Over a quarter of EU small businesses were hacked in the space of a year – How to protect your SME

Cyber attacks are on the rise in volume and sophistication, and SMEs are in the criminals’ crosshairs. 

The EU’s SMEs and Cybercrime report found that 28% of European SMEs had experienced at least one form of cyber attack during 2021. A separate study by La Mobilière in Switzerland: Teleworking and cybersecurity in Swiss SMEs [in French], showed that Swiss companies that use an IT service provider – which account for about 30% of SMEs with some regional differences – are better protected than those that do not.

The La Mobiliére study resulted in several key findings and recommendations for SMEs seeking to protect themselves from cyber attacks.

Key Findings

• SME leadership teams often feel that they have a good grasp of the threat of cyber attacks. This confidence may be misplaced.
• SMEs that have experienced a cyber attack are more inclined to protect themselves more thoroughly in the future.
• Many Swiss SMEs are taking steps on a technical level to secure themselves.
• SMEs that work with IT service providers for their cyber security are better protected from attacks.
• Technical solutions to cyber security are not sufficient on their own to fully protect companies from attacks. 
• Individual user behavior often poses the biggest cyber security threat.

Why are SMEs Inadequately Protected?

The report makes it clear that although Swiss SMEs are taking steps to protect themselves from cyber attacks, these steps often fall short of what is required. Some of the common reasons for this mismatch are:

• A misconception that SMEs will not be targeted because they are smaller and can go unnoticed, not being seen as high-value targets by criminals. 
• A belief that if IT security is outsourced to an IT service provider, little further action is required.
• Awareness of the threat of cyber attacks at management level is not reflected throughout the organization.
• Ongoing IT security and awareness training is not provided to all IT staff within the organization.

It remains true that the vast majority of cyber attacks occur through targeting staff through phishing attempts. Although SMEs are not unique in this respect, the level of damage caused and the potential for business disruption can be disproportionately large for smaller companies.

What to Look For in an IT Services Provider

For Swiss SMEs looking to use an IT service provider to improve their resilience to cyber attacks and ongoing threats, the authors of the report offered the following recommendations on what makes an effective partnership:

• Look for official accreditation and certification – such as ISO 27001 or ‘CyberSeal’ in Switzerland – as an indicator of competence.
• Regular security audits should be part of the service.
• Regular staff training is essential to boost threat awareness and adoption of safe practices.
• Constant communication between the SME and service provider, and clear lines of responsibility are key.
• The SME needs to be an active participant in its own cyber security.
• Thoroughly research a variety of service providers, and seek references and recommendations before making a choice.

Enhance, not Replace

Cyber security is an insurance policy against the potentially devastating impact of a security breach. Partnering with an IT service provider that can set up systems and train teams to be resilient to attacks can take the strain from internal resources and improve security. 

However, the La Mobiliére report makes it clear that using an IT service partner is not a way to outsource cyber security entirely. The company itself is still ultimately responsible, and internal teams need to be aware, educated and vigilant for new threats and counter-measures. 

To speak to a Penta consultant about how to protect your business, click here.