Cyber attacks in SMEs: how companies can strengthen their resilience

The number of cyber attacks is rising. SMEs are increasingly the target: with inadequate protection, hackers often have an easy target. What can SMEs do to find a secure yet pragmatic solution? Risk awareness, IT infrastructure and data literacy are three areas where companies can take action.

Malware, ransomware, DDoS attacks, phishing emails: more cyber attacks were reported in 2021 than ever before. The Federal Criminal Police Office (BKA) recorded 146,363 offenses – an increase of twelve percent over the previous year. This number is expected to increase further this year. In addition to the financial damage, which according to Bitkom’s Economic Protection Report (Wirtschaftsschutzbericht) now amounts to €223.5 billion a year in Germany, there are also other risks: infrastructures and supply chains can be paralyzed, or in the worst case scenario, the entire business operation. Hackers are by no means only targeting large corporations. The risk is particularly high in medium-sized companies. While corporations are already suffering significant damage, cyber attacks can quickly threaten the entire existence of a medium-sized company.

80% inadequate security in SMEs

Hackers often have an easy time of it, especially in small and medium-sized businesses, as the German Insurance Association (GDV) revealed in its latest survey: 80% of small and medium-sized businesses do not fully meet the basic IT security requirements. According to the GDV, they do not perceive a threat because they do not consider their company and its data to be of sufficient interest, or because they have not suffered any damage to date. Moreover, at first glance, the time and expense involved in security projects do not seem to contribute to the growth of the company, so the matter is put on the back burner. The consequences often only become apparent once the damage has been done.

Instead of waiting until the worst happens, it is advisable for companies of all sizes to take cyber security precautions in advance. Proven measures can be used to build up an initial basic level of protection quickly, which can be expanded at a later stage. In addition to technical precautions, however, handling data prudently is also a prerequisite for protecting them. The question is, how can SMEs address these technical and organizational requirements in a pragmatic way? The following three starting points offer some guidance:

Where SMEs can make a start

1. Create awareness of the risks

Even if a company does not have 1,000 employees and terabytes of data, it is still at risk of falling victim to a cyber attack. For one thing, high-quality data, even in smaller quantities, can be attractive to hackers. Furthermore, many companies often do not even know how much valuable data they have because of a lack of transparency in this regard. Even if the data are not actually of interest, some hackers simply want to obstruct processes and demand a “ransom” for releasing them again. For an SME whose core business is production, this can result in losses that threaten the company’s continued existence. However, both data and processes are essential elements of digitization. Many decision-makers also know that they want to use their data to implement automation and AI solutions – in order to optimize their processes and open up new business areas, for example. Cyber security solutions are part of the implementation process. After all, if new solutions and processes are compromised along with the associated data, they cannot create any added value.

2. Modernize the IT landscape

Modernization becomes particularly critical when a company’s software is outdated and its vulnerabilities are documented in publicly accessible vulnerability databases: hackers will find everything they need to conduct an attack in no time at all. Modernizing the IT landscape is on the agenda of most SMEs anyway when they optimize processes and network systems as part of a digital transformation. Security solutions can be implemented at the same time, for example a secure cloud migration, new authorization and authentication procedures with single sign-on and multi-factor authentication (MFA), and an IT architecture designed in line with zero trust principles. Companies do not have to spend a lot of time building up expertise in such solutions themselves. They can call in external support, ideally a partner that combines digitization and security expertise and implements both in a coordinated manner. A helpful criterion for selecting IT and security consultants is their project history: if the external consultants have implemented projects in SMEs as well as in corporate groups across various industries, there is a high probability that they will be able to transfer the expertise they have gathered there and bring best practices to other projects.

3. Strengthen digital literacy

Secure handling of data is not just a matter for admins and data protection officers. Every employee who works with data can help protect them if they know how best to store them, which data they are allowed to share or duplicate, and how to recognize anomalies that indicate security vulnerabilities or even intrusions. It is helpful if the management actively promotes data literacy and cyber security awareness, for instance by providing data literacy training for all members of staff. This helps on two fronts: defense against cyber attacks and data quality. The latter improves when employees become more aware of how they handle data, for example by avoiding redundant data storage and reducing the error rate during data entry. This high-quality database then pays off in turn when companies want to use AI to make decisions and improve processes.

How far have you progressed in terms of IT and cyber security? Where do you need support? Feel free to exchange ideas with Dr. Jan Ciupka and his colleagues: you can contact them here.