a 2D red broken padlock with secured blue ones on a teal background with binary code

How to Close the Security Gap for Small and Medium-Size Enterprises

Nov 2021
By Prof. Sally Eaves
Blog Home

#KingstonCognate Introduces Prof. Sally Eaves

Photo of Prof. Sally Eaves

Prof. Sally Eaves is Chair of Cyber Trust and Senior Policy Advisor for the Global Foundation of Cyber Studies and Research. Described as the ‘torchbearer for ethical tech’ she is the inaugural recipient of the Frontier Technology and Social Impact Award, presented at the United Nations. A Chief Technology Officer by background, and now Professor in Advanced Technologies and a Global Strategic Advisor across Emergent Technologies, Sally is an award-winning International Author, MC, Keynote Speaker and Thought Leader on Digital Transformation (AI, 5G, Cloud, Blockchain, Cyber Security, Governance, IoT, Data Science) alongside Culture, Skills, DEI, Sustainability, and Social Impact.

Sally educates and mentors actively to support the next generation of tech talent and has founded Aspirational Futures to enhance inclusion, diversity, and equality in education and technology, with her latest book on ‘Tech For Good’ set to be released in 2022. Sally is consistently recognized for global influence in the technology space by leading bodies such as Onalytica, appearing in top 10 lists worldwide across multiple disciplines from AI to 5G to Sustainability and beyond.

The SME Cyber Threat Landscape

Small and medium-size enterprises (SMEs) play a vital role in both national economies and international economic stability and growth. Approximately 400 million SME’s provide the backbone for our global economy and are the leading source of work and job creation, accounting for over 95% of all business entities and 60% to 70% of employment.

It is therefore imperative to both the economy and security that SMEs can embrace all the opportunities afforded by today’s omnichannel digital world, while also maintaining strong cyber security.

And this comes at a time of significant change. Many SMEs have needed to adopt new digital strategies and technologies at speed in order to maintain, pivot, or diversify their business activities and models, all while navigating a global pandemic and the rise of remote/hybrid working. This has also given rise to additional cyber risks.

A sobering thought, given cyber attacks have been occurring every 39 seconds and, on average, 2,244 times a day (Varoni 2020) and that the vulnerability of SMEs from cyber breaches is growing annually at greater than 400%. This is at a time when their guard may be reduced with fewer resources and financial reserves to manage them effectively. This piece outlines the modern threat landscape for SMEs, why it matters so much, and the key challenges being faced, to increase the awareness that is so vital to change and foster future readiness to the escalating cyber security threat.

“The time is now to decouple SME investment, education, research, and broadened awareness of heightened risk from the false perception that SMEs have less data value to offer cyber criminals and hackers-and the global economy at large!” Prof. Sally Eaves

SME Rising Risks: Why it Matters so Much

Computer hacker silhouette of hooded man typing and numbers floating in front of him with binary data and a word map behind him

There is a significant misconception around business size in comparison to the cost that a cyber attack and lack of preparedness for cyber resilience can cause, starting with business disruption and financial loss. Putting this in context, recent research in the UK (Vodafone Business 2021) shows the average cost of a successful cyber attack to be £3,230 ($4,400), with the report finding such a loss would cause almost a quarter of UK SMEs to collapse and 16% more to have to lay off staff. This is consistent with other global studies. And the risk does not end there. The impact of damaged reputations and reduced consumer or ecosystem trust are effects that can last even longer for businesses that survive the initial threat. Some 81% of consumers state they would stop engaging with a brand online following a data breach.

Additionally, and challenging another misconception, when working with a variety of suppliers and partners, the data held by SMEs is just as valuable as that of large enterprises and can provide an access gateway to other organizations. If a cyber attacker can breach any link within the supply chain, they can more easily attack the other, and often larger companies within it. SME data is also typically much easier to steal. It is perhaps then no surprise to see that not just the frequency but also the sophistication of cyber attacks targeting this sector are escalating and are doing so at pace, including hackers now operating as an organized group with the shared objective of financial gain.

The Evolving Threat Landscape for SMEs

New research reveals the true extent of the SME threat in comparison to larger enterprises. An eyewatering 65% of SMEs suffered a cyber attack across 2019-20, compared to 46% of all businesses (Towergate) confirming that attacks occur repeatedly! SMEs suffering a breach are being hit an average of 6 times each within that period-a staggering once every two months! (NatWest).

So, What Are the Key Threat Tactics Facing SMEs?

Two core external threat vectors are front of mind-phishing and social engineering alongside the supply chain ecosystem. Compounding this with internal threat vectors including a lack of risk assessment, poor access control, data, device and password protection, low investment levels, and insufficient training and awareness, cyber hygiene culture and skills, leaves a potentially vast attack surface.

an open mail symbol with a fishing hook through the letter

Phishing and Social Engineering
85% of cyber-attacks stem from phishing attempts that seek to trick users into ‘doing the wrong thing,’ such as downloading malware, most often through email interactions. And they are becoming increasingly more sophisticated in nature. Indeed, Artificial Intelligence was found to write better phishing emails in a recent test! Often linked to phishing, social engineering describes the process of manipulating people through impersonation, persuasion, or even intimidation to take a specific action or reveal confidential information. The pandemic is a case in point, with cyber criminals feeding off our collective vulnerability and attempting to compromise accounts by using phishing emails, texts, or WhatsApp messaging with Covid-19 as the subject matter, or even by including an attachment purporting to be from the World Health Organization (WHO). Putting this all into context, the level of transformation in this type of cyber threat is revelatory-just consider the first ever recorded cyber attack called ‘Morris Worm’ back in 1988. This impacted 6,000 computers, which equated to approximately 10% of the entire internet at the time. How times have changed!

Supply Chain
Becoming a favored attack vector for cybercriminals, most breaches come from a software rather than hardware source, for example malware infiltrating regular software updates. Attacks seek to target a SME via its own supply chains, or more typically by compromising the SME to then leapfrogging onto target larger organizations. Open-source software libraries provide another area of supply chain vulnerability. And looking ahead, with IoT connections poised to more than double to 75 billion devices by 2025, this in itself creates new cyber risks. Low-cost hardware can be connected to networks, with many of the devices that sit within it being vulnerable to attack. If we consider this from an advanced IT/OT convergence and supply chain ecosystem perspective, then the threat area expansion comes center stage.

The SME Cyber Risk Barriers

This raises a central question: what are the main factors behind SMEs not adopting the latest protection to be more proactive to cyber risks? Firstly, there is clearly an awareness versus actualization gap. As an example, recent research found that while 93% of SMEs believed cybersecurity to be vital for their business continuity, only 64% were actually using cybersecurity solutions. Additionally, a European survey has found a different awareness and reality gap, namely that many SMEs believe-incorrectly-that cybersecurity controls are included in the IT products they have purchased and that no additional security measures are needed-unless mandated by compliance requirements or regulations (enisa 2021).

Investment capacity is another challenge. Statista (2020) found that investment in cybersecurity amounted to £5,100 ($6,940) on average, which could lead SME’s to believe that they are in the right ballpark in terms of spend. But this number is skewed by the sheer volume of micro and small businesses, who averaged £3,490 ($4,750). Compare this to larger organizations, who are arguably more prepared-or, at least, have more resources-for which this increased to an average investment of £277,000 ($377,030), indicating a vast gap that bad actors are more than happy to exploit!

Further factors include an under-developed ‘cyber-culture,’ perceptions of over-complexity, concerns and often misconceptions around cloud security, and an overall lack of awareness of the technology and support that ‘is actually within reach’ of SMEs. Possibly most alarming of all, 54% of participants in a recent survey said that their businesses do not train staff on data security and cybersecurity threats (Vodafone Business 2021).

Negating the Cyber Risk

Kingston DataTraveler Vault Privacy 3.0 plugged in a laptop with binary code in the background and a locked and password symbol

Clearly cybersecurity should be on the top of everyone’s agenda regardless of organizational size! With the sustained growth and prevalence of threats, ensuring your systems are not an ‘open door’ to attacks has never mattered more. This necessitates the careful coordination of people, processes, systems, networks, and technology, which involves a shared responsibility mindset and a shift in culture and values to bring about the behavioral change and buy-in that always underpins successful technological change. And with SME’s being compromised by the number one human-centered threat tactic-phishing with social engineering-this makes education a vital strategic enabler and the driver for this piece. The more aware you are of these areas of danger, the more robust your level of cyber security can be.

As a starting point toward steps you can take today, a focus on data loss prevention is critical, looking at the data that exists locally with your employees. Encrypted USB’s can be very effective here, helping ensure that sensitive data can be stored and transferred as securely as possible.

Kingston Technology is a long-established and highly trusted leader in the encrypted USB drive space, and can offer bespoke support on the benefits and alignment to your business needs. Additionally, Kingston Technology’s superb "Ask an Expert" Team can provide tailored advice on the benefits personalized to your specific storage environment and needs.

And finally, in the follow-up to this article, you can explore the top 12 tips SMEs can take to enhance cybersecurity posture right across technology, process, and people-based approaches.

#KingstonIsWithYou

Ask and Expert - SSD

Ask an Expert

Planning the right solution requires an understanding of your project's security goals. Let Kingston's experts guide you.

Ask an Expert

Related Products

Related Articles