The Current Cyber Landscape for the SME sector
Today is World MSME Day, which aims to raise awareness of the significant contribution of micro, small, and medium-sized enterprises (MSMEs) around the world.
MSMEs account for 90% of businesses, 60 to 70% of employment and 50% of GDP worldwide. In the UK they account for over 99% of the business sector. To put this into context, nearly 43% of cyber-attacks are targeted at SMEs, while the number of cyber-attacks soared by 15% during 2022. Current geopolitical tensions and the consequences of the ongoing Ukraine war have only increased this risk during 2023.
SMEs are on the receiving end of an ever-increasing, exponentially growing number of cyber-attacks that can ultimately have a crippling effect on their survivability, reputation, competitiveness, and performance.
Why Are SMEs Targeted by Cyber Criminals?
SMEs are often an easier target for malicious actors because of weaker security infrastructure. A low security budget has been another challenge for SMEs in 2023, as has a lack of internal cyber skills to implement and maintain an effective cyber security strategy. The average cybersecurity budget for a small business is predicted to be twice as small this year as in 2022, despite four in five (79%) SMEs having experienced a cyberattack in the past 12 months, a survey from Typetec shows. The Cyber Breach Report 2023 also shows that only 36% of small and micro businesses have any form of cyber insurance.
Cyber-attacks that target supply chains are another issue all small businesses need to be aware of. In fact, SMEs are often exploited to attack larger and more profitable targets. By targeting a single supplier, attackers can compromise scores or even hundreds of corporate clients, many of whom may be other SMEs. SMEs can also hold especially valuable data for malicious actors if they are in a specialised industry.
In February 2023 small businesses were severely impacted by the suspension of international orders by Royal Mail after a breach launched by the Russian-linked ransomware group LockBit 3.0. This attack demonstrates how adversaries can exploit vulnerabilities within a supply chain to gain unauthorised access to critical systems or insert malicious code, leading to such breaches or unauthorised access to sensitive information.
According to Sophos's annual State of Ransomware report, released in May 2023, adversaries succeeded in encrypting data in 76% of ransomware attacks against surveyed organisations.
What Cyber Risks Do SMEs Face?
Ransomware is perhaps one of the biggest risks to SMEs today. According to the NCC Group, March 2023 was the most prolific month recorded by cybersecurity analysts in recent years, with 459 attacks, an increase of 91% from the previous month and 62% compared to March 2022. Use of strong passwords and an effective password policy is the first step to protecting yourself from ransomware. Businesses can also consider using a password manager for employees. Read more about how to use passwords securely in our password guide. A survey by Avast found that SMEs targeted by ransomware suffered significant ill-effects from cyberattacks: 41% lost data while 34% lost access to devices.
This follows a drop in the percentage of small businesses that prioritise cyber security (Cyber Breach Report 2023). This fall in percentage particularly relates to micro-businesses (decreasing from 80% in 2022 to 68% in 2023).
Remote working, and the risk from employees using unaudited and unsecured devices or endpoints, also remains a potential vulnerability. For more guidance on remote working, such as how to manage access controls and multi-factor authentication, click here.
As remote working becomes normalised, social engineering and phishing attacks have also surged, with attackers utilising advanced techniques like polymorphic malware (a type of malware that constantly changes its shape and signature to evade detection), file-less attacks, and zero-day exploits. The development of artificial intelligence also presents new security challenges to businesses of all sizes. This includes the use of chatbots, such as ChatGPT, to create sophisticated and convincing phishing emails, and the use of deepfakes (fake video, audio or images designed to mimic a real person). Find out more about the threats posed by AI in our recent blog, or read our phishing guide here.
How Can SMEs Improve Their Cyber Security Posture?
If you are a small business at the start of your cyber security journey, our foundation subscription can help you take the first steps towards a strong cyber security posture. This includes 24/7 monitoring of your systems, patch management, incident response and access to our learning platform for employees.
To explore all our subscription options and features, including Cyber Essentials accreditation (a UK government-backed scheme that helps organisations start to think about cyber security and implement their own basic controls), click here or get in touch by clicking the contact button below.