The cybersecurity challenges for SMEs

To mark International Small and Medium-Sized Enterprises Day in June, besides the aforementioned basic steps, the EU Agency for Cybersecurity has published a report, Cybersecurity for SMEs, on how to better secure their systems and businesses.

The report analyses the ability of SMEs within the EU to cope with the cybersecurity challenges posed by the pandemic and determines best practices to mitigate those risks.

The main challenges identified during the interviews section of the study include low awareness of the threats posed to business by poor cybersecurity; the costs of implementing cybersecurity measures, often combined with a lack of dedicated budget; the availability of ICT cybersecurity specialists; a lack of suitable guidelines aimed at the SME sector; and low levels of support from management.

The common underlying issue appears to be management awareness and commitment, which in turn drives budget, allocation of resources and effective implementation of cybersecurity practices. Cybersecurity is not an issue that should only be discussed by IT teams; it needs to make its way into boardrooms.

Of the 249 European SMEs surveyed, more than 85% stated that cybersecurity issues would have serious negative impacts on their business within a week of the issues happening; 57% say they would most likely become bankrupt or go out of business.

Despite this, there is a tendency to believe that cyber incidents only affect larger organizations, and they are therefore still not considered a major risk to SMEs. It is important for SMEs to be aware of the consequences such incidents will have on their business if they occur. Many believe that cybersecurity controls included in the IT products they have purchased will be sufficient and that no additional security controls are necessary unless mandated by law.

Criticality and sensitivity of processed information as perceived by SMEs
Image: ENISA

The agency's cybersecurity advice for SMEs focuses on three crucial areas: people, processes and technical recommendations. The aim is to strengthen resilience across the whole value chain through the application of the 12 cybersecurity principles. The report also includes suggested actions that the EU Member States should consider in order to support businesses, associations and agencies in improving their cybersecurity posture.

Effective cybersecurity provides SMEs with the confidence that allows them to grow, innovate and find new ways of creating value for their customers in our online and interconnected world. Let’s support these businesses on their journey to better protection against cyber threats.