Why SMEs are at a higher risk of cyber crime

Preventing cyber crime has become a major consideration for small businesses in today's digital economy, but how can they actually do that?

Cyber crime is one of the biggest threats faced by businesses today. Research from internet provider Beaming shows that UK companies alone faced 146,491 attempted attacks in the second quarter of 2019, up from 52,596 in 2018.

This is becoming a particularly major challenge for small and medium-sized businesses. According to the Federation of Small Businesses, one in five SMEs have experienced a cyber attack in the past two years. An estimated 7 million attacks took place during this period, costing firms £4.5bn annually.

A recent study from security firm Webroot has also highlighted the growing danger to SMEs, claiming that they face a higher risk of attacks such as ransomware, phishing and social engineering. It found that 48% of small businesses have had to deprioritise areas that could help them grow in order to address cyber security issues and that 18% are having to spend an entire working day fighting cyber crime.

But what makes SMEs a bigger target for cyber criminals than larger and more established organisations? Paul Barnes, senior director of product strategy at Webroot, believes it is because they can no longer consider themselves too small to be targeted. He says: "In fact, they are facing the same risks as larger corporations when it comes to cybersecurity, thanks to the increasingly valuable data they hold.

"SMEs also have arguably fewer resources, smaller budgets and fewer skills available to defend against attacks. This makes it difficult for smaller IT teams to manage on their own, and leaves employees stretched thin and unable to devote the necessary time to many critical cybersecurity tasks. Cybercriminals are well aware of these vulnerabilities and also understand that SMEs can be a useful conduit to bigger, more valuable organisations via the supply chain."

He notes how bigger businesses are better equipped to identify and mitigate potential attacks. Barnes says: "In comparison, larger corporations have become increasingly more aware of the risks associated with cyberattacks and are implementing more sophisticated cybersecurity tools and techniques to make it difficult for cybercriminals to break through their defences."

A growing epidemic

Another important question to ask is, what puts SMEs at risk exactly and what types of attacks can they expect? Barnes continues: "It's clear that employee working practices and behaviours could be putting businesses at higher risk. Two-thirds (69%) of IT leaders believe their business is at risk due to employees inadvertently creating security threats due to lack of knowledge or continuous training. The often demanding working environments at growing businesses can present a risk too, as nearly two-thirds (64%) say that high workloads can cause cybersecurity mistakes."

He says this lack of awareness places SMEs in danger of attacks specifically designed to target them, using Remote Desktop Protocol (RDP) attacks as an example. "In these cases, hackers use unsecured RDP protocols as a port of entry into a network, before deploying either ransomware or cryptojacking," explains Barnes.

"Another critical point of entry is phishing attacks on employees which compromise the network's credentials. Employees often get taken in by phishing scams out of simple curiosity or lack of security awareness, which further emphasises the need for continuous awareness training."

Barnes warns that the financial and reputational damage of a cyberattack could be devastating. He adds: "Almost half (46%) of respondents say that if their organisation suffered a data breach, it would put their business at risk of closure."

Fighting cyber crime

Cyber attacks are quickly growing in scale and complexity, which means firms must take necessary steps to stay one step ahead of attackers. How can they do that in practice, though? Ian Hughes, an analyst at 451 Research, says: "Mitigation of risk comes from a constant focus on security, ongoing technical patches to systems, virus and spyware detection and staff training to avoid responding to falsified requests and other less technical approaches.

"Companies that create devices or software need to engage with the security community to be open to running a bug bounty scheme and act swiftly. Companies that use these services and devices should look for that transparency when selecting a provider."

Thomas Richards, principal consultant at Synopsys, says all businesses should take cyber security seriously in light of growing threats. He tells IDG Connect: "User education and awareness training are good first steps to preventing cyber-attacks. Make sure all corporate data is backed up with a tested business continuity plan in place. Additionally, invest in cyber security protections such as endpoint protection, network intrusion detection, and segmented networks to help prevent a successful attack."

Often, small businesses just don't have the internal resources to protect themselves from cyber crime. Andrew Rogoyski, innovation director at Roke Manor Research, points out that SMEs can benefit from out-of-the-box solutions from many large vendors. He says: "Small and medium sized businesses do not, and arguably should not, have the deep cyber security expertise to protect themselves from sophisticated attacks. If you're a 10 person plumbing company, are you going to be able to put a cyber security expert on the payroll? Would that cyber expert actually want to work on such a small IT estate? These business realities make small and medium size businesses easier to attack.

"Cyber security technology and techniques have become incredibly sophisticated and complex - many companies, including large but especially small, struggle to use cyber solutions properly. There is a rising trend amongst small and medium size companies to use cloud services from their inception. If you were starting a company today, unless your business is software, why would you want to run your own IT department? Major cloud providers can provide sophisticated and large scale security solutions in ways that small companies never can - and even the UK Government now operates a 'cloud first' policy."

He argues that leadership on this topic is essential, too. Rogoyski says: "The very least that small and medium sized companies can do is to ensure that the CEO or founder takes cyber security seriously. Then it's down to simple things, like awareness, sound password policies, basic security infrastructure and so forth. Government schemes like Cyber Essentials can be helpful for small and medium size businesses."

The unfortunate reality is that cyber crime will never stop. As the digital ecosystem continues to expand, it's likely that attacks will become more sophisticated and commonplace. This puts increasing pressure on businesses of all sizes to implement appropriate security measures, although the risk to SMEs will no doubt remain greater.