Cyber attacks among SMEs

Cyber risks pose a major challenge to small and medium-sized enterprises (SMEs), and their impact is increasing. Management must treat this as a top-priority risk.

Ransomware attacks, in which businesses are "crippled" through their computer systems, have increased dramatically, almost doubling in the first half of 2021, while the average ransom to escape the dilemma has increased by 82%. Globally, businesses of all sizes and types are being attacked by criminal ransomware. These attacks often bring business operations to a halt. Recovery takes time, is expensive, damages the company's image and can disrupt or even stop business operations.

For example, JBS, the world’s largest meat processing company, had to pay a ransom of US $11 million to regain access to its data and systems. Ransomware led to shutdowns of water and water treatment plants at Norwegian energy technology company Volue, affecting 85% of the Norwegian population. Transnet, a South African port operator, was also affected by ransomware, causing disruptions and delays at one of South Africa’s major ports. In Germany, attacks on hospitals led to network problems and days of outages at the University Hospital in Düsseldorf and the Neuss Clinic. In hospitals in the USA, networks were reportedly disconnected due to ransomware in the first six months of 2021 – either through their own measures to avoid a security breach or because they were forced to do so by a severe malware infection.

The problem with SMEs, unlike large companies, is that they do not have cybersecurity departments. Accordingly, they often only react after an attack, which can simply cripple business for many SMEs. 

A particularly worrying trend is that criminal cyber-attacks are taking forms that were once the preserve of state actors. This is most common in so-called “supply chain attacks”. Unknown flaws in a company’s technology are exploited to infect that company’s customers, bypassing traditional defences such as anti-virus software.

Cyber technologies are exploited by states primarily to conduct economic espionage and intellectual property theft. State cyber operations have doubled since 2017, with a third of these attacks apparently targeting businesses. One of the most high-profile recent examples was the Russian attack on US technology company SolarWinds, which exploited security vulnerabilities in trusted technology products. 

SMEs are the engine of our society and unfortunately also the sore spot. It is all the more important that management recognises the risk and develops a good understanding of what it needs to protect and how much risk it wants to take. 

An independent evaluation of the cyber risk profile and of the effectiveness of the company's current cyber security precautions is important for this assessment. Based on this, SMEs should invest in a cyber improvement programme and ensure they have access to the cyber skills they need, including independent third-party expert advice.

What does the future hold for cyber security in SMEs? SMEs, especially growth companies, are potentially becoming real targets for attack as they expand. SMEs need to be more engaged in cyber security to address the challenges effectively and in a timely manner. The Risk Management System (RMS) with all its processes needs to be rethought and implemented. Embedding a security culture in the company is the best protection against cyber threats, and this needs to be exemplified from the top down.