Employees of small and medium-sized enterprises (SMEs) are four times more likely to encounter a cyber threat than those at larger organisations, according to security service Mimecast’s new Global Threat Intelligence Report 2024 H1.
The cloud-based email security service analysed more than 1.7 billion messages per day from over 42,000 customers and found that small businesses experience the highest volume of cyber threats. In the first quarter of this year, small and medium businesses saw 40 and 31 threats per user, respectively. Meanwhile, large enterprises only saw 11.
SMEs urgently need to pay attention to this. According to a new nationwide survey of 1,055 UK small business owners by 1st Formations, as many as one in five small businesses report having experienced cybercrime within the past 12 months.
Here’s why cybercriminals target SMEs, what security breaches really cost, and how organisations can stay vigilant.
Small businesses are data-rich but security-poor
Although SMEs may not handle the same volume of data as large corporations, they still have highly valuable customer data, employee data, financial records, and intellectual property on file.
According to IBM’s Cost of a Data Breach Report 2024, the most common type of data stolen or compromised in cyber attacks is customer personally identifiable information (PII). PII includes anything that can be used to identify someone, including a full name, email address, bank account number, National Insurance number, and more.
Consider the sheer number of records businesses store, from the founder’s home address to scans of employee passports. Even for micro businesses, the numbers are bound to be at least in the tens of thousands.
All businesses have a responsibility to keep this information secure for their customers and employees. If it gets into the hands of criminals, it can easily be used to commit identity theft and credit card fraud. Businesses also have a legal duty to comply with UK GDPR, the UK’s general data protection regulation.
Yet research shows that the majority of SMEs do not invest in the necessary cybersecurity measures to protect this data. Cyber insurance provider Cowbell found that only 1 in 5 have a cyber incident response plan in place, according to their 2024 survey of 500 UK SME chief executives. In addition, one in ten said they saw no need to enhance their position regarding cyber risk.
With so many of the UK’s 5.6 million SMEs underprepared for an attack, criminal opportunists may consider them easy pickings.
Lack of a dedicated team and training
One of the most significant vulnerabilities SMEs have is their lack of resources. Larger companies can afford to invest in sophisticated systems and hire IT teams, while SMEs don’t always have that luxury.
The UK Government’s Cyber Security Breaches Survey 2024 supports this. This survey asked 2,000 UK businesses and charities of all sizes about their cybersecurity positions over the past year. It found that micro and small businesses typically assigned cyber security responsibility to chief executives or senior managers.
Additionally, only 2% of micro businesses have someone specifically in an IT role looking after cyber security matters. With all the responsibilities senior staffers juggle, it can be hard for them to dedicate time to essential tasks, like monitoring networks for suspicious activity.
The study also revealed that in SMEs, cyber security is discussed with senior managers in an ad hoc, reactive manner (i.e. only when specific issues arise). Those with external IT contractors even felt like the ‘problem’ of cyber security had been passed over, causing them to disengage from the topic entirely.
The government’s survey also found that, compared to larger businesses, very few SMEs had any training or awareness-raising sessions on cyber security within the last 12 months.
All of this leaves SMEs’ data more exposed and at risk. Catherine Aleppo, UK sales director at cyber insurance provider Cowbell, is calling for better cyber education within SMEs. “More support and education on cyber risk and incident response planning needs to happen if businesses are to navigate these incidents and recover quickly. There is work to be done, raising critical awareness of cyber vulnerabilities and safeguarding the UK’s SMEs, who form the backbone of the UK economy.”
How bad can it really be?
Another key finding from the Cowbell survey mentioned earlier was that 32% of SME chief executives said they were confident that a cyber attack would not impact their ability to conduct business, and the majority of respondents (87%) did not consider consequent reputational damage to be a significant business risk.
Are they correct? Here’s the reality of data breaches’ financial and reputational costs using findings from the UK government’s survey. These numbers are based on the mean results of each organisation’s single most disruptive breach that year.
First, consider the average short-term direct cost of a breach, which includes payments to external IT consultants to fix the problem, payments to the attackers, and money they stole. The damage was far higher for medium/large businesses, at £4,670, compared to micro/small businesses, at £330. Medium-sized enterprises can assume a point between these ranges.
Secondly, there are the average long-term costs, including the cost of new or upgraded software or systems and legal fees post-incident. Again, these were higher for medium/large businesses, at £3,550, compared to micro/small businesses, at £90.
Thirdly, there is staff pay for the time spent investigating or fixing problems. This was £1,010 for medium/large businesses and £90 for micro/small.
Finally, indirect costs, including staff absences, the value of lost files or intellectual property, and the cost of replacing devices, cost £1,930 for larger businesses and £280 for micro/small ones.
Moreover, among the 50% of businesses of all sizes that identified a breach or attack, only 2% reported that it resulted in any customer complaints, reputational damage, or a loss of revenue or share value.
So, though small and micro businesses have highly valuable data worth protecting, the financial and reputational risk may be unlikely to put one out of business. Putting these findings together, a data breach may cost a smaller business (£330+£90+£90+£280) £790 in total.
However, the damage may be much more severe if it happens frequently. Considering 1st Formations’ finding of one in five UK small businesses having experienced cybercrime within the past 12 months, this is more than possible.
Checklist: countermeasures to prioritise today
There are steps businesses can take to protect themselves from cybercriminals. Here are five key recommendations:
- Invest in cyber security: whether it’s third-party support or hiring an in-house expert.
- Employee awareness training: educate staff on best practices, such as recognising phishing emails, using strong passwords, and multi-factor authentication.
- Develop an incident response plan: should a breach occur, this should set out which key staff to notify, the immediate steps to take, and how to comply with GDPR.
- Regular software updates: ensure regular updates of all software and systems to patch any security vulnerabilities.
- Back up data: regularly back up data to secure, offsite locations to prevent the financial risks of a ransomware attack.
Other useful resources include the Information Commissioner’s Office’s guide ‘72 hours – how to respond to a personal data breach’ and the National Cyber Security Centre’s Small Business Guide: Cyber Security.
Conclusion
SMEs are attractive targets for cybercriminals due to their valuable data and their lack of cyber security preparedness. While a single incident may not damage a company’s bottom line or brand reputation much (after all, mistakes happen), repeated breaches can become expensive and result in lost business. Therefore, it’s still essential for businesses to protect internal data and minimise the risk of cyber attacks.
By taking proactive steps, SMEs can significantly reduce their vulnerability to cyber threats.