With the frequency of cyber attacks escalating over the past few years, more and more businesses are finding themselves victim to cyber criminals. But it’s not just larger businesses being targeted: an increasing number of small-to-medium-sized enterprises are feeling the threat too, and facing the same business disruption, financial losses, and damaged reputations as their larger counterparts.
So how aware are SMEs of the threat? And what measures do they have in place to minimise the risks? To find out, we went and asked them.
Here is a summary of what we discovered.
As digital innovation continues to strengthen its position in our business lives, the possibility of falling foul of a cyber attack inevitably escalates with it. But with the relentless pressures of running a business, improving and maintaining cybersecurity is often overlooked.
While it’s easy to understand why cybersecurity might not be at the forefront of our minds on a daily basis, there is evidence to show that it should be. According to a cybersecurity breaches survey undertaken by the UK Government in 2020, 46% of businesses had identified a cyber breach or attack, and a huge 32% were experiencing these issues at least once a week.
Furthermore, with the seismic shift in business practices caused by the COVID-19 pandemic, hacking and phishing scams are on the rise, with cyber criminals capitalising on the vulnerability of remote workers and the policies and procedures that weren’t fit for keeping them safe.
Our survey was created to find out more about current cyber awareness among SMEs and identify gaps where improvements can be made to their defence against cyber attacks.
Reflective of the growing use of IT systems in business operations within all sectors, we found that 81% of our respondents labelled data security as being ‘very important’ to their organisation, with a further 17% labelling this as ‘quite important’.
Current levels of data security awareness also scored highly, with 49% deeming their businesses to be ‘very aware’ of the risks and another 42.9% saying that they were ‘quite aware’.
But while awareness among our participants was looking strong, it appears that the COVID-19 pandemic has not spurred as many of them into action as may have been predicted. With just over half of the participants answering that data security was a higher priority for them in 2020, it seems that not all businesses have felt the need to reprioritise cyber security following the rise in threats.
The palpable disregard of the increasing threats throughout 2020 was perhaps even more surprising when contextualised by the significant 76% of respondents who felt that the pandemic had made businesses more vulnerable to attack. Some even shared that they had seen a direct increase in attacks throughout the pandemic, and went so far as to identify home working as the culprit.
It appears that a majority of attacks on respondents were phishing attempts through email, in which staff were encouraged to open malicious links and attachments. In one particular case, bank details were stolen by the attacker, and the company suffered financial losses as a result.
In another case, a hacker managed to take control of a business’ information system and encrypt it, causing the business to have to cease trading for a whole week while they regained control and restored their systems.
Processes and procedures are a great way for a company to encourage and cultivate a widespread culture of digital security. Therefore, it is somewhat reassuring to see that 61% of respondents have an Information Security Policy in place within their business, while 59% have a Remote Working Policy and 66% have a Password Policy.
However, it is worrying that, for each respective policy, 30% of respondents do not have one in place, meaning they are missing out on the opportunity to educate and inform their staff on how to stay cyber safe.
Virus and malware protection, on the other hand, seems to sit further up the list of priorities for most businesses, with 84% of respondents stating that their company’s software gets regular updates ‘as soon as they become available’.
Data security risk assessments are a great way of identifying where your business is succeeding and failing at keeping you safe from cyber threats. Our survey revealed that over 30% of respondents have not carried out such an assessment, highlighting what appears to be a notable ignorance of their value and significance.
Furthermore, the huge part that employees play in keeping our businesses secure also doesn’t seem to be hitting home, even though digital technology plays a part in the day-to-day work of most employees. It is therefore shocking to see that only 40% of respondents said that their businesses train staff on data security and cybersecurity threats, with a whopping 54% saying that they don’t.
Both of these omissions identify significant risks, but ones that could also be easily rectified through the roll-out of regular training and risk assessments.
This Standard has been developed by the ISO (International Organisation for Standardisation), which calls upon information security experts from all across the world to develop its requirements. With 114 controls designed to help businesses manage their information security and keep their data confidential and in line with the latest legislation, the Standard can help businesses to develop a real culture of security.