What are we facing?
The world is in somewhat of a flux at the moment and SMEs are being battered from all sides, it seems. First, we have the increase in the minimum wage, which generally impacts SMEs more than corporate-sized businesses, and then the increase in NI. What we didn’t need was tariffs, although how much of an impact they will have on SMEs won’t be known for some time yet. The EU is the world’s largest single market area and is the largest economy in the world, whether some people agree or not. Many may attribute that market size to large organisations and multi-national companies. While these are important contributors to the overall EU economy, Small and Medium Enterprise (SME) businesses form the backbone of that economy. This is also true of the UK, where the DTI estimates that SMEs make up nearly 95% of the UK’s GDP. A huge percentage and one that might surprise you.
According to the Cyber Security Breaches Survey (gov.uk), half of SMEs in the UK had experienced some form of cyber-attack in 2024, with email phishing, spear-phishing, and social engineering continuing to trend as the most common and reliable means of illegally accessing a network.
NinjaOne produced a report which says that there were 7.78 million cyber-attacks on UK businesses in 2024. More than 400,000 cases of fraud and computer misuse were recorded. 50% of UK businesses experienced a cyber-attack.
The economic measures hitting SMEs discussed above are already having an effect, in that many SMEs are putting enhancements to their protections against cyber-attacks on the back burner. Those we speak to acknowledge the problem but are reluctant to spend money on anything that isn’t their core business. And we get that, we really do. After all, we are an SME ourselves.
What are the potential impacts of a cyber-attack on your business?
A successful cyber-attack can wreak havoc on your business, damaging your financial stability, customer trust, and reputation while inviting legal issues. The fallout includes:
The fear of legal repercussions is real too. Deploying inadequate security measures can lead to fines, regulatory sanctions and even legal action.
So, what can you do to better protect your business?
In today’s digital landscape, cyber security remains a non-negotiable aspect of business success. The threats are real, and SMEs are not immune. In fact, they’re often the most vulnerable to cyber-attacks.
Solutions need not be complicated or expensive, yet many SME owners still act reactively, not proactively, to cyber threats. The result? Huge costs to put things right and a massive hit on the company’s reputation and trust with their customers.
An underlying issue common to all SMEs is management awareness and commitment, which in turn drives budget, allocation of resources and effective implementation of cybersecurity practices. Six categories of major challenges for SMEs have been identified:
Risk Management
Now I know that many will say that this is a technical matter and that we have a company under contract that looks after our IT infrastructure and therefore we can safely leave it to them. Wrong. Ask them some simple questions:
It’s very important that business owners grasp the difference between the technical requirements of their networks, and the business requirement.
You carry out risk management on a daily basis as you go about your business. Cyber security is no different and a simple risk management process can save you money by targeting your limited spend where it really needs to go, not where you may think it needs to go. Here is a link to a short video on that risk management process, which should help you see that it’s not onerous and need not be costly.
Cyber Awareness Training
Some of you who are amongst my regular readers will be quite aware of my mantra in regard to Cyber Awareness Training for staff and managers. A big misconception is that because cyber security can be an issue connected to technical measures, it lies squarely within the realm of IT. Wrong. Cyber security needs to be part of the culture of the organisation, second nature to all. Staff need a basic awareness of how their attitude and actions can have a damaging effect on the business. A report for ENISA, the EU security agency, suggests that 84% of cyber-attacks rely on some form of social engineering, and that the number of phishing attacks within the EU continues to grow. This is echoed in the UK.
Budgets
Budgets remain a problem. Many SMEs are low-margin organisations, heavily reliant on cash flow, and therefore reluctant to spend on things that are not connected to their core business. But they must get used to asking themselves, ‘Is IT part of my core business?’, and ‘How long could I continue to operate my business if I lost my IT systems?’. Cyber security needs to be factored into budgets. Cyber security is an iterative process; it isn’t something to be done once and then forgotten about. The criminals are constantly evolving, and defences must evolve with them.
Cyber Expertise
Cyber security expertise isn’t cheap or easy to obtain. Many IT companies will talk about their expertise in this area, but if you delve into that, it is generally focused on products, mainly firewalls and anti-malware. Cyber security expertise goes much, much deeper than that and is as much procedural as it is technical. It starts with risk management: understanding the risks you face, which in turn is derived from threat and vulnerability analysis, matched to your cyber security assets. Those assets are not necessarily hardware and software but can be much wider ranging than that. Typically, the type of person who can legitimately call themselves an expert in this field can command a salary north of £80K. I doubt there are many SMEs prepared to pay that, or indeed, many of the smaller IT companies.
Security Standards
It can also be advantageous to follow a standard. By far the most comprehensive is the International Standard for Cyber Security, the ISO27000 series. However, this might be seen as a little heavy for many SMEs, although those at the higher end may want to follow it rather than seek certification. At the lower end, the UK Cyber Essentials scheme, mandated for anyone wishing to do business with the public sector, is very suitable, inexpensive, and obtainable.
Cloud Services
More and more SMEs are now moving to a cloud environment, be it MS365, Amazon Web Services or Digital Ocean, amongst others. I usually recommend that SMEs take this approach as it can solve a lot of problems, particularly with home working still very much in vogue. However, it is not the panacea that most think it is and still has some security issues, usually but not always at the user end, that need to be addressed.
About H2
Here at H2 we use our long experience of providing cyber security solutions to large enterprises to craft solutions for the SME community, having first identified the issues that the business faces. We take an approach that looks at things from the business point of view, managing risk and coming up with cost-effective solutions which can be brought in in a phased way, for a subscription price. No large bills to damage that all-important cash flow.
You can save 12.5% on your monthly charge by taking the Data Protection and Protective Monitoring managed services together