SMEs are a Cybercriminal’s number one target. Here’s why!
Last updated December 2023
Relevant statistics show that SMEs are among the most at-risk businesses when it comes to cybersecurity, and a lack of cyber awareness and digital transformation expertise only increases that risk. In this article, we discuss the relationship between cybersecurity and SMEs.
Why are SMEs targeted?
Cyber criminals target SMEs for several reasons. Regardless of geographical location or industry, criminals focus on whatever makes them money. No matter the size or profits of your organisation, the statistics below suggest that your company will eventually be targeted.
Some of the concerns raised by small business owners relate to their business size and profits. You may feel that you have no important assets, or that your company doesn’t make enough profit to attract cyber criminals.
This type of statement is precisely why cyber criminals target SMEs. Many small businesses underestimate the effect a cyber-attack can have on their business, and the actions they can take to prevent one. SMEs suffer as many attacks as larger businesses, if not more:
- 71% of Irish businesses suffered a cyber-attack in 2022.
- 36% of companies with fewer than 10 employees suffered an attack.
The vast majority of cyber criminals run automated tooling that scams or attacks thousands of companies at a time. As more companies move their operations online, their exposed attack surface grows. Scammers and hackers often prefer easier targets, such as SMEs, over large and well-funded corporations with dedicated security teams. For criminals, it is simply the cheapest way to make money.
Understanding cybersecurity threats
A successful cyber-attack can have a serious impact on your brand reputation, your revenue and your customers. A data breach can result in your customers’ data being accessed, sold on the dark web and used in further scams. Large breaches and hacks attract media attention and draw further awareness to what is, ultimately, your responsibility.
According to a report in 2020, only 55% of SMEs have a stringent cyber security policy in place. Only 45% have had any employee awareness training. These statistics show that SMEs are underprepared and unaware of the risks that a potential cyber-attack can present.
An effective cyber-attack can halt business operations and hold your private business information hostage. Malware can render computers, machinery and software unusable, costing you even more. While the criminals may promise to return your information after payment, there is no guarantee that they will. Both small (70%) and larger (72%) firms agree on the damage a data breach can do to their company’s brand and reputation.
Essential digital transformations
Largely due to Covid-19 and remote working measures, companies now operate more and more through digital channels. As businesses increasingly operate digitally, they adopt new software and technology into their organisation. The benefits of digital transformation can include increased efficiency, better customer facing applications and reduced expenses.
The more technology a company uses, the more exposed it is to attack over the Internet. When employees work with something unfamiliar to them, the chance of a mistake increases. Digital transformation experts can limit the risk your company takes on during the implementation, training and use of these new products.
Only 61% of companies with 250 employees or fewer are confident in their cybersecurity readiness. Educating employees on new processes, policies and software through qualified professionals can greatly reduce your risk profile.
Better understand how our parent company, Target Integration Group, digital transformation consultancy, can benefit your company here.
Common cybersecurity risks for SMEs
Several of the most common scams SMEs face arrive by text, email and phone call. Phishing (by email), and the equivalent techniques over other channels, are communications that appear to come from someone you are familiar with: a boss, a manager, or a colleague who would normally have access to payroll and company money.
These scams are automated, mass-produced and simple. By sending them to as many people as possible, scammers hope to trick someone into opening links, sending money or downloading malware onto their personal and business devices. Such scams prey on the most vulnerable people in society, such as elderly people and children who are unfamiliar with modern technology, but criminals target people of every age and background.
Scammers try to induce a feeling of panic or urgency in their victim. Their messages often include a deadline by which the victim must act or face a financial penalty. All these scams rely on the same principles, whether the victim is at work or at home: people who are distracted, unaware or in a rush are far more likely to make a mistake.
Cyber awareness training and strict cybersecurity policies are the best way to secure your company against these attacks. Read more about our cyber awareness course here, delivered by industry-leading cybersecurity experts with real experience in the field.
Business email compromise
One of the most common ways for attackers to gain a foothold in your business is business email compromise (BEC). A BEC is a scam email from what appears to be a trusted person within the organisation, typically requesting funds, personal information or access to a restricted part of the business. The sender’s address is usually misspelled or comes from a slightly different domain than the official company domain; in other cases the attacker has taken over a genuine mailbox, so the address is real and only the request itself gives the scam away.
These emails are simple to fake and can be extremely effective. According to IBM, the average targeted phishing campaign results in a 17.8% click rate. Attackers use this form of phishing to capitalise on the trust most employees place in their managers, bosses and other senior people within an organisation.
Once employees know to expect scam emails, a quick check of the sender’s address, a word with a colleague or a separate message to the supposed sender (not a reply to the suspicious email) can massively reduce your risk. Proper training will inform your employees about the dangers of opening attachments in, replying to and clicking links in unverified emails. Informing your employees about these risks is essential.
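As an added illustration of the address check described above (this is example code, not part of the original article or any Target Integration Group product), the following Python script flags the three sender patterns most often seen in BEC: a lookalike domain (typosquat, homoglyph or misleading subdomain), a different top-level domain, and a genuine-looking From: address paired with a Reply-To: that points elsewhere. The trusted-domain list, the homoglyph table, the edit-distance threshold and the sample headers are all constructed assumptions for this example.

```python
# Added illustrative example, not code from the original article or from
# Target Integration Group. The trusted-domain list, the homoglyph table, the
# distance threshold and the sample addresses are assumptions constructed for
# this example; adapt them to your own domains before relying on the check.
import unicodedata
from email.utils import parseaddr

# Assumed: the domains your organisation genuinely sends mail from. Add any
# subdomains you use (e.g. mail.example-corp.ie), or they will read as external.
TRUSTED_DOMAINS = {"example-corp.ie", "example-corp.com"}

# Assumed, non-exhaustive table of characters attackers swap for Latin letters.
# Two-character pairs are folded first so that "rn" becomes "m" before "1" -> "l".
HOMOGLYPHS = [("vv", "w"), ("rn", "m"), ("0", "o"), ("1", "l"),
              ("3", "e"), ("5", "s"), ("7", "t")]


def normalise(domain: str) -> str:
    """Lower-case, strip accents (e.g. 'é' -> 'e') and fold homoglyphs."""
    d = unicodedata.normalize("NFKD", domain.lower())
    d = "".join(c for c in d if not unicodedata.combining(c))
    for fake, real in HOMOGLYPHS:
        d = d.replace(fake, real)
    return d


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; catches one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]


def _domain(header_value: str) -> str:
    """Extract the lower-cased domain from a From: or Reply-To: header value."""
    _name, addr = parseaddr(header_value)
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def classify_sender(from_header: str, reply_to: str = "") -> str:
    """Return 'trusted', 'reply-to mismatch', 'lookalike domain' or 'external'."""
    domain = _domain(from_header)
    if domain in TRUSTED_DOMAINS:
        # A genuine From: with a Reply-To: pointing elsewhere is a classic BEC tell:
        # the victim's answer (and any payment details) goes to the attacker.
        if reply_to and _domain(reply_to) not in TRUSTED_DOMAINS:
            return "reply-to mismatch"
        return "trusted"
    norm = normalise(domain)
    for trusted in TRUSTED_DOMAINS:
        t = normalise(trusted)
        if (norm == t                                    # homoglyph: examp1e-corp.ie
                or edit_distance(norm, t) <= 2           # typosquat: examplecorp.ie
                or norm.startswith(t + ".")              # example-corp.com.evil.net
                or norm.split(".")[0] == t.split(".")[0]):  # same name, other TLD
            return "lookalike domain"
    return "external"


if __name__ == "__main__":
    # Constructed sample headers, not real traffic.
    samples = [
        ("Jane Murphy <jane.murphy@example-corp.ie>", ""),
        ("Jane Murphy <jane.murphy@examp1e-corp.ie>", ""),
        ("Jane Murphy <jane.murphy@exarnple-corp.ie>", ""),
        ("finance@example-corp.com.evil.net", ""),
        ("Jane Murphy <jane.murphy@example-corp.ie>", "Jane Murphy <jm.ceo@gmail.com>"),
        ("friend@gmail.com", ""),
    ]
    for frm, rt in samples:
        print(f"{classify_sender(frm, rt):20} {frm}")
```

A check like this belongs in the mail gateway or as a banner on inbound mail, not in the employee’s head; it complements, rather than replaces, the human steps of calling the sender on a known number and the payment-approval policy discussed below. The “same name, other TLD” rule will also flag domains your organisation legitimately owns but has not listed, so keep the trusted list complete.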
The most common outcome of a successful attack is payment diversion fraud, reported as the cause of a financial loss by 34% of affected companies. In a BEC this might take the form of a ‘CEO’ asking an employee for an urgent transfer of funds, which moves money directly from the company to the scammers. The request may also appear to come from an accounting department, a friend or a manager.
A policy that requires two or more people to approve any transfer of money, or any change to a supplier’s bank details, all but eliminates this risk. The confirmation must go through a channel the scammer does not control, such as a phone call to a number already on file, never a reply to the email itself. When an employee reaches out to a colleague to confirm a payment, scams are quickly discovered.
BECs provide hackers with an ‘entryway’ into a business, allowing them to collect information and procure assets. 41% of hacking attempts use phishing methods just like this to help them gain access to a company. Once a hacker has access, they can attempt further ransomware, malware or phishing attacks.
Ransomware is a form of malicious software that encrypts your files, limiting your ability to access sensitive data, operate machinery or continue specific business processes. This can result in a business effectively being locked out of its own systems. Ransomware generally targets an organisation’s private and confidential information, whether that is employee or customer data, and many groups now also steal a copy and threaten to publish it. The attackers offer to ‘unlock’ the data and return it to the business, for a fee.
Ransomware can have an extreme impact on the viability of a business. Of the Irish companies attacked in 2022, 30% of attacks involved ransomware. Two large and well-known ransomware incidents were the attack on the HSE in Ireland in 2021 and the attack affecting the National Health Service in the UK in 2022. Companies and organisations in any industry or sector can come under ransomware attack.
A report from ENISA in 2022 suggests that up to 62.12% of companies affected by a ransomware attack may have paid the ransom (pg.25). Less than half of these businesses received the stolen data back from the hackers. Of the companies who paid this ransom, 20% say they have undergone another attack. Paying this ransom is not an effective solution.
Robust cybersecurity policies, specific disaster recovery plans and an intimate knowledge of your company’s business processes can stop a ransomware attack from crippling your business. Maintaining backups that are kept offline or otherwise out of reach of an attacker who already controls your network, and that are regularly tested by restoring from them, implementing multi-factor authentication, and limiting access to sensitive data all reduce your exposure to ransomware attacks and other phishing attempts.