The Cyber Security Challenges Facing SMEs

Posted 21 October, 2021 at 11:03

Author Kevin Hawkins on behalf of H2 Cyber Risk Advisory Services Ltd

There is a general belief amongst SMEs that cyberattacks only happen to large organisations and that SMEs are simply too small a target to get hit. However, survey after survey finds that all enterprises can be, and are, attacked regardless of size and the information they store. ENISA, the European version of NCSC, estimates that across Europe 46% of businesses, and a quarter of charities, have been hit in the last 12 months. This figure does rise for medium size businesses, to 68%, but smaller businesses are still very much at risk.

The challenges faced by SMEs regarding their cyber security preparedness are many and varied, but the clear common underlying issue to all appears to be management of awareness and commitment, alongside managing their cyber risk, which in turn drives budget, allocation of resources and effective implementation of good cyber security practices.

ENISA has identified seven categories of challenges faced by SMEs:

  • Low cybersecurity awareness of the personnel.
  • Inadequate protection of critical and sensitive information.
  • Lack of budget.
  • Lack of ICT cybersecurity specialists.
  • Lack of suitable cybersecurity guidelines specific to SMEs.
  • Shadow IT, i.e. shift of work in ICT environment out of SME’s control.
  • Low management support.

Cyber Awareness Training, or rather the lack of it, is a favourite hobby horse of mine. It is vitally important for both managers and staff. If you don’t know what threats exist, then how can you look out for the signs, and how can you effectively target your security spend? Likewise, staff have to know what to look out for, how attacks are formulated and how they are carried out. A good motivator for staff is that, to put it bluntly, their jobs are on the line if the business is hit badly and loses money. Most SMEs are running businesses where cash flow is king and they simply can’t afford the kind of hits that many are experiencing.

A major misconception is that cyber security is an IT issue. Wrong, it’s a business issue. This misconception is generally arrived at because cyber security is seen as having complex technical solutions that only the ‘techies’ fully understand. However, this is not the case. Cyber security needs to be in the culture of the company, a culture that protects the business from harm. Each person must have at least a basic understanding of the issues they face and how their attitude can affect the cyber security posture of the entire organisation.

As time goes on and the company matures, what is really needed is a transition from initial awareness to an internal cyber security culture through developing an effective strategy.

In the coming weeks I’ll tackle the other 6 categories arrived at by ENISA.

For more information, contact Kevin Hawkins of H2 Cyber Risk Advisory Services:

T: 0845 5443742

M: 07702 019060


H2 Cyber Risk Advisory Services Ltd


Established in 2016, H2 Cyber Risk Advisory Services is a specialist cyber security and data protection company that focuses on providing innovative and robust security solutions to the UK SME sector. Its founders, Kevin Hawkins and Bob Hay, are amongst the best qualified and most experienced...

