This Wall Street Journal article investigates why a growing number of SMEs are struggling with cyberattacks. WSJ concludes that SMEs simply “don’t believe they are targets, so they don’t make security a priority.” There is now more evidence that cyberattacks aren’t exclusive to “the big players”. Still, SMEs are convinced that they fly below the radar of nation-state attackers and criminal hackers.
Let’s explore 5 compelling reasons why SMEs need to acknowledge that they are just as vulnerable as large organizations and should begin taking steps to supercharge their cybersecurity posture.
1. Security incidents have skyrocketed in the past year
The risk of an attack has grown exponentially for SMEs over the past couple of years. “During the pandemic, small businesses were attacked at twice the rate of larger organizations,” says Ajay Bhalla, president of cyber and intelligence at Mastercard Inc.
During 2020 and 2021, data breaches at small businesses globally jumped 152%, compared with the two prior years, according to RiskRecon, a Mastercard company that assesses companies’ cybersecurity risk. Breaches at larger organizations rose 75% in the same period, according to RiskRecon.
According to a WSJ Pro Cybersecurity survey of cybersecurity professionals published in December, 52% of small businesses (those with less than $50 million in annual revenue) have insurance coverage for cyber risks, compared with about 75% of larger businesses.
2. The threat landscape is constantly changing
Raising awareness of the importance of cyber security for SMEs is critical. With new threats being discovered daily and the severity of those threats increasing, the tools that worked in the past may no longer be sufficient today. Now, companies need to assess and update their cyber risk posture constantly.
As attacks become more sophisticated, we’ll see an increasing trend towards advanced techniques and tools from a broader range of state-sponsored, cybercriminal and ransomware groups. For example, in 2021, cybercriminals targeted critical infrastructure, including information technology, financial services, healthcare, and energy sectors, with headline-grabbing incidents which harmed businesses.
The more sophisticated, relentless, and widespread incidents become, the more SMEs require a next-gen Web Application Firewall to identify and defend against emerging exploits.
3. Cyber risk management is a business imperative
Businesses of all sizes must accept the reality that a cyber attack is no longer a matter of “if” but “when”.
Security should always be a response to specific risks. Instead of a vaguely defined overall strategy with one-size-fits-all solutions, your cyber security processes should examine how the business—revenue, IP, assets—is at risk and how the security strategy responds to those risks.
Armed with this knowledge, you gain a better understanding of how security investments relate to specific business objectives and specific risk vectors.
4. Strong security protects the bottom line
Cyber security directly impacts business outcomes. From protecting your data and assets to ensuring operational compliance, and guarding against attacks, a strong security posture helps the enterprise to be perceived as more trustworthy and thus gain a competitive advantage.
Entrepreneurs, first and foremost, are concerned with the company’s growth and its profits. If you treat cyber security as an abstract entity, you risk losing the trust and support of customers.
5. SMEs play a critical role in the global supply chain
Consider this scenario: your company makes a proprietary part or material used in energy distribution. State-sponsored hackers engaging in industrial espionage have several reasons to target your operations:
- They will attempt to steal your data and designs for their own strategic or financial advantage, jeopardizing your future success and profits.
- They want to illegally access your clients, such as a major commercial or government partner, who may be their ultimate targets.
And since attackers know that you invest very little in security, you’ve become an easy target compared to the “big fish” they’re after. Accessing your network to get to the larger organization is easier than going after them directly. You’ve just exposed your clients to potential harm by being lax with your own security.
These types of incidents happen all the time and should prompt SMEs to keep their business relationships from becoming potential cyberattack targets.
Better Cybersecurity for SMEs
There are several ways to achieve a stronger security posture, even with limited resources. Here are a few ideas to start:
- Benchmark your current level of security against the five core principles of the NIST Cybersecurity Framework. These principles are: Identify, Protect, Detect, Respond & Recover. You can’t address deficiencies you aren’t aware of.
- Enable multi-factor authentication (MFA) wherever possible within the organization.
- Consider implementing zero trust network architecture (ZTNA) to harden networks and reduce cyber risk.
- Consider a managed Security Operations Center (SOC) subscription. A SOC is where security issues are dealt with on an organizational and technical level. It will normally comprise a team of skilled cybersecurity experts who develop and implement security policies and use the necessary technology to monitor and respond to identified network threats. The SOC is composed of the three building blocks of people, processes and technology that go hand in hand to manage and enhance the organization’s security posture. Finally, governance and compliance provide a framework for tying these building blocks together.