Small and medium-sized businesses (SMBs) are often referred to as the backbone of the British economy – with very good reason. First, SMBs are often not that small: the category covers businesses with up to 250 employees, which are pretty sizeable operations. Second, they make up over 99% of all businesses in Britain. According to the Federation of Small Businesses, there were 5.9 million SMBs in the U.K. in 2019, a formidable force when it comes to job and wealth creation.
SMBs are not one single amorphous group. They differ widely, not just in terms of size, sector and age but in terms of their aspirations, organizational structures and management styles and the range of issues with which they are grappling at any given time. However, with greater levels of scrutiny, commonalities become apparent and looking closely at these can be revealing about how SMBs view their growth prospects and the barriers to achieving these.
Cybersecurity and SMBs
When it comes to technology and cybersecurity, assumptions have been made in the past (and, sadly, sometimes continue to be made) that time-poor SMB business owners and decision makers tend not to think holistically about their use of technology as a growth-enabler. When it comes to cybersecurity, the misconception is that they simply do not have time to even consider adding this to their to-do list. New evidence, however, supports the view that these attitudes are far less pervasive among today’s more sophisticated SMBs, which comes as a relief to those of us familiar with the sobering statistics around SMBs and cybercrime.
Back in 2018 the British government was warning SMBs against complacency when it came to their cybersecurity in advance of the GDPR legislation that was about to come into force. The figures made for grim reading. Back then medium-sized firms experienced an average of six cyberattacks a year, with two in five micro and small businesses identifying at least one breach or attack in the previous 12 months.
It will come as no surprise to learn that the situation has not improved since then. In fact, cybercriminals, always on the lookout for their latest victims, are eyeing up SMBs and their valuable data – not to mention their vital place in the supply chain – with ever greater levels of interest. In 2019, 60% of UK medium businesses and 40% of small businesses reported they had experienced cyber security breaches or attacks in the last twelve months.
No doubt in response to this worrying reality, SMBs appear to be prioritizing their organizations’ data in greater numbers and are aware of the catastrophic impact a cyberattack could have on reputation and profit. New research from Sophos directly challenges any lingering assumptions that smaller businesses are not taking cyberthreats seriously. In fact, this research indicates that smaller firms are often well aware of the risk of cyberthreats – even if these concerns do not always translate into secure behaviour.
Cyberthreats more worrying than cashflow?
One of the research results that stood out for me, and which serves to highlight just how seriously SMBs now take cybersecurity, is that almost half (45%) of business and technology decision makers in the U.K. view the prospect of a cyberattack or malware infection as their single biggest concern, ahead of staffing issues (40%), keeping up with legislation (37%) and even cashflow problems (32%). Interestingly, the research showed it was not size that was the biggest differentiator when it came to attitudes to cybersecurity, but the number of years that an SMB had been in operation.
Younger companies, by which I mean those that have been in operation for five years or fewer, unsurprisingly appear to be more digitally inclusive and connected than their more mature counterparts. They are also happy to seek external IT support and expertise and are more aware of security. However, this openness and connectivity brings with it some significant potential risks associated with opening up their networks to third parties and employees’ personal devices. An added concern is that younger companies are also more likely to use consumer-grade security products, unlikely to be fit for purpose for a growing enterprise.
Older companies, established for 16 years or more, tend to be far more restrictive about network access. Although this undoubtedly brings security advantages, these are often offset by lower visibility in terms of cloud applications used, less emphasis on employee awareness training, and lower supply chain security than those of their younger counterparts.
If security best practice is to be effective it must be accompanied by an ongoing program of employee awareness training and support. SMBs of all sizes will all too often be reliant on their individual employees to install updates and to self-police their own security behavior. If these employees lack cyberthreat awareness they may fail to spot an update or even fall victim to a phishing scam, creating far greater levels of risk within a company.
It is vital to recognise that companies of different ages have markedly different areas of security vulnerability, and that IT security professionals working with SMBs understand and address these variations.
U.K. SMBs can no longer be accused of failing to understand or prioritize their company’s cybersecurity challenges. For many of them, securing their IT defences is absolutely front and centre of their business priorities. It is vital that IT security professionals also grasp the changing, multi-faceted nature of this sector’s security needs and adopt a layered defence-in-depth security model to meet these challenges.