October 23rd, 2018

The Cyber Security Struggle: Are SMEs Safe?

Smaller organizations have a lot on their plates. They face many of the same pressures and threats as enterprises, but their scale often means that they lack both the skills and resources to properly address these problems.

When it comes to cyber security, SME (Small-to-Medium Enterprise) attitudes can be all over the place. Some don’t put much thought into it, thinking that they’re too small to be a target. Cyber threats may not even be on their radar, especially if they’ve been lucky enough to avoid being attacked so far.

Other companies take the threats more seriously but don’t know how to defend themselves appropriately. This can be a significant challenge, particularly if they don’t have any security experts on their staff.


SMEs also tend to lack a Chief Information Officer (CIO) and a Chief Information Security Officer (CISO), which means that their IT teams often report to business management. Unfortunately, many management teams don’t have the relevant IT knowledge and may not understand the cyber security issues that their company faces. This makes it a challenge to form adequate policy and to allocate the necessary funds for defenses.

If your company’s approach to security is similar to any of these situations, it faces significant risks. The chances of cyber attacks are much higher than many small businesses like to believe. According to a Ponemon Institute survey conducted on IT personnel from SMEs, 61% of the respondents reported a cyber attack against the business they worked for.

Your business may not have been attacked yet, but with the attack rate so high, it is only a matter of time. That’s why small businesses need to start taking their cyber security seriously before it’s too late.

What Kind of Attacks Can Affect Businesses?

There is a range of different online attacks that can negatively affect businesses. Most of the attacks that SMEs face will be financially motivated, although acts of cyber vandalism such as website defacement are also popular.

One of the fastest growing cyber attacks involves ransomware. Hackers generally make their way into a company’s (or individual’s) systems, find valuable files and then encrypt them. The hackers then contact the victim, saying that they will only give out the key if they are paid a certain amount. If the company pays, sometimes the attackers will send through the key and the victim will be able to access their files. At other times, the hackers are never heard from again.

In the responses to the Ponemon study, 52% said that their company had been attacked by ransomware, with 53% of those respondents saying that their business had suffered two or more ransomware attacks in the past year. These attacks pose significant risks to businesses. Many organizations have files that they haven’t backed up but are essential to their core business processes. If attackers can find these, they can easily disrupt business operations and command a high fee in order for the files to be unlocked.

Data breaches are another major threat to businesses. In many industries, companies have large amounts of valuable data, such as customer details or intellectual property. Hackers use a variety of techniques to intrude into company networks, then exfiltrate any valuable information that they may find. Once they have the data, they may use it themselves for fraud, sell it on the darknet, or even use it to blackmail the company into sending them payments. Each of these outcomes can be costly for companies and in the worst-case scenarios, businesses may face paying millions in fines and restitution.

Cybercriminals also use social engineering techniques such as phishing to manipulate their targets into sending them money, or into handing over their login details, which they can then use for a range of other scams.

These are just some of the many ways in which businesses can be attacked online. The most important takeaway is that criminals have many different opportunities, with each of them capable of wreaking tremendous havoc on businesses.

How Much Can Cyber Attacks Cost?

According to a report from Kaspersky, the average cost of a cyber attack against an SME is $117,000, while it is $1.7 million for larger enterprises. These costs can be a combination of many different factors. Attacks can cause business disruptions which lead to loss of revenue. There are also recovery costs, which include paying the relevant personnel and perhaps doing infrastructure upgrades. A business may also have to pay fines and restitution depending on the circumstances of the attack.

While not necessarily a direct cost, savvy businesses may also want to implement new security policies and training to reduce the chances of suffering another attack in the future. All of this can lead to immense financial strain on cyber attack victims.

What Factors Lead to Attacks?

Businesses can never be 100% secure. No matter how much an organization spends on its defenses, if an attacker with more resources and unending motivation wants to breach those defenses, then it’s possible. Thankfully, most businesses don’t face threats that are anywhere near this extreme.

Most cybercrime comes from hackers who are just probing around, looking for systems that will be easy to penetrate. If a business has reasonable defenses, the vast majority of attackers will just move on in search of easier prey. Because of this, the goal of cybersecurity isn’t to build up impenetrable defenses that limit usability, but instead to have a well-thought-out plan that makes an attack not worth the effort.

According to an ESG study of IT professionals, 28% of respondents thought that the biggest factor that leads to security incidents was a lack of understanding when it comes to cyber risks. If organizations don’t understand the threats that they face, then how can they defend themselves adequately?

One of the primary factors that lead to weak defenses is the lack of a cohesive cybersecurity policy. Whether a business has no defenses at all or a patchy mix of them, the gaps make it simple for attackers to weave their way into an unprepared company’s systems.

The same ESG study indicated that human error, new technology implementations, lack of cybersecurity training and insufficient funding or staff for cybersecurity endeavors were also major factors that lead to security incidents.

How Can SMEs Keep Themselves Safe?

While small and medium-sized businesses face tremendous challenges when it comes to securing themselves, the situation is far from hopeless. The first step is to acknowledge the severity of the threats and just how great the risks are. Once a company realizes that it is likely to be affected by cyber attacks and that these attacks have the potential to bankrupt the company, it makes it much easier to come up with an appropriate defense plan.

The specific plan will depend on the business’s size, industry, expertise and a range of other factors. Smaller businesses without specific security personnel may find that their best option is to rely on outsourcing.

Trying to orchestrate cohesive defenses in-house can be expensive, and relying on security specialists is often a much more cost-effective and secure strategy. This outsourcing can range from using secure services such as LuxSci’s HIPAA-compliant email or web hosting, to completely outsourcing all aspects of a company’s security to a trusted third party.

The most important thing is to be aware of the limitations of your business and turn to professionals whenever necessary. Smaller organizations with limited tech expertise may be better off outsourcing everything from their initial consultations to policy development, all the way through to training and compliance. Larger organizations may be able to take on some or all of these aspects in-house.

It’s critical to not view this security spending as a waste, but instead as an investment. Given how rapidly cybercrime is growing, it’s only a matter of time until it strikes your business. That’s why you need to be prepared and build your defenses today, so that tomorrow you can sleep a little easier.

4 Responses to “The Cyber Security Struggle: Are SMEs Safe?”

  1. Mark Worthen Says:

    What is an SME?

    Sure, I could Google it, but you really should explain acronyms unless you know for sure that 99% of your readers know exactly what they mean.

  2. Erik Kangas Says:

    Thanks, Mark. You are absolutely right. We have updated the post to define this acronym.

  3. Mark Worthen Says:

    Right on. So many companies ignore or brush off sincere feedback from customers. You didn’t.

    *That* is a sign of a good company.

  4. Erik Kangas Says:

    Thank you, Mark!
