Introduction
Digital transformation brings numerous advantages such as cost reduction, accelerated growth, and enhanced user experiences. However, it also results in the rapid expansion of attack surfaces and the emergence of new cyber threats. Network boundaries now encompass offices and branches, connections to the internet and partners, remote workers, and cloud platforms. We will investigate why cyber risks for SMEs are increasing.

These new network boundaries introduce vulnerabilities faster than IT can address them. Modern IT is the heart of innovation, driving digital transformation through IT modernisation. Implementing a cyber security approach is crucial for organizations to ensure their safety and success in their digital transformation initiatives.
Definition of SMEs
In the UK, a Small and Medium-sized Enterprise (SME) is defined based on the number of employees and financial metrics:
- Medium-sized enterprises: fewer than 250 employees, with an annual turnover of less than €50 million or a balance sheet total of less than €43 million.
- Small enterprises: fewer than 50 employees, with an annual turnover of less than €10 million or a balance sheet total of less than €10 million.
- Micro-enterprises: fewer than 10 employees, with an annual turnover of less than €2 million or a balance sheet total of less than €2 million.
SMEs are crucial to the UK economy, making up 99.9% of all businesses and employing over 60% of the workforce.
| Size of Business | Staff Headcount | Annual Turnover |
| --- | --- | --- |
| Medium | Under 250 | Under €50 m |
| Small | Under 50 | Under €10 m |
| Micro | Under 10 | Under €2 m |

Overview of cyber risks for SMEs
Today, managing risks has become a critical challenge that often impacts the performance of SMEs.
Like larger companies, SMEs constantly face various risks. However, their smaller financial and non-financial resources make them more vulnerable at any given time.
Small and medium-sized enterprises (SMEs) can be significantly damaged by cyber attacks for several reasons:
- Limited Resources: SMEs often have fewer financial and technical resources to invest in robust cybersecurity measures compared to larger corporations. This makes them easier targets for cybercriminals.
- Financial Loss: Cyber attacks can lead to substantial financial losses. This includes direct costs like ransom payments in ransomware attacks, and indirect costs such as lost business, legal fees, and increased insurance premiums.
- Reputational Damage: A cyber attack can severely damage an SME’s reputation. Customers may lose trust in the business’s ability to protect their personal and financial information, leading to a loss of clientele and revenue.
- Operational Disruption: Cyber attacks can disrupt day-to-day operations, causing downtime and affecting productivity. This can be particularly damaging for SMEs that rely heavily on their IT systems for business operations.
- Data Theft: SMEs often store sensitive information, such as customer data, financial records, and intellectual property. Cybercriminals can steal this data, leading to identity theft, financial fraud, and competitive disadvantages.
- Gateway to Larger Targets: Cybercriminals sometimes target SMEs as a way to gain access to larger organizations they do business with.
Cyber security breaches
The Cyber Security Breaches Survey from the UK government reveals that attacks remain a common threat. Notably, three sectors (food and hospitality, entertainment, and construction) are less likely to have a range of security rules or controls in place.
The government recommends following the Cyber Essentials scheme, which is based on 5 areas of cyber security controls:
- Boundary firewalls and internet gateways
- Secure configurations
- User access controls
- Malware protection
- Patch management (i.e. applying software updates).
Unfortunately, the use of these controls seems to have declined since 2021, and these changes are “predominantly driven by SMEs, and micro businesses, the score of large businesses have not fallen”.
General Trends and Risks
- Some sectors are particularly attractive to cybercriminals due to the sensitive personal and financial information they handle, including bank details and identification.
- The shift to remote work during the COVID-19 pandemic has heightened vulnerabilities, as many companies may not have robust cybersecurity measures in place.
- The increasing sophistication of phishing attacks, including those that exploit social engineering techniques, poses a significant threat to businesses in London. These attacks are expected to evolve further, making them harder to detect and counter.
Understand the recommendations
Not an IT specialist or a cyber security expert? Does the cyber security scheme look too complicated? You can focus on 3 comprehensive steps that you can understand and act on with your IT or cyber security partner.

Download the free ebook for more details