How can small and medium-sized enterprises protect themselves from cyber attacks?

IT security plays a far greater role for companies than many believe. A new study reports on current cyber attacks, outlining what the consequences are and what countermeasures you can and should take.

Despite an increasing number of cyber attacks, some companies still do not take IT security seriously enough. Small and medium-sized enterprises (SMEs) in particular often assume that they are too small to be a lucrative target for cybercriminals. Unfortunately, the exact opposite is true.

At 57 percent, more than one in two medium-sized companies with 50 to 250 employees has already been the victim of a cyber attack at least once in the past ten years, HDI insurance reports. On its behalf, Sirius Campus has also surveyed more than 500 SMEs in Germany about their cybersecurity (PDF). 37 percent of the smaller companies with 10 to 49 employees have reported being victims of a hacker attack at least once and up to multiple times. In addition to those statistics, 31 percent of companies with a maximum of nine employees have reported at least one attack as well.

SMEs are becoming the entry point for supply chain attacks

“The frequently expressed view that smaller companies are not interesting for cyber attacks is simply not true in the real world," said Christian Kussmann, divisional board member for Companies and Independent Professions at HDI Insurance regarding the results of the study. Kussmann also warns against a current trend: Smaller companies are increasingly drawing the attention of enterprise-level criminal operations as larger companies are doing more to protect themselves against cyber attacks. SMEs, on the other hand, often have weaker defenses than larger companies. Some attackers are even exploiting smaller companies as an entry point for further attacks on the more larger companies. Many SMEs are also service providers with connections to larger companies and are vulnerable to being exploited in this way. Security experts refer to this strategy as a "Supply chain attack”.

Cyber attacks can cause immense financial damage. Almost 20 percent of the companies surveyed reported financial losses of more than 100,000 euros. Whereas 40 percent reported a loss between 25,000 and 100,000 euros, and just under a third (32 percent) of surveyers reported losses below these amounts. On average, damages caused by successful attacks amounted to around 95,000 euros, according to HDI insurance reports.

Remote working, Bring Your Own Device (BYOD) and cloud services have created new attack trajectories that cybercriminals are trying to exploit with increasingly sophisticated methods. This is also confirmed by techconsult, which belongs to the renowned Heise publishing group. On behalf of its partners, including NCP, the analysts carried out a study on the current situation of IT security in Germany from a company perspective. In the past twelve months, more than half of the companies surveyed were affected by cyber attacks. Nearly a quarter of these companies were affected by cyber attacks more than once.

Although 42 percent stated that they had not been targeted by a cyber attack at all, it is questionable whether this is actually true. Analysts often warn about the accuracy of these figures as successful attacks often remain undetected. The number of unknown cases is therefore difficult to estimate. Additionally, techconsult found that phishing, ransomware, insider attacks and the Business Email Compromise (BEC) are among the biggest threats for companies. However, Denial of Service (DoS) attacks and cloud account compromise continue to pose a significant threat as well.

Cyber attacks threaten business operations and business success

Once the attackers have chalked up a successful victory, affected companies often face serious consequences. While the HDI insurance study focused on the financial damages, the techconsult study dealt more specifically with the business aspect impact of cyber attacks. More specifically, almost one third of the companies affected reported disruptions to their business operations. Slightly more than a quarter of participants also reported loss of earnings and sensitive data, whereas23 percent reported reputational damage and 22 percent reported the loss of regular customers.

In the medium and long term, this often has devastating effects on a company. 16 percent of the respondents suffered sales losses and 11 percent suffered from the loss of intellectual property, such as the theft of designs and product development plans. Only 12 percent did not notice any influence on their business activities, although as mentioned before it is questionable whether this sort of conclusion matches up to reality.

Measures planned by German companies to mitigate cyber attacks

Most companies are well aware of the dangers posed by cybercrime and, despite widespread misconceptions, they seem to be paying attention. For example, the majority of respondents (86 percent) expect an increase in their budgets for cybersecurity in the next two years; we’ll have to wait and see whether this is enough though. Meanwhile, 15 percent of small companies between 50 and 249 employees expect a stagnation of their budgets for IT security. Then, almost a third expect a very slight increase, while almost 5 percent expect their IT security spending to fall.

The techconsult study also addresses specific countermeasures that companies are planning to improve their IT security. One example being, significant trends in recent years, such as cloud computing and remote working, have demonstrated the importance of sophisticated identity management. State-of-the-art IAM (Identity and Access Management) solutions ensure that only authorized devices and users are allowed to access internal networks and sensitive data.

Zero Trust and SASE (Secure Access Service Edge) are playing an equally important role. Both approaches have already undeniably proven that they provide far better protection for remote connections than previous concepts. Zero Trust is a security principle that can also be stated as “never trust, always verify”. It requires that every single access to company resources is verified. SASE implements this concept in the cloud. The current techconsult study also shows how German companies are taking up these two approaches and changing their existing security concepts to ensure IT security in the future.

Learn more about Zero Trust security from NCP now.