Half of Small Businesses Hit by Cyber-Attack Over the Past Year

Cybersecurity has become a top concern for small and medium enterprises (SMEs) and nearly half (48%) of SMEs have experienced at least one cyber incident in the past year.

This is according to a new survey from accounting and payroll software provider Sage.

Roche Healthcare, one of Sage’s customers, is one of the SMEs that has recently experienced such an incident. Cindy Cleasby, a Roche spokesperson, shared her experience during a Sage event in London: “Two months after we decided to change our data hosting servers, the provider we were working with, who was hosting most of our data, was hit by a cyber-attack. They shut down the systems for six months, meaning we had to do a lot manually during that time, including invoices.”

Some companies surveyed by Sage were even more unlucky, with one-fourth (25%) of respondents saying they had to go through several cyber-attacks over the course of one year.

Cybersecurity Is a Priority for SMEs

According to the Sage survey, Cyber security for SMBs: Navigating Complexity and Building Resilience, most SMEs have developed a cybersecurity posture. For instance, 81% have implemented more than simple basic security controls.

A significant share of SMEs also has a sense of developing cyber resilience, with 58% declaring they were backing up their data.

Other findings in the report also show that cybersecurity is one of SMEs’ priorities, with two-thirds estimating that cybersecurity was part of their culture and four in 10 respondents saying they regularly discussed cybersecurity.

What Are the Challenges of Cybersecurity for SMEs?

The complexity of digital transformation makes it challenging for smaller firms to stay on top of security.

One significant challenge is remote working: while 81% of UK respondents said they have a process in place to manage cybersecurity risks for remote workers, only 53% closely monitor it. One-fourth (25%) of UK companies with a remote working security process admitted that some of their staff members weren’t following it.

Similarly, cloud migration poses many challenges for SMEs. Over half (52%) of respondents to the Sage survey said they were not fully confident about using cloud services for security reasons.

Kathryn Heath, a finance administrator at St George’s Church in Leeds, said that managing these complex IT environments feels “quite chaotic” for an organization like hers.

“I’m beginning to feel like I know just enough to be concerned. For instance, before talking to the person responsible for the security of our systems, I didn’t feel well informed about how complex our systems are, with the cloud, the data storage, the drives and the bespoke software we are running,” she said during the London event.

“We recently brought in a new contractor for our booking management system. An awful lot of research went into functionalities, price, easy use of customers and business benefits, but I can’t remember security being part of the discussion. We would assume that if we chose a reputable provider, good security measures are going to be in there.”

Meanwhile, the cyber threat landscape is also evolving rapidly, with phishing getting more targeted and ransomware getting more sophisticated.

This is one of the most significant concerns for SMEs, with half (51%) considering keeping on top of new cyber threats is their biggest challenge.

SMEs Want More Support to Improve Their Cyber Posture

However overwhelmed SMEs are with keeping up with technology and today’s cyber-threats it poses, the Sage survey also showed they are willing to improve their security posture.

For instance, 68% of respondents said they would use a more expensive supplier if it demonstrated superior security.

SMEs cannot improve their cybersecurity alone. Over half (52%) of the survey respondents said they wanted more support from the government, especially in raising cybersecurity awareness and deploying security training.

The General Data Protection Regulation (GDPR) was cited as one example where regulation helped drive cybersecurity.

“Sure, GDPR gave us a lot of headaches, but it also gave us some reassurance as it provided a clear set of measures to implement and conditions to meet,” said Heath.

Cleasby agreed, adding that at Roche Healthcare, cybersecurity measures were mainly driven by the data protection officer (DPO), a role introduced by GDPR.

What Cyber Resources Does the UK Government Offer to SMEs?

While the UK government is not planning to implement GDPR-like legislation for cybersecurity, Emma Green, deputy director for cyber resilience at the UK’s Department for Science, Innovation and Technology (DSIT), said during the Sage event that they were investigating the reasons for a decrease in cybersecurity investment from the country’s SMEs.

“This is the first time we see a decrease in SMEs’ cybersecurity investment, after many years of a slow increase, and the first time we see such a divergence between big organizations, who tend to keep investing more year on year in cybersecurity, and SMEs. I’m having a meeting this month with people from the London School of Economics (LSE), who are conducting research for us to dig deeper into this phenomenon.”

Although the security budget of most SMEs has recently decreased – primarily due to economic uncertainty and the rising cost of living – 91% of those surveyed by Sage believed they will increase in the next few years.

Meanwhile, Green said the UK government keeps pushing its risk-based approach to cybersecurity and promoting various resources for any organizations, including SMEs to improve their cybersecurity posture.

Resources offered by the UK government include the following:

  • Small Business Guide: Cyber Security: a free resource from the UK’s National Cyber Security Centre (NCSC) designed to help small businesses protect themselves from the most common cyber-attacks. The guide includes a number of practical tips and advice, such as how to choose a good password manager and spot a phishing email.
  • Cyber Essentials: a government-backed, industry-supported scheme to help organizations protect themselves against common online threats. It is a set of five basic technical controls that all organizations should have in place to guard against the most common cyber threats and demonstrate their commitment to cyber security: boundary firewalls and internet gateways, secure configuration, access control, malware protection and patch management.
  • Early Warning: a free service from NCSC that informs organizations of potential cyber-attacks on their network, as soon as possible.
  • Cyber Advisor: a scheme that provides SMEs with reliable and cost-effective cybersecurity advice and practical support. The scheme allows the NCSC to recommend independently assured organizations to consumers.

Read more: How Can SMEs Improve Their Cybersecurity Resilience?