Under attack: how ready are SMEs for a cyber-attack?

National lockdowns have forced businesses to adapt, with many sending their workers home. With a new reliance on VPNs, cloud platforms, video conferencing software and mobile devices, businesses have undoubtedly begun to face greater risks in terms of cyber security.

And even if workers haven’t been sent home, businesses have had to contend with increasingly sophisticated phishing attacks preying upon COVID-19 and vaccination fears.

As a result, it is perhaps not surprising that research carried out by Carbon Black Reports found that 88% of UK companies have reported cyber security breaches in the last 12 months.

So, how prepared are SMEs for cyber security breaches? And what defences have they put in place? To find out, we carried out a survey of SMEs to learn more about their cyber security challenges.

Awareness of the threat

In our survey of SMEs, awareness of the threat posed by cyber-attacks and breaches was generally good, with 48.6% reporting that their business was ‘very aware’ of the risk, while another 42.9% said that they were quite aware. 

However, confidence was not quite as strong when it came to assessing their business’ ability to deal with and recover from a cyber-attack, with 14.3% of respondents saying they were unsure and 10% admitting that they weren’t confident at all.

And it appears that not all businesses have necessarily reprioritised cyber security in the wake of the drastic changes triggered by the global pandemic. Despite 75.7% of respondents saying that their business has been made more vulnerable to cyber security issues due to the pandemic, nearly half (42.9%) of SMEs interviewed said that they had not made cyber security a higher priority. 

Protecting their business

To protect their business from hackers, phishing attacks, malware and other cyber threats, our survey revealed that SMEs were employing a number of defensive methods.

Virus protection

Updates to virus or malware protection are installed quickly by the vast majority of respondents, with 84.3% installing them as soon as they become available. However, it does seem that some SMEs are leaving themselves exposed to attack when it comes to the use of mobile devices.

Our survey revealed that the use of mobile devices is widespread, with 51.4% using both work-issued and personal devices, such as laptops, tablets and mobile phones, for work. Worryingly, 10% of respondents reported that these devices had no protection, leaving the door wide open for an opportunistic attack.

Password protection

Weak password protection can be a simple way for cyber criminals to gain access to confidential business information. It is therefore reassuring that 65.7% of our respondents have put some kind of password policy in place, although this number could be higher. 

A similar number (67.1%) also enforce password complexity and structure, such as the use of different characters and unrelated words, to make their passwords more impenetrable.

Interestingly, the use of two-factor authentication, in which a code accessed by SMS or other means is used in addition to a password, was not as widespread as it could be. Of our respondents, 33.3% were not using this secure method to keep access to confidential information extra secure.

Risk and training

Risk assessments don’t just apply to health & safety. Data risk assessments are ideal for identifying weaknesses within a businesses cyber security and provide a grounding for detailed disruption or continuity planning should an attack occur.

However, while 52.9% of our survey respondents had carried out such a risk assessment, a significant 31.4% have not. This is concerning given that 21.4% of our survey participants have already had a cyber-attack.

Training on cyber security also seems to be a weak point in the defence strategies of SMEs, with 54.3% of respondents admitting that their business does not offer this kind of training. This is surprising as employees can be the weak link in a cyber security strategy, and cyber criminals can easily target them with sophisticated phishing attacks. Providing training which informs workers how to identify suspicious activity and how to report it can ensure that a business’ frontline defence remains strong.

Improving cyber security

What our survey of SMEs has revealed is that there is still plenty of room for businesses to increase their cyber security and reduce their risks.

Simple changes, such as providing training to staff, enforcing password complexity or carrying out regular data risk assessments, can go a long way to protecting a business from malicious attacks. 

But those who really want to take cyber security to the next level could take a look at ISO 27001, the international Standard for information security management.

With more than 100 controls, this Standard can help businesses to stay on top of cyber threats, develop a culture of security among their workforce and provide reassurance to clients that they have processes in place to keep information confidential.

To find out more, head over to our ISO 27001 webpage.