Posted 21 October, 2021 at 11:03
There is a general belief amongst SMEs that cyberattacks only happen to large organisations and that SMEs are simply too small a target to get hit. However, survey after survey finds that all enterprises can be, and are, attacked regardless of their size and the information they store. ENISA, the European counterpart of the NCSC, estimates that across Europe 46% of businesses and a quarter of charities have been hit in the last 12 months. This figure rises to 68% for medium-sized businesses, but smaller businesses are still very much at risk.
The challenges SMEs face in their cyber security preparedness are many and varied, but the clear common underlying issue appears to be the management of awareness and commitment, alongside the management of their cyber risk, which in turn drives budget, allocation of resources and effective implementation of good cyber security practices.
ENISA has identified seven categories of challenges faced by SMEs:
Cyber awareness training, or rather the lack of it, is a favourite hobby horse of mine. It is vitally important for both managers and staff. If you don’t know what threats exist, then how can you look out for the signs, and how can you effectively target your security spend? Likewise, staff have to know what to look out for, how attacks are formulated and how they are carried out. A good motivator for staff is that, to put it bluntly, their jobs are on the line if the business is hit badly and loses money. Most SMEs are running businesses where cash flow is king, and they simply can’t afford the kind of hits that many are experiencing.
A major misconception is that cyber security is an IT issue. Wrong: it’s a business issue. This misconception generally arises because cyber security is seen as having complex technical solutions that only the ‘techies’ fully understand. However, this is not the case. Cyber security needs to be part of the culture of the company, a culture that protects the business from harm. Each person must have at least a basic understanding of the issues they face and how their attitude can affect the cyber security posture of the entire organisation.
As time goes on and the company matures, what is really needed is a transition from initial awareness to an internal cyber security culture, achieved by developing an effective strategy.
In the coming weeks I’ll tackle the other six categories identified by ENISA.
For more information, contact Kevin Hawkins of H2 Cyber Risk Advisory Services:
T: 0845 5443742
M: 07702 019060