A new report on Cybersecurity for SMEs by the EU Agency for Cybersecurity (ENISA) identifies the most common cyber incidents faced by SMEs. The report is accompanied by recommendations and is directed at owners and employees of SMEs as well as those in the broader SME ecosystem.
Over a third of the 250 SMEs surveyed by ENISA had experienced a cyber incident in the last five years and over half indicated that a serious incident could lead to business failure. While the majority of SMEs use some security controls (such as backups, antivirus protection, firewalls), far fewer train all their staff or utilise logging and alerting systems. While many SMEs resorted to new technologies during the pandemic, for instance use of QR codes or contactless payments, not all took steps to enhance security around new systems. Most SMEs do not perceive cyberattacks as a major risk – and many consider that only larger companies are targeted.
Common cyber incidents and challenges
According to ENISA, the five most common cyber incidents experienced by SMEs are: phishing attacks, web-based attacks, general malware, malicious insiders and denial of service.
While SMEs face multiple challenges in dealing with cybersecurity, management awareness and commitment is a common underlying issue. This in turn drives decisions on the allocation of budget and resources as well as impacting the effective implementation of cybersecurity practices. Other challenges include:
o Low awareness of cyber threats
o Inadequate protection for critical and sensitive information
o Lack of budget to implement cybersecurity measures
o Availability of cybersecurity expertise
o Absence of tailored guidelines
o Increased online presence
12-steps to better cybersecurity
A short, accompanying Cybersecurity guide for SMEs sets out 12 practical steps to better secure their systems and businesses -
- Good cybersecurity culture – covering management responsibility, employee buy-in, proper cybersecurity policies, regular cybersecurity audits and appropriate data protection;
- Provision of appropriate training;
- Effective third-party management;
- Defined incident response plans;
- Secured access to systems;
- Secure devices – including managed (and regular) installation of software patches and upgrades, anti-virus protection, email and web protection tools, data encryption, policies to manage mobile devices;
- Secured networks – ensuring firewalls are in place and regular review of remote access solutions;
- Better physical security;
- Secure back-ups;
- Cloud security management policies;
- Secure online sites; and
- Sharing information and best practices.
The main ENISA report also provides a checklist for SMEs on cybersecurity fundamentals, centred around people, process and technology. Links to available guidelines at EU and national level are also included.