
SMEs failing to address cyber threats despite risks

Small to medium enterprises are failing to prepare adequately to address cyber threats – despite the risks – because of a false sense of security, particularly in the UK, a survey has revealed.

Despite the WannaCry and Petya global cyber attacks, only 42% of SME IT decision makers polled in the UK, US and Australia are concerned about ransomware.

In fact, ransomware ranked lowest among concerns, with new forms of malware infections topping the list, followed by mobile and phishing attacks, according to a survey commissioned by security firm Webroot.

However, Webroot’s threat research from June 2017, which is based on data from a variety of businesses, reveals that more than 60% of companies have already been affected by ransomware, with the financial and retail sectors being hit the hardest.

In the UK, the research highlighted a false sense of security among IT decision makers. Even though 72% of UK respondents admit their businesses are not prepared to address external threats, 87% are confident their staff would be able to fully address or eliminate an issue.

According to the survey report, when a business suffers a cyberattack, the consequences are felt both internally and externally.

Almost 58% of UK respondents, compared with 65% globally, believe it would be more difficult to restore the company’s public image than to restore employee trust and morale.

Underscoring the need for proactive security solutions, respondents estimate a cyber attack on their business where customer records or critical business data were lost would cost an average of £737,677 in the UK compared with an overall average of £773,483.


Addressing the growing threat, nearly all respondents plan to increase their annual IT security budget in 2017 compared to 2016, according to the report.

SMEs with 100 to 500 employees currently manage IT security in various ways, the survey revealed. In the UK, 22% of SMEs have in-house employees who handle IT security along with other responsibilities, compared with the average of 20%.

A third of UK SMEs use a mix of in-house and outsourced IT security support, compared with an average of 37%, while 25% have a dedicated in-house IT security professional or team, compared with 23% on average.

In the UK, 92% of respondents believe outsourcing IT solutions would protect their organisation against threats and increase their bandwidth to address other areas of their business, compared with an average of 90%.

Using a third-party cyber security provider

Among businesses that do not currently outsource IT security, 82% of UK SMEs will likely use a third-party cyber security provider in 2017, compared with an average of 80%, which represents a big opportunity for managed security service providers (MSSPs), the report said.

“The lack of concern about ransomware is leaving a gaping hole in the security of global businesses,” said Adam Nash, regional manager for Webroot in Europe.

“This combined with the UK’s false sense of security when it comes to businesses’ ability to manage external threats is worrying,” he said.

According to Nash, SMEs can no longer afford to put security on the back burner and need to start engaging with the issues and trends affecting the industry.

“Enlisting the help and expertise of an MSSP is one way to implement a secure, layered approach to combat external threats,” he said.

Many SMEs fear cyber security attacks

Michael Donkin, director of IT support consultancy firm The IT Dept, said many SMEs fear cyber security attacks, but do not always address such concerns as fully as they perhaps should, which is borne out by this survey.

“Better, safer practices could be utilised by most of our clients, but immediate budgetary concerns can take precedence,” he said.

Donkin recommends that SMEs combine “front line” antivirus protection with other elements, such as anti-spam measures, firewall configuration, a quality data backup solution, employee awareness, and a “healthy dose of common sense”.

Lack of planned investment

The Webroot report comes a day after insurance firm Zurich published its report on a survey of 1,000 UK SMEs, showing that 49% of SMEs plan to spend £1,000 or less on their cyber defences in the next 12 months, and almost a quarter (22%) do not know how much they will spend.

The lack of planned investment in cyber defences is surprising in the face of increased attacks, the costs associated with those attacks, and the fact that strong cyber security has the potential to give SMEs an opportunity to stand out from competitors, with as many as one in 20 claiming to have gained an advantage over a competitor because of stronger cyber security credentials.

This trend is confirmed by a separate survey of SMEs by security e-learning firm CybSafe, which showed that half of SMEs polled have had cyber security conditions included in contracts with enterprise customers in the past five years, and one-third of respondents said they have had their cyber security measures questioned as part of winning contracts in the past year.

Also, 44% said they have been required to hold a recognised cyber security standard, such as ISO 27001, by their enterprise customers in the past five years and 28% in the past year alone, demonstrating a clear trend in enterprise approach to supplier information security.

Webroot advice to SMEs

  • Create a plan of action to respond to any type of breach that includes outside resources, like an MSSP.
  • Invest in employee security training to help prevent attacks.
  • Reliable mobile security is essential to protect from malicious applications.
  • Allocate any additional budget you may have where risks are highest.
  • Keep business devices up-to-date with the latest software and security patches.
  • Beware of ransomware. Implement strong back-up and business continuity plans.
