A fifth of small businesses 'have lost contracts' after they were used to attack a customer

News by Tom Reeve

Cyber-security is an existential threat to small and medium sized businesses, according to a survey by Webroot, which found that it is a concern ranking second only to Brexit.


Small businesses have lost contracts following cyber-security attacks (pic: Westend61/Getty Images)

Half of small to medium size businesses (SMBs) say cyber-security threatens their continued existence, according to a survey conducted by Webroot.

The survey, conducted by Censuswide in January, asked 501 IT decision makers in companies with 1-500 employees about their perceptions and experience of cyber-security risk. Respondents included businesses in the financial services, retail, healthcare and public sectors.

Almost half the organisations surveyed (48 percent) said they had suffered a cyber-attack or data breach, with 15 percent saying it had happened more than once. However, Webroot notes that these figures are conservative compared to other studies, raising the worrying prospect that most businesses are not aware that they have been attacked.

Asked to name their biggest concerns, 45 percent said uncertainty over Brexit and 35 percent said cyber-security. On average, they spend one day a week dealing with cyber-security issues, usually at unplanned times, the survey found.

A fifth of them (22 percent) said they have lost contracts after attackers used them to gain access to larger companies that they provided goods or services to.

Three-fifths conceded they needed to take a more proactive approach to protecting themselves.

Cyber-security falls to the IT manager to deal with in 75 percent of companies. In the remaining quarter of businesses, responsibility falls on the shoulders of the CEO 44 percent of the time.

One out of ten organisations (11 percent) said they have virtually no knowledge of cyber-security. The sector with the highest level of in-house expertise was the financial sector with 22 percent rating themselves as ‘expert’ while the lowest level of expertise was found in the retail sector.

Most companies rely on self-teaching and industry news to educate themselves about cyber-security – the average across all respondents was 41 percent but this rose to 47 percent for the smallest organisations. The rest relied on dedicated teaching and cyber-security providers to teach them.

Media reports about cyber-security have increased awareness, Webroot said, with 52 percent of respondents saying that news reports have made them change their approach to cyber-security. However, pushing against that was the view among SMBs that investing in cyber-security would hit profits (50 percent) and would result in no financial returns (24 percent).

Meeting GDPR requirements was cited by only 11 percent of the SMB respondents as a motivator for improving cyber-security, a figure that is perhaps explained by the fact that 39 percent of respondents say they don’t hold any data that would be of any interest to cyber-criminals.

Paul Barnes, senior director of product strategy at Webroot, said: "SMBs can no longer consider themselves too small to be targets. They need to use their nimble size to their advantage by quickly identifying risks and educating everyone in the business of how to mitigate those risks, because people will always be the first line of defence."

Theo Paphitis, business entrepreneur and #SBS Small Business Sunday creator, said: "It’s concerning that smaller businesses have had to deprioritise activities that would help them grow in order to address security issues. Educating small businesses on cyber-security and helping them get the right support to address challenges is crucial."

Ilia Kolochenko, CEO of High-Tech Bridge, said: "SMEs are a perfect Trojan horse to get into a larger company. [Attackers] don’t need to spend considerable effort, time and/or resources to pierce multi-layer corporate protection when you can target an SME, which has access to the crown jewels or an established relationship of trust and confidence with larger companies."

He added: "Frequently, however, the large companies are to blame for incidents involving their SME suppliers. Often, they blindly trust the suppliers and neglect basic security precautions. Few large companies have a well-thought program to manage and continuously monitor third-party risks."

Paul Norris, senior systems engineer for EMEA at Tripwire, said: "SMBs used to feel safer from the threat of cyber-attacks because they failed to see the potential value of their digital assets. Recently, criminals have figured out that through the weaker security layers of smaller contractors, they could not only obtain sensitive information, but they could also gain access to the networks of larger enterprises. Fortunately, awareness is increasing, and the fact that SMBs are worrying about the state of their cybersecurity is encouraging, because it means that they are taking steps to protect themselves."

Joe Collinwood, CEO of CySure, said: "Now more than ever it is essential to take action and reduce the risk of cyber threats. Without adequate protection business leaders are risking their future business growth and development."

Corey Nachreiner, CTO at WatchGuard Technologies, said, "SMEs who once believed they were not big enough or interesting enough to be targeted by cyber-criminals have woken up to the real threats they face on a daily basis. Unfortunately, they often lack the budget or in-house expertise to shore up defences and configure, monitor and update security products. The consequences are all too real."

Oz Alashe, CEO of CybSafe, said: "Most businesses are concerned about security on some level, but they don’t necessarily see how it applies to them. What we’ve seen in the news over the last few years is a series of high profile cyber-security incidents such as the WannaCry ransomware, alleged interference in the US elections, and non-stop reporting of data breaches. Although many of these attacks are alarming, they are encouraging small businesses to think about their own cyber security. The next step is for them to do something about it."

David Rogers, senior account manager at Evaris, said, "SMEs need to do more to train each and every person in their workforce – from the minute they start with the business – to ensure they understand data management, protection and disposal best practice. Most businesses roll out annual training sessions and think that it’s sufficient, but that’s not enough."

Some commentators suggest that cyber-insurance can be the answer for SMBs. Nikolaus Suehr, co-founder and CEO of KASKO, said the underwriting process has a number of benefits for SMBs including a thorough review of their cyber-security posture and helping to put a price on the risk they face.

"Smaller companies often have a mentality of believing that they are not a target and therefore don't need cyber-risk management in their respective roadmaps. They do not dedicate any resources to cyber-risk management and occasionally explore without really implementing cyber-security as a side project. The days of this being a valid approach are long gone, however," he said.

Jake Moore, cyber security specialist at ESET UK, told SC: "Reputational damage is so important to SMEs and is never truly assessed until it could be all too late. Some SMEs are even turning to cyber insurance, but insurance can’t repair a permanently damaged reputation."

Moore added: "For small and medium sized businesses, cyber-security can be expensive and most won’t have a CISO in place, nor will the board feature someone with experience in IT security. However, when we see companies realise the benefits of cyber-security as an investment rather than an expense, it can release more time for the board to focus on other business areas." 
