Cyber Awareness Training Data Breaches and their consequences General Security Issues Ransomware, Phishing and other Malware Risk Analysis and Security Strategy Security Tools Supply Chain Security

More on budgets

I’ve been talking recently about the relationship between IT and cyber security budgets for SMEs and I mentioned that at one time, the recommendation was that 5% of IT budgets be put aside for security.  Well, that figure has gone up year on year and is now about 15%.  Of course, these percentages work well in the corporate market where IT budgets can run into the millions, but in the SME world, where budgets are tiny in comparison, the percentages don’t work quite as well.  After 15% of very little, is very little.

So where does that leave us?  We still have to budget, failing to plan is planning to fail – how’s that for a nice bit colloquialism.  Budgets are necessary.  IT whether hardware or software, doesn’t stand still, it moves forward rapidly and the hardware you bought two years ago will often struggle to run some of the software upgrades, and those upgrades themselves come thick and fast.

Cyber security is no different.  We have to contend not only with those software implementations, many with vulnerabilities already present, but with cyber criminals who are always pushing the boundaries.  We play catch up.  We always have and probably always will.

So what are we budgeting for?  SMEs face several challenges in implementing adequate cybersecurity defences. These challenges arise due to resource constraints, lack of expertise, and evolving threats. Some of the biggest issues are:

  • Cybersecurity tools, training, and infrastructure
  • Inadequate funding for the above.  SMEs will naturally prioritise business growth and operations over cybersecurity investments.
  • Lack of Expertise
  • SMEs often lack dedicated cybersecurity personnel or in-house IT teams.  Limited access to experienced professionals makes it difficult to implement and maintain robust security measures.
  • In adequate or lack of cyber awareness and training
  • Employees may lack awareness of cybersecurity risks and become easy targets for phishing or social engineering attacks.
    • Insufficient training on best practices, like identifying suspicious emails or handling sensitive data securely.
  • Underestimation of Risks
  • Many SMEs believe they are too small to be targeted, making them complacent.
    • Attackers often target SMEs precisely because they assume SMEs are less secure than larger companies.
  • Rapidly Evolving Threat Landscape
  • Cyber threats like ransomware, phishing, and zero-day exploits are constantly evolving.
    • SMEs struggle to stay updated with new technologies and threats.
  • Outdated Technology
  • Reliance on legacy systems or software that lacks regular updates or patches.
    • Limited investment in modern security tools, such as firewalls, endpoint protection, or intrusion detection systems.
  • Third-Party Risks
  • SMEs often rely on third-party vendors or service providers, which can introduce vulnerabilities.  Don’t assume that your IT vendor has a grip on security – they are often as ill-informed as you are.
    • A breach in one partner’s system can cascade down to the SME.
  • Compliance Challenges
  • SMEs may not have the resources to understand or comply with cybersecurity regulations (e.g., GDPR, CCPA, PCI DSS).
    • Non-compliance can result in fines or penalties, exacerbating financial pressures.
  • Insufficient Incident Response Plans
  • SMEs often lack a formal incident response plan to handle breaches or attacks.
    • Without predefined protocols, responses to incidents are slower and less effective.
  • Shadow IT
  • Employees may use unauthorised software or devices without IT approval, creating vulnerabilities.
    • Shadow IT can bypass existing security measures.
  • Supply Chain Attacks
  • Cybercriminals target SMEs as an entry point to larger companies in their supply chain.
    • SMEs often lack robust controls to mitigate supply chain risks.
  • Difficulty in Accessing Cyber Insurance
  • Obtaining cybersecurity insurance can be difficult or expensive for SMEs, especially if they lack basic protections.
    • Insurers often require proof of a certain level of security maturity.

These days addressing these challenges requires SMEs to adopt a combination of cost-effective solutions, such as managed security services, regular training, and leveraging cloud-based security tools.  Effective cyber security is a business issue, not an IT issue and requires a thorough understanding of the risks, vulnerabilities and threats, that a business faces.  It requires a professional approach from a security professional that most SMEs can’t afford to employ, so the next best thing is to partner up with such an organisation.

H2 provides affordable and flexible one-off and ongoing data protection and cyber risk protection services designed specifically for SMEs; at a price they can afford.  Our advice and guidance takes a unique look at the problems facing SMEs whilst calling on our vast experience working for the larger organisations and government departments.

Scroll to top