When it comes to cyber security for SMEs, many are opting for cyber risk insurance. However, it doesn’t address the real problem.
Since the pandemic, traditional cyber targets have strengthened their security. Large businesses are no longer such an easy target for many hackers – but this may not be a good thing. Cybercriminals are increasingly turning their focus towards SMEs, putting thousands of companies at risk. Many SMEs have attempted to protect themselves by purchasing cyber risk insurance. But cyber risk insurance will not prevent you being compromised, and you cannot transfer the liability to the insurance company.
How much of a problem is cyber security for SMEs?
A study reported by Forbes from Barracuda Networks analysed thousands of companies. It found that businesses with fewer than 100 employees are 350% more likely to be victims of cyber-attacks when compared to large firms. When this is combined with the 600% increase in cybercrimes over the pandemic reported by TechRepublic, the threat is clearly there. Over 70% of SMEs will experience cyber-attacks, and 60% of businesses that are attacked will go out of business within six months.
Why are cybercriminals targeting SMEs?
Larger firms often have far more comprehensive cyber security and resources, dissuading would-be attackers from mounting an assault on their accounts. Instead, attackers look to infiltrate accounts and systems which senior staff use to communicate or work on sensitive or financial data. Forbes shared that “…hackers target high value accounts for takeover. Accounts of CEOs and CFOs are almost twice as likely to be taken over compared to average employees.” These accounts, such as CEO email accounts or system logins that enable access to company files, may provide access to large amounts of company data. Once an attacker has access to these accounts, they can use them to gather intelligence on the company and launch attacks internally.
Most SMEs will have taken steps to build cyber security defences, but with smaller budgets and fewer resources to prevent cyber breaches, it’s difficult to match or even come close to the sophisticated warnings and protections that large enterprises can muster.
Why cyber risk insurance can seem like a solution
Some small businesses resort to mitigating damages through the use of cyber insurance. At first glance, cyber insurance seems to be a pragmatic way to reduce the risks of cybercrime. Insurance can seem a cheaper option than maintaining strong cyber security internally. It’s intended to safeguard an SME financially against the damage caused by any cyber threats. Cyber insurance policies generally stipulate certain levels and measures of prevention, but meeting these doesn’t necessarily mean an SME is fully or even well protected.
Due to the relative youth of the cyber insurance market, prices can be volatile. According to the Wall Street Journal, last year premiums increased by 92% in the US alone. Eligibility and conditions are also tightening as the market develops, making cyber insurance less attractive to SMEs. Large-scale cost reductions have yet to be achieved: unlike in mature insurance markets (such as property or life insurance), calculating the risk of an attack on a specific company is currently very speculative, with many uncertainties that drive up prices considerably.
As with all insurance, there is also the risk of claims being denied for an increasingly diverse and complex array of reasons, or pay-outs being smaller than needed to mitigate the disruption and damage caused. Cyber insurance can also cause complacency: if the risk or threat has been removed in the short term, there’s less immediate pressure to focus on long-term SME cyber security. Exposure and claims could cause further insurance premium increases or put your firm at higher risk of a pay-out being denied.
What kinds of cybercrime do SMEs face?
The sophistication of cybercrime has developed markedly in the past few years, as attackers broaden their modes of attack. The most common forms an SME may face include:
- Ransomware. Malware which may either publish a victim’s data or deny access to certain files until a ransom is paid. Often, data is encrypted with such complexity that even an expert is unable to reverse the effects, forcing a payment.
- App frauds. Maintaining access and preventing breaches on company smartphones, or personal smartphones used for company business, is a complex challenge. Hackers may be able to use insecure devices to access data, passwords, emails or even a business’ private VPN.
- Phishing and spear phishing attacks. Sending convincing-looking fraudulent communications via email or messaging platforms to steal data or to install malware for future attacks. These may be specifically targeted. When employees have lower tech literacy, they may have little awareness of these attacks and can be vulnerable to both personal and business fraud.
- Interception attacks. Criminals intercept communications between two parties and alter them. For example, a hacker could intercept employee emails to gain access to valuable accounts, or to interfere with business by altering employee exchanges.
Cybercrime prevention should be your priority
Prevention is the gold standard in any market – it’s better to avoid adversity than strive to be compensated for it. Cars have crash prevention technology to decrease accident risks, homes have security systems to prevent burglaries, and doctors prescribe statins to prevent cholesterol-related health conditions. All these measures are more beneficial than insurance to mitigate the issues after the worst has happened. The same applies to cyber risk insurance – even heavy financial compensation is unlikely to make up for reputational damage and loss of customer trust, not to mention business disruption or complete stoppage.
A key cyber security strategy for SMEs is increasing employee awareness. Cyber-attacks are often successful due to employee error – if an employee is unaware of the tools used by criminals, they make their business far more susceptible to cyber breaches. Regular and thorough employee training has been shown to be a very effective defence against cybercrime.
Preventative cyber security tips for SMEs
Cyber security can be a complex business, but there are core activities that every organisation with a digital presence should put in place. The starting point must be reviewing how you currently protect your users and systems to identify gaps and weaknesses. SMEs must have monitoring in place to detect compromised email accounts and suspicious messages. Threat responses can be automated to streamline security. But keeping your cyber security software and protocols up to date is a full-time job. With cybercriminals refining their attacks every day, it’s vital to have the latest defence tools and detection in place.
Managing cyber security in-house can also put a strain on the budget and resources of a business. Many SMEs choose instead to partner with a cyber security specialist who understands the unique needs of SMEs and the challenges they may face.
How Six Degrees delivers market-leading cyber security for SMEs
At Six Degrees, our experienced team offers a range of services to help protect your SME. Our award-winning managed security services protect your organisation’s digital assets, helping you to reduce vulnerabilities and exposure to threats, including 24×7 monitoring and response to anticipate and defend against attacks.
Consulting and compliance services are an effective way of reducing your business’ vulnerability. SMEs can assure themselves that the organisation is compliant with data protection and other security regulations. Working with us, you gain access to third party industry experts who can advise on key decisions and help you develop and implement a robust cyber security strategy to safeguard assets and reassure customers.
Penetration testing can also offer an insight into the weak points of SMEs’ infrastructures, systems and processes, enabling them to strengthen their security and minimise vulnerability to attacks.
The bottom line: cyber security and cyber insurance are very different!
Cyber insurance is no substitute for robust preventative measures, constant monitoring and protection. If you do invest in cyber insurance, you will in any case need to demonstrate that you have defences in place before any claim can be accepted.
With the threats faced by SMEs in the cyber landscape growing so substantially, no responsible business leader can afford to be complacent. Cyber insurance will neither provide a blueprint for robust cyber security standards nor adequately protect organisations from disruption, reputational damage or financial loss.
To learn more about how Six Degrees can help your business put robust cyber security measures in place and maintain protection continuously, get in touch with one of our SME cyber security specialists.
About the Author
Chris Cooper is Cyber Security Practice Director at Six Degrees. At Six Degrees, we’ve been helping organisations confront cyber security challenges for over 15 years. While cyber threats are always developing, our experience and industry presence are testament to our ability to stay ahead of emerging threats.