What are the most common cybersecurity challenges SMEs face today?

Small and medium-sized enterprises (SMEs) are considered to be the backbone of Europe’s economy. 25 million SMEs are active in the EU, and employ more than 100 million workers. ENISA identified the cybersecurity challenges SMEs face today and issued recommendations.

The ENISA report provides advice for SMEs to successfully cope with cybersecurity challenges, particularly those resulting from the COVID-19 pandemic. With the current crisis, traditional businesses had to resort to technologies such as QR codes or contactless payments they had never used before.

Although SMEs have turned to such new technologies to maintain their business, they often failed to increase their security in relation to these new systems. Research and real-life experience show that well prepared organizations deal with cyber incidents in a much more efficient way than those failing to plan or lacking the capabilities they need to address cyber threats correctly.

Juhan Lepassaar, EU Agency for Cybersecurity Executive Director said: “SMEs cybersecurity and support is at the forefront of the EU’s cybersecurity strategy for the digital decade and the Agency is fully dedicated to support the SME community in improving their resilience to successfully transform digitally.”

In addition to the report, ENISA also publishes the Cybersecurity Guide for SMEs: “12 steps to securing your business”. The short cybersecurity guide provides SMEs with practical high-level actions to better secure their systems, hence their businesses.

Based on an extended desktop research, an extensive survey and targeted interviews, the report identifies those pre-existing cybersecurity challenges worsened by the impact of the pandemic crisis.

Phishing attacks among the most common cyber incidents

85% of the SMEs surveyed agree that cybersecurity issues would have a serious detrimental impact on their businesses with 57% saying they would most likely go out of business. Out of almost 250 SMEs surveyed, 36% reported that they had experienced an incident in the last 5 years. Nonetheless, cyberattacks are still not considered as a major risk for a large number of SMEs and a belief remains that cyber incidents are only targeting larger organizations.

However, the study reveals that phishing attacks are among the most common cyber incidents SMEs are likely to be exposed to, in addition to ransomware attacks, stolen laptops, and CEO frauds. For instance, with the concerns induced by the pandemic, cybercriminals seek to compromise accounts using phishing emails with COVID-19 as a subject.

CEO frauds are other decoys meant to lure an employee into acting upon the instructions of a fraudulent email displayed as if sent from their CEO, and usually requesting a payment to be performed in urgency under business-like circumstances.

Challenges SMEs are faced with

• Low awareness of cyber threats
• Inadequate protection for critical and sensitive information
• Lack of budget to cover costs incurred for implementing cybersecurity measures
• Availability of ICT cybersecurity expertise and personnel
• Absence of suitable guidelines tailored to the SMEs sector
• Moving online
• Low management support.

“The COVID-19 pandemic generated many significant challenges for SMEs. For many SMEs remaining in business relied upon them being able to engage in new ways of providing their services to their customers. This very often entailed changing their IT systems or upgrading them to enable them to conduct business online or for their staff to continue to work remotely. While the cloud, remote working, and other IT services prevented many SMEs from going out of business many SMEs face new threats as a result of these technologies,” Brian Honan, founder of BH Consulting, told Help Net Security.

“Criminals targeted staff and clients with phishing emails, CEO fraud, and invoice redirection fraud. Many others faced attacks from ransomware gangs looking to take advantage of hastily put together remote solutions, or insecure personal devices used by staff. The report from ENISA highlights the key threats many SMEs throughout the EU faced during the pandemic and provides practical and cost effective measures to assist SMEs to deal with those threats,” Honan concluded.

How to address cybersecurity challenges?

The recommendations issued fall into three categories:

People – People play an essential role in the cybersecurity ecosystem. The report draws attention to the importance of responsibility, employee buy-in and awareness, cybersecurity training and cybersecurity policies as well as third party management in relation to confidential and/or sensitive information.

Processes – Monitoring internal business processes include performing audits, incident planning and response, passwords, software patches and data protection.

Technical – At the technical level, a number of aspects should be considered in relation to network security, anti-virus, encryption, security monitoring, physical security and the securing of backups.