Following research conducted by ABN AMRO, of their 233 business customers, there has been a notable shift in cybercriminal behaviour, with smaller companies (who are unaware of their cyber risk) now facing the brunt of threat actors’ attention.
The concern is that small and medium enterprises (SMEs) are largely unaware of their vulnerability, whilst large companies (who were previously the focus of malicious activity) have ramped up their cyber risk awareness and mitigation strategies. Criminal groups will always look for the low-hanging fruit and leverage this lack of awareness, targeting SMEs as easy prey. However, their exposure is a double-edged sword, as awareness and preventative measures are a mandatory part of new legislation, with many victimised organisations facing crippling penalties for failing to integrate security controls.
It is the sole purpose of the hacker community to remain one step ahead of their victims, and the business community must be aware that malicious actors will continuously evolve their tactics, sharpen their technology, and develop sophisticated ecosystems designed to outwit their targets – undetected. Using artificial intelligence, threat actors rapidly crack passwords and are mastering various advanced phishing methods, stealing personal data and gaining access to vital systems with ease.
Larger companies tend to work with more vendors and third parties which increases their threat surface and exposes the data of the many customers they share. Third-party vulnerabilities are being exploited more than ever by cyber criminals, and we’re seeing attacks on IT companies that serve a wide range of customers hitting the press almost daily. As awareness of service provider cyber risk increases, cybersecurity standards have come into force, bringing these partners into the scope of regulation.
NIS2 (which follows the earlier Network and Information Systems guideline -NIS) requires companies to contractually record agreements on cybersecurity with their third-party suppliers and partners.
And as SMEs continue to fail in their duty to apply security controls and assess their exposure, they not only risk falling victim to a breach but also fail to meet the cybersecurity requirements of their more prominent clients. These are the very businesses that are now more affected by cybercrime than their larger peers – and in reality – are putting themselves out of business.
The true extent of SME cyber risk
COVID-19 brought on an accelerated digital shift, bringing SMEs increasingly under the radar of cybercriminals. This was observed mainly in the healthcare, financial and professional service sectors.
According to a publication by Swiss Re Institute (SRI), the total claims from SMEs suffering a cyberattack is in relative terms three times larger than for bigger organisations, with costs ranging from USD 20 000, to USD 100 000 for a company with a turnover of less than USD 50 million.
With high-profile cyberattacks hitting the news in recent years, large businesses and corporations are investing more heavily in cybersecurity tools, and cyber risk discussions are making it to the boardroom with management taking ownership of their responsibility. As adversaries are challenged with these tighter controls, they’ve turned their sights to small and mid-size businesses that demonstrate weaker defences and awareness, and essentially offer easy financial rewards.
Allianz Insurance has stated that most cyber incidents in the SME sector are ransomware attacks, however, social engineering scams are also on the rise. They’ve observed smaller companies are more exposed to supply chain attacks as they often purchase software program licenses from larger organisations and vendors. Digital supply chains and cloud service platforms make up 35% of the most critical cyber risk concerns for Allianz Risk Barometer respondents.
This, coupled with advances in AI and machine learning tools, further exposes small businesses as criminal hackers use their advancing technology to find and exploit vulnerabilities in threat detection models.
Smaller organisations are not investing appropriate funds and resources to mitigate cyber risk, a concern reflected in some alarming statistics.
- New cyber breaches in small businesses increased by 424% last year. (GNP Brokerage)
- 51% of small businesses have no cybersecurity measures at all. (The Small Business)
- The average annual loss from cyberattacks on a small business is around $25,000. (The Small Business)
- In 2021, the FBI’s Internet Crime Complaint Center received 847,376 malicious cyber activity complaints accounting for nearly $7bn in losses, the majority of which targeted small businesses. (CNBC)
When considering the reporting statistics gathered from the UK Governments Cyber Security Breaches Survey 2022, it may be fair to question how accurate the above cyber breach figures really are. Findings from the survey indicated that 30% of large businesses are significantly more likely than medium (16%) or micro/small (10%) businesses to publicly report their cyber risks, so the actual figures for attacks against the SME community may be far higher. Unfortunately, the cost of these incidents is often enough to force many SMEs to lay off staff and even close down altogether.
Despite this, in the UK Government Cyber Security Breaches Survey 2023, the proportion of micro-businesses declaring cybersecurity as a high priority decreased from 80% in 2022, to 68% this year.
Cyber risk accountability at the Board
Cyber risk is now a corporate governance issue for boards. CEOs are being held accountable and could face litigation if regulators find them negligent in applying adequate security and data protection controls.
The General Data Protection Regulation (GDPR), applies to companies operating in the EU that process personal data, imposing severe penalties of up to 4% of global revenue for failing to comply. Boards must get up to speed in understanding their responsibility to protect the data they hold, taking note of how these regulations apply to their business.
However, according to the above UK Governments 2022 Survey, just 50% of businesses and 42% of charities say they update the board on cybersecurity matters. Looking at the findings in relation to business size, 80% of large organisations update the board at least quarterly, 63% conducted a risk assessment, and 61% carried out staff training. This is compared with 50%, 33% and 17% respectively for all businesses. Furthermore, just 34% of businesses had board members or trustees who were accountable for cybersecurity. This lack of board-level cyber knowledge or awareness acts as a barrier when appropriating adequate levels of funding, processes, and controls.
The benefits of being cyber risk aware
According to the CrowdStrike 2022 Global Threat Report, their CrowdStrike Falcon OverWatch Team measured the time an adversary takes to move laterally from the initial point of compromise to another within the victim environment.
It revealed an average of just 1 hour 38 minutes, leaving very little time for response. When you add to this that it takes an average of 277 days to identify and respond to a cyberattack, we gain a much clearer picture of how extensive a cyber breach can be.
On the value of understanding your threat exposure, Chris Hazewinkel, CEO at Securesult comments:
“Most companies look for a business case to invest in cybersecurity, and from my experience, this is all too common with many reaching out for support after an incident has occurred. It’s important to look at cyber preparedness as gaining a competitive advantage, as when quality processes and controls are in place, you’re more likely to secure reasonable pricing due to lower risk, and that goes for cyber insurance costs too. Prevention ultimately increases company performance, and with just a one-hour conversation with a senior expert, personal liability can be avoided, maturity is increased, response times are dramatically reduced, and valuable insights are gained.”
Performing cyber risk assessments at least annually is the most crucial component of a good cybersecurity plan.
Gaining a clear picture of your organisation’s weaknesses and vulnerabilities allows you to identify potential threats and put controls in place to remediate those risks. With a clear understanding of your exposure, steps can be taken to align policies and procedures that bolster defences, keeping your business safe.
Want to know more about how we can help you?
Contact the team for more information: