Did you know that October is Cybersecurity Awareness Month? No – not terribly surprised after the poll we put out asking how important this subject was. The response was truly frightening. Cybersecurity Awareness Month has participants in many countries, is sponsored by many governments, and tries to push awareness of the importance of this subject across all industries.
Why do we think it’s so important? Why would an SME bother with it? Well, in short, it’s probably the single most cost-effective and quickest win you can make. It really doesn’t have to cost a fortune, it’s not techie if done right, and it is educational. It beefs up your security by ensuring your staff can spot a scam when they see one, can recognise social engineering and know how to counter it, and won’t open a rogue email, and it generally keeps the subject at the forefront of minds.
OK, but what’s the threat? Do hackers/scammers prey on SMEs? Is there sufficient financial reward there for them? Yes, yes and again yes. North of 90% of UK GDP comes from SMEs. Just think about that – 90% of the country’s wealth is generated by SMEs, which makes them a huge financial target. The big companies spend a fortune on cyber security protections. Most spend up to 15% of their annual IT budget on security, and when you think that the IT budget often runs into millions, that’s big bucks. SMEs can’t afford that, and that makes them a much easier target.
I wrote a blog recently about the findings of the 2024 cyber security breaches survey. The report tells us that among businesses, there has been a shift in the proportion saying cyber security is a “fairly” high priority (e.g. from 35% of businesses last year, to 40% this year). The proportion of businesses saying it is a very high priority is consistent with last year (36% last year and 35% this year). In 2023, as evidenced by the qualitative interviews, it was felt that cyber security had moved down the agenda among the businesses where it was already seen as a more marginal priority, and among businesses that typically have the fewest resources to deploy. The qualitative findings this year point towards an increased awareness of the risks that are faced when not prioritising cyber security, which could explain the increase in businesses this year rating it as a high priority.
It is more common for larger businesses to say that cyber security is a high priority (93% of medium businesses and 98% of large businesses, vs. 75% overall). The same is true for high-income charities (93% of those with income of £500,000 or more, vs. 63% overall). This continues the pattern seen since 2020, where larger organisations tend to treat cyber security more seriously, and consequently allocate more resources to it.
Businesses in the following sectors tend to treat cyber security as a higher priority than others:
These percentages are still very low and, if we drill down, we find that the prevailing answer amongst SMEs remains to reach for technology for protection. Technology will help, but it isn’t the full answer. When faced with constraints such as a tight budget, it’s essential that a business prioritises its spend, making sure that it is targeting what really needs protection and that the protections in place are actually doing what you think they’re doing. That is essentially what we mean by risk management. It’s a business issue, not an IT issue.
In the 2024 survey, half of businesses and around a third of charities report having experienced some kind of cyber security breach or attack in the last 12 months. As in previous years, larger businesses and charities are more likely to identify breaches or attacks than smaller ones. This latter point is worth mentioning because it’s generally only the larger businesses that have some kind of monitoring in place to identify an attack, and many smaller businesses only find out when they start losing money.
Of course, good old COVID has had its effect, and I know we still bang on about it, but that’s because its effect is long term. It has changed our working practices in many respects. There is currently more of a move towards a return to the workplace, but some businesses have embraced the hybrid working practice and look unlikely to change. My own client base has only seen one client move to 100% remote working, but they are all working some form of hybrid working pattern.
Many corporates have had some form of hybrid working for a long time, pre-COVID. When I was at HP, and before that at Symantec, we worked the hot desk system with people working remotely a couple of days a week. It’s not new at that level but it is at the SME level, and we need more sophisticated ways of protecting ourselves at a price we can afford. That’s been the focus for us, and we are now confident that we have solutions that fit an SME’s requirement, at a price they can afford.