The EU is the world’s largest single market area and is the largest economy in the world, whether some people agree or not. Many may attribute that market size to large organizations and multi-national companies. While these are important contributors to the overall EU economy, Small and Medium Enterprise (SME) businesses form the backbone of the EU’s economy. This is also true of the UK, where the DTI estimates that SMEs make up 95% of the UK’s GDP. A huge percentage and one that might surprise you.
More than half (54%) of SMEs in the UK had experienced some form of cyber-attack in 2022, up from 39% in 2020 (Vodafone Study, 2022).
So, what can you do to better protect your business?
In today’s digital landscape, cyber security is a non-negotiable aspect of business success. The threats are real, and SMEs are not immune. In fact, they’re often the most vulnerable to cyber-attacks.
Solutions need not be complicated or expensive, yet many SME owners still act reactively, not proactively, to cyber threats.
The result? Huge costs to put things right and a massive hit on the company’s reputation and trust with their customers.
That’s why I’m excited to share a valuable (FREE) resource that we’ve been working on to help guide SME business owners in the right direction and provide valuable actions to fortify their company’s cyber security.
You can download your copy here: https://bit.ly/3qTCYkW
The underlying issue common to all SMEs appears to be management awareness and commitment, which in turn drives budget, allocation of resources and effective implementation of cybersecurity practices. Six categories of major challenges for SMEs have been identified:
Those of you who are amongst my regular readers will be quite aware of my mantra regarding Cyber Awareness Training for staff and managers. A big misconception is that because cyber security can be an issue connected to technical measures, it lies squarely within the realm of IT. Wrong. Cyber security needs to be part of the culture of the organisation, second nature to all. Staff need a basic awareness, and an understanding of how their attitude and actions can have a damaging effect on the business. A report for ENISA, the EU security agency, suggests that 84% of cyber-attacks rely on some form of social engineering, and that the number of phishing attacks within the EU continues to grow. This is echoed in the UK.
Budgets remain a problem. Many SMEs are low margin organisations, heavily reliant on cash flow, and therefore reluctant to spend on things that are not connected to their core business. But they must get used to asking themselves, ‘Is IT part of my core business?’, and ‘How long could I continue to operate my business if I lost my IT systems?’. Cyber security needs to be factored into budgets. Cyber security is an iterative process; it isn’t something to be done once and then forgotten about. The criminals are constantly evolving, and defences must evolve with them.
Cyber security expertise isn’t cheap or easy to obtain. Many IT companies will talk about their expertise in this area but if you delve into that, it is generally focused on products, mainly firewalls and anti-malware. Cyber security expertise goes much, much deeper than that and is as much procedural as it is technical. It starts with risk management, understanding the risks you face, which in turn is derived from threat and vulnerability analysis, matched to your cyber security assets. The latter are not necessarily hardware and software but can be much wider ranging than that. Typically, the type of person who can legitimately call themselves an expert in this field can command a salary north of £80K. I doubt there are many SMEs prepared to pay that, or indeed, many of the smaller IT companies.
It can also be advantageous to follow a standard. By far the most comprehensive is the International Standard for Cyber Security, ISO27000 series. However, this might be seen as a little heavy for many SMEs, although at the higher end, they may want to follow it, rather than seek certification. At the lower end the UK Cyber Essentials scheme, mandated for anyone wishing to do business with the public sector, is very suitable, inexpensive, and obtainable.
More and more SMEs are now moving to a cloud environment, be it MS365, Amazon Web Services or Digital Ocean, amongst others. I usually recommend that SMEs take this approach as it can solve a lot of problems, particularly with home working still very much in vogue. However, it is not the panacea that most think it is and still has some security issues, usually but not always at the user end, that need to be addressed.
Here at H2 we use our long experience of providing cyber security solutions to the large enterprises, to craft solutions for the SME community, having first identified the issues that the business faces. We take an approach that looks at things from the business point of view, managing risk and coming up with cost effective solutions which can be brought in in a phased way, for a subscription price. No large bills to damage that all important cash flow.