• Small and medium enterprises (SMEs) constitute 99% of businesses in the EU and face diverse cybersecurity challenges, including low management awareness and commitment;
• In a time of heightened threats and remote work, a low security budget and lack of cyber skills can seriously impact SMEs' competitiveness;
• By strengthening resilience across the whole value chain, the EU can take full advantage of digital transformation and the benefits of a digital single market.

Cyberattacks against digital infrastructure are among the most common threats the world faces. According to the World Economic Forum's Global Risks Report 2021, cybersecurity failure is perceived as the fourth most likely short-term risk to become a critical global threat.

By 2025, 25 billion digital devices are expected to be connected globally. As new technologies such as 5G and artificial intelligence (AI) arise and slowly infiltrate our daily lives, prevention, cybersecurity awareness and elevated cybersecurity skills are crucial priorities for governments, the private sector and the European Union as a whole.

Short-term risks identified by the Global Risks Report 2021
Image: World Economic Forum

A digital mindset is already visible in our societies; the COVID-19 pandemic has urged us to embrace it, building trust and helping businesses prosper in the growing digital economy. Similar to the roots that secure a tree, a strong cybersecurity framework maintains a healthy and secure online environment, where no one is left behind.

Cybersecurity is a shared mission

The pandemic has taught us that cybersecurity is, more than ever before, a responsibility shared by all groups in society. From government to businesses, citizens, schools and academia; from management to employees, we all have a role to play in protecting the digital environment.

New digital behaviour for a new digital decade is critical to protect organizations and user data against the growth in malicious attacks such as ransomware or phishing and to safeguard the online environment.

The EU Agency for Cybersecurity (ENISA) strives for open and transparent governance from Athens, its headquarters and the centre of ancient heritage and codes of virtue. One of the agency’s core organizational objectives is to increase the common level of cybersecurity across Europe. Since cybersecurity has no borders, ENISA is here to help promote a culture of cyber hygiene and risk management to help SMEs protect themselves from cyberattacks.

Can European SMEs stimulate the European economy in post-pandemic times?

The European Commission acknowledges that small and medium-sized enterprises (SMEs) are the backbone of the EU's economy, representing 99% of all businesses in the EU and employing around 100 million people. They also account for more than half of Europe’s GDP and play a vital role in adding value to all sectors of the EU economy.

Around 25 million SMEs are active in Europe, forming the world's largest single market area. The pandemic has put incredible stress on these businesses. SMEs are navigating a new digital realm where employees work from home and business is increasingly conducted online, but also one where criminals can take advantage. Since the beginning of the pandemic, there has been an increase in social engineering attacks, such as phishing emails and scams related to the COVID-19 crisis. The first months of the health crisis saw a global 667% increase in phishing attacks.

Cybersecurity threats at the beginning of the COVID-19 pandemic
Image: Statista

During these challenging times, many SMEs had to continue conducting business and did so by deploying systems quickly in order to continue to serve their customers rather than taking time to increase their security. Adopting cloud services, enabling staff to work remotely and allowing access to file processing made it easier to ensure business continuity.

Further steps to secure the ICT infrastructure and scale the cybersecurity measures of businesses are essential to minimize the risk of cybercriminals compromising critical data and support SMEs’ growth in a post-pandemic world.

What SMEs have learned from cyber incidents

The EU Agency for Cybersecurity conducted interviews with European SMEs to gather evidence-based, real-life incidents that occurred during the pandemic and to draw lessons for overcoming them.

The most common cyber incidents identified were ransomware attacks, stolen laptops, phishing attacks and CEO fraud. The latter is a decoy meant to lure a member of staff into acting upon a fraudulent email purporting to be from their CEO, usually asking for an urgent payment to be made to a supplier in order to meet a project deadline.

Research and real-life experience show that well-prepared organizations deal with cyber incidents in a much more efficient way than those that fail to plan or lack the capabilities they need to address cyber threats correctly.

1. Develop good cybersecurity culture;

2. Provide appropriate training;

3. Ensure effective third-party management;

4. Develop an incident response plan;

5. Secure access to systems;

6. Secure devices;

7. Secure your network;

8. Improve physical security;

9. Secure backups;

10. Engage with the cloud;

11. Secure online sites;

12. Seek and share information.

The cybersecurity challenges for SMEs

To mark International Small and Medium-Sized Enterprises Day in June, the EU Agency for Cybersecurity has published, in addition to the aforementioned basic steps, a report, Cybersecurity for SMEs, on how SMEs can better secure their systems and businesses.

The report analyses the ability of SMEs within the EU to cope with the cybersecurity challenges posed by the pandemic and determines best practices to mitigate those risks.

The main challenges identified during the interviews section of the study include low awareness of the threats posed to business by poor cybersecurity; the costs of implementing cybersecurity measures often combined with a lack of dedicated budget; the availability of ICT cybersecurity specialists; a lack of suitable guidelines aimed at the SME sector; and low levels of support from management.

The common underlying issue appears to be management awareness and commitment, which in turn drives budget, allocation of resources and effective implementation of cybersecurity practices. Cybersecurity is not an issue that should only be discussed by IT teams; it needs to make its way into boardrooms.

Of the 249 European SMEs surveyed, more than 85% stated that cybersecurity issues would have serious negative impacts on their business within a week of the issues happening; 57% said they would most likely become bankrupt or go out of business.

Despite this, there is a tendency to believe that cyber incidents only affect larger organizations and are, therefore, still not considered as a major risk to SMEs. It is important for SMEs to be aware of the consequences such incidents will have on their business if they occur. Many believe that cybersecurity controls included in the IT products they have purchased will be sufficient and that no additional security controls are necessary unless mandated by law.

Criticality and sensitivity of processed information as perceived by SMEs
Image: ENISA

The agency's cybersecurity advice towards SMEs focuses on three crucial areas: people, processes and technical recommendations. The aim is to strengthen resilience across the whole value chain through the application of the 12 cybersecurity principles. The report also includes suggested actions that the EU Member States should consider in order to support businesses, associations and agencies in improving their cybersecurity posture.

Effective cybersecurity provides SMEs with the confidence that allows them to grow, innovate and find new ways of creating value for their customers in our online and interconnected world. Let’s support these businesses on their journey to better protection against cyber threats.