How to close the security gap for small and medium size enterprises

#KingstonCognate introduces Prof. Sally Eaves

Prof. Sally Eaves is Chair of Cyber Trust and Senior Policy Advisor for the Global Foundation of Cyber Studies and Research. Described as the “torchbearer for ethical tech” she is the inaugural recipient of the Frontier Technology and Social Impact Award, presented at the United Nations. A Chief Technology Officer by background, and now Professor in Advanced Technologies and a Global Strategic Advisor across Emergent Technologies, Sally is an award-winning International Author, MC, Keynote Speaker, and Thought Leader on Digital Transformation (AI, 5G, Cloud, Blockchain, Cybersecurity, Governance, IoT, Data Science) alongside Culture, Skills, DEI, Sustainability and Social Impact.

Sally educates and mentors actively to support the next generation of tech talent and has founded Aspirational Futures to enhance inclusion, diversity and equality in education and technology, with her latest book on “Tech For Good” set to be released soon. Sally is consistently recognised for global influence in the technology space by leading bodies such as Onalytica, appearing in the top 10 worldwide across multiple disciplines from AI to 5G to Sustainability and beyond.

The SME cyber threat landscape

Small and medium size enterprises (SMEs) play a vital role in both national economies and international economic stability and growth. Approximately 400 million SMEs provide the backbone for our global economy and are the leading source of work and job creation, accounting for over 95% of all business entities, and 60% to 70% of employment.

It is therefore imperative to both economy and security that SMEs can embrace all the opportunities afforded by today’s omnichannel digital world, while maintaining strong cyber security too.

And this comes at a time of significant change. Many SMEs have needed to adopt new digital strategies and technologies at speed in order to maintain, pivot or diversify their business activities and models, all whilst navigating a global pandemic and the rise of remote/hybrid working. This has also given rise to additional cyber risks.

This is a sobering thought, given that cyber attacks have been occurring every 39 seconds and, on average, 2,244 times a day (Varonis 2020), and that the vulnerability of SMEs to cyber breaches is growing annually at greater than 400%. At the same time, their guard can be reduced, with fewer resources and financial reserves to manage such attacks effectively. This piece outlines the modern threat landscape for SMEs, why it matters so much, and the key challenges being faced, to increase the awareness that is so vital to change and to foster future readiness for the escalating cyber security threat.

‘The time is now to decouple SME investment, education, research and broadened awareness of heightened risk, from the false perception that SMEs have less data value to offer cyber criminals and hackers - and the global economy at large!’ Prof. Sally Eaves

SME rising risks: Why it matters so much

There is a significant misconception around business size vis-à-vis the level of cost that a cyber attack and a lack of preparedness for cyber resilience can cause, starting with business disruption and financial loss. Putting this in context, recent research in the UK (Vodafone Business 2021) puts the average cost of a successful cyber attack at £3,230, with the report finding such a loss would cause almost a quarter of UK SMEs to collapse and 16% more to lay off staff. This is consistent with other global studies too. And the risk does not end there: the impact of damaged reputations and reduced consumer or ecosystem trust are effects which can last even longer for businesses that survive the initial threat. Some 81% of consumers state they would stop engaging with a brand online following a data breach.

Additionally, and challenging another misconception, because SMEs work with a variety of suppliers and partners, their data is just as valuable as that of large enterprises and can provide an access gateway to other organisations. If a cyber attacker can breach any link within the supply chain, they can more easily attack the other, and often larger, companies within it. SME data is also typically much easier to steal. It is perhaps then no surprise to see that not just the frequency but also the sophistication of cyber attacks targeting this sector is escalating, and doing so at pace, including hackers now operating as an organised group with the shared objective of financial gain.

The evolving threat landscape for SMEs

New research brings to life the true extent of the SME threat in comparison to larger enterprises. An eyewatering 65% of SMEs experienced a cyber attack across 2019-20, compared to 46% of all businesses (Towergate), and attacks occur repeatedly! SMEs suffering a breach are being hit an average of 6 times each within that period, a staggering once every two months! (NatWest).

So, what are the key threat tactics facing SMEs?

Two core external threat vectors are front of mind: phishing and social engineering, alongside the supply chain ecosystem. Compounding this with internal threat vectors, including lack of risk assessment, poor access control and data, device and password protection, low investment levels, and insufficient training, awareness, cyber hygiene culture and skills, leaves a potentially vast attack surface.

Phishing and social engineering
85% of cyber-attacks stem from phishing attempts which seek to trick users into ‘doing the wrong thing’, such as downloading malware, most often through email interactions. And they are becoming increasingly sophisticated in nature. Indeed, Artificial Intelligence was found to write better phishing emails in a recent test! Often linked to phishing, social engineering describes the process of manipulating people through impersonation, persuasion or even intimidation to take a specific action or reveal confidential information. The pandemic is a case in point, with cyber criminals feeding off our collective vulnerability and attempting to compromise accounts by using phishing emails, texts or WhatsApp messaging with Covid-19 as the subject matter, or even by including an attachment purporting to be from the World Health Organisation (WHO). Putting this all into context, the level of transformation in this type of cyber threat is revelatory: just consider the first ever recorded cyber attack, the ‘Morris Worm’, back in 1988. This impacted 6,000 computers, which then equated to approximately 10% of the entire internet. How times have changed!

Supply chain
The supply chain is becoming a favoured attack vector for cybercriminals. Most breaches come from a software rather than hardware source, for example malware infiltrating regular software updates. Attacks seek to target an SME via its own supply chains, or more typically compromise the SME in order to leapfrog onto larger target organisations. Open-source software libraries provide another area of supply chain vulnerability. And looking ahead, with IoT connections poised to more than double to 75 billion devices by 2025, this in itself creates new cyber risks. Low-cost hardware can be connected to networks, with many of the devices that sit within it being vulnerable to attack. If we consider this from an advanced IT/OT convergence and supply chain ecosystem perspective, then the threat area expansion comes centre stage.

The SME cyber risk barriers

This raises a central question: what are the main factors behind SMEs not adopting the latest protection to be more proactive about cyber risks? Firstly, there is clearly an awareness versus actualisation gap. As an example, recent research found that while 93% of SMEs believed cybersecurity to be vital for their business continuity, only 64% were actually using cybersecurity solutions. Additionally, a European survey has found a different awareness and reality gap, namely that many SMEs believe, incorrectly, that cybersecurity controls are included in the IT products they have purchased and that no additional security measures are needed unless mandated by compliance requirements or regulations (ENISA 2021).

Investment capacity is another challenge. Statista (2020) found that investment in cybersecurity amounted to £5,100 on average, which could lead SMEs to believe that they are in the right ballpark in terms of spend. But this number is skewed by the sheer volume of micro and small businesses, who averaged £3,490. Compare this to larger organisations, who are arguably more prepared or, at least, have more resources: here the average investment increased to £277,000, indicating a vast gap which bad actors are more than happy to exploit!

Further factors include an under-developed ‘cyber-culture’, perceptions of over-complexity, concerns and often misconceptions around cloud security, and an overall lack of awareness of the technology and support that ‘is actually within reach’ of SMEs. Possibly most alarming of all, 54% of participants in a recent survey said that their businesses do not train staff on data security and cybersecurity threats (Vodafone Business 2021).

Negating the cyber risk

Clearly cybersecurity should be at the top of everyone’s agenda regardless of organisational size! With the sustained growth and prevalence of threats, ensuring your systems are not an ‘open door’ to attacks has never mattered more. This necessitates the careful coordination of people, processes, systems, networks, and technology, which involves a shared responsibility mindset and a shift in culture and values to afford the behaviour change and buy-in that always underpins successful technology change. And with SMEs being compromised by the number one human-centred threat tactic (phishing with social engineering), education becomes a vital strategic enabler, and it is the driver for this piece. The more aware you are of these areas of danger, the more robust your level of cyber security can be.

As a starting point on steps you can take today, a focus on data loss prevention is critical, looking at the data that exists locally with your employees. Encrypted USBs can be very effective here, helping ensure that sensitive data can be stored and transferred as securely as possible.

Kingston Technology is a long established and highly trusted leader in the encrypted USB drive space, and can offer bespoke support on the benefits and alignment to your business needs. Additionally, Kingston Technology’s superb "Ask an Expert" Team can provide tailored advice on the benefits personalised to your specific storage environment and needs.

And finally, in the follow-up to this article, you can explore the top 12 tips SMEs can take to enhance cybersecurity posture right across technology, process, and people-based approaches.

