Businesses that fall into the “small and medium size enterprise” (SME) category are by far the most numerous in just about any given country or territory. They usually represent over 99% of the total businesses, and are responsible for somewhere between 50 to 70% of the jobs. Statistically speaking, that makes SMEs the most likely target of a cyber attack – particularly given that criminals perceive them as a lower-risk option that usually has lower cyber awareness than a larger enterprise.
A recent study conducted in major Asia-Pacific markets reveals that SMEs tend to be both overconfident and underprepared when it comes to cyber awareness. The study was confined to respondents in Singapore, Hong Kong and Australia, but there are lessons to be learned here for SMEs located anywhere in the world.
The SME study
The study was conducted by Chubb, one of the world’s largest property and casualty insurers. The cyber awareness survey included a total of 1,000 business owners from these three major markets. Respondents were asked:
- If they had experienced a cyber attack in the previous 12 months
- If they feel they are aware of all the cyber threats that could impact them
- If they knew which data files would be affected by a breach
- If they felt confident in being able to contain a breach within 12 hours
- If they felt confident that employees were aware of their data privacy responsibilities
- What internal factors most contributed to cyber incidents
- Who in the organization should ultimately be responsible for cyber security
- If they purchased and understood cyber insurance
Though the numbers varied somewhat by country, the survey results were fairly consistent. The majority of SMEs surveyed felt that they were better prepared for cyber attacks than their larger competitors, but had also experienced some sort of attack in the past year that could be attributed to an internal factor. In spite of their overall general feelings of confidence, SMEs appear to be less prepared and at greater risk on average than their larger competition.
The title Chubb chose for the study, “Too Small To Fail”, reflects their findings. SMEs have an unfortunate tendency to believe that they’ll simply fly below the radar of cyber criminals or that antivirus software is sufficient protection, when we know all too well that is not the case.
The Chubb cyber awareness study centers on the fact that SMEs surveyed experienced a high rate of internal security incidents in spite of their high confidence in their ability to handle their own risk profile. In fact, in Australia, the number of respondents who both experienced an internal incident and felt high confidence in their cyber awareness was dead even (60%). About 60% also felt that they were not knowledgeable about all of the potential cyber threats out there.
The leading incident factor reported by respondents was “business interruption from system malfunction and technical fault”, followed by “data loss through system malfunction and technical fault” and “human error” (which also encompasses intentional theft by employees) in second and third place respectively.
Response time is another significant issue highlighted by the survey. In Australia, the vast majority (87%) of respondents felt they could recover from a cyber attack. However, only 56% felt they could contain cyber security breaches within 12 hours.
Response time is critical because other surveys and studies have demonstrated that within the first hours of a breach, attackers are generally limited to basic and non-critical data. Critical data is usually accessed and exfiltrated over a period of days following the initial breach. Being able to clamp down on illicit access within 12 hours greatly reduces a breached company’s potential for catastrophic outcomes.
Small businesses tend to have inadequate response plans and security controls in place. And even if the plan is robust, it’s usually necessary to conduct live drills or exercises periodically to ensure that everyone is aware of their personal responsibilities in detecting and responding to a security breach.
Interestingly, the number of companies reporting cyber incidents in the past year is right about on par with cyber crime trend observations from other sources; while attacks on small and large companies were previously about evenly divided, cyber criminals appear to be showing a small but increasing preference for SMEs.
Responses to the question of ultimate responsibility in cyber awareness also indicate that differences in business culture may play a role in organizational preparedness.
Survey respondents in Singapore and Australia were about evenly divided as to whether the company CEO or head of IT should ultimately be responsible for cyber awareness and data security. However, in Hong Kong, there is an almost 2-to-1 belief that it is the responsibility of the IT department. It’s worth noting that the survey found that SMEs in Hong Kong appear to be experiencing attacks much more frequently (at 71%) than their counterparts in Singapore (at 56%).
Chubb’s response to these results is that there is some level of responsibility for cyber awareness and data protection within every department, but ultimately the figurehead must be someone in the organization who has adequate authority to effect change and implement appropriate training requirements.
Cyber awareness takeaways for SMEs
This comes hot on the heels of a December 2018 Aon poll that found that about 50% of UK SMEs had experienced cyber attacks and were also confused about GDPR information security rule implementation, and a mid-2018 report that 47% of United States SMEs had experienced a cyber attack yet 65% failed to take any action after one occurred.
Big lessons from this Chubb survey for all SMEs include the need to clearly establish and communicate hierarchy in terms of cybersecurity responsibility, and the need for all company members to understand their roles in an attack response plan.
Timely installation of software patches and updates is also key. But ultimately, SME security boils down to willingness to budget appropriately. This includes not just spending appropriately on security measures, but budgeting the time for awareness training in everyday security hygiene and response steps in the event of data breaches.