SME Cyber Threat Snapshot: It Will Get Worse

Cyber Threat Landscape for Small-to-Medium-Sized Enterprises (SMEs)
Robert D. Stewart, Founder & CEO, White Tuque

Work changed during the pandemic.  Although large enterprises had the infrastructure to allow remote work and many tech-based firms embraced it pre-pandemic, small to medium-sized enterprises (SMEs) were forced to catch up. The rapid shift to remote work has brought about a remarkable transformation in the business landscape, enabling SMEs to adapt, operate and compete amidst unprecedented challenges.  SMEs have become the lifeblood of economies, driving innovation, fostering employment, and contributing significantly to economic growth.

With great opportunities come great risks, however, and the rising tide of cyber threats has left SMEs vulnerable, facing a digital battlefield where they must fight to protect their sensitive data, protect their critical functions, and remain cyber resilient.

SMEs now have unprecedented access to global markets, digital tools, and enhanced customer engagement. Unfortunately, this digital transformation created an unprecedented amount of risk. SMEs are seen as attractive targets for cyber criminals due to their lack of cybersecurity resources and expertise compared to larger enterprises. With valuable customer data, financial information, and intellectual property, SMEs are unwittingly offering cybercriminals a buffet of sensitive information, assets to exploit, and control over their firm’s critical functions.

I have been fortunate enough to get out in the community engaging with government and business leaders on both sides of the border to highlight the current threat landscape for many unaware organizations. In many of these cases, I may be the first cybersecurity resource they have spoken to. As such, one of the best ways to paint an accurate picture is with clear data that business leaders can understand and action. Here are 6 datapoints that provide an accurate view into the threats facing SMEs across North America.

Small-to-Medium Sized Enterprises (SMEs) are targeted in 58% of cyberattacks.

Source: Verizon.  2013 DBIR (Data Breach Investigation Report)

More than half? Yep.  How does that happen? Easily. 

Not every attack is targeted towards a specific piece of infrastructure at a specific firm.  Threat actors are looking for leverage over a business’s technology and critical functions. Period.  Many attacks begin by scanning IP addresses, sending phishing emails, or obtaining and using credentials from previous breaches.

Non-enterprise clients make up a significant portion of the global technology footprint, generating a buffet of options, targets, and opportunity for threat actors.  All this while not having to face the advanced cyber defenses of large, multinational enterprises. 

66% of SMEs globally have reported being attacked in the past 12 months with only 14% having taken steps to prepare or defend themselves.

Source: Insurance Bureau of Canada – Annual Report 2022

Building on the previous point, picture yourself as a criminal. You’re looking for a score.  Would you rather rob a bank with armed guards and advanced security measures for $1 million or go visit 10 jewelry stores with the windows left open, broken door locks, no security systems and no processes or training for staff to handle a robbery and make $5 million with way less effort?

I know where I’d be going.

When you consider that it is estimated by law enforcement that less than 10% of cyber incidents are reported, this is terrifying. This statistic underscores the risk of SMEs being targeted by cyber criminals and highlights a concerning lack of readiness among these businesses.

There is an urgent need for SMEs to make cybersecurity a priority in their organizations, to invest in strategies to prevent attacks, and to ensure they are prepared to navigate the risks associated with a cyberattack and prolonged outage.

83% of SMEs are not financially prepared to recover from a cyberattack.

Source: Forbes. Cybersecurity in 2022: A Fresh Look at Very Alarming Statistics

This one really stings.  As someone who has launched a start-up and is surrounded by start-up founders and business leaders within SMEs, the data does not look good.  It’s not great to look around the room and know that two thirds are likely to be attacked.  What’s worse? Knowing 4 out of 5 of those who are attacked are more than likely to go out of business for good.

Globally, 50% of all websites have exploitable vulnerabilities and 81% of companies have exposed sensitive data available online.

Sources: Varonis – 2022 & 2023 Cyber Stat Collections

This is businesses leaving the front door wide open.  What’s worse? Both figures represent a lack of basic process, cyber hygiene, and best practices.  The good news is these threats and risks are very easy to mitigate if organizations care to take the time to invest in a partner who understands how to identify, prioritize, and manage those risks.

On average it takes 277 days to detect and contain a cyberattack.

Source: IBM – 2023 Cost of a Breach Report

This should terrify you. 

Why? Because 226 days is a very, very long time.  Think about a comparable scenario.  What if a bad guy broke into your office and placed bugs in every room, put trackers on every car, installed hidden cameras, wiretapped the phones, or heck – even sat over your shoulder?

How much would that criminal learn about your organization? How much leverage could they get over you or your team? How easily could they identify exploitable gaps in your people, process, and technology?

This is a major reason SMEs do not survive a sophisticated cyberattack. Logging in and seeing your systems locked down and a message asking for ransom is a very bad day for any organization. 

What worries me is the other 276 days.

If cybercrime were its own economy, it would be the third largest in the world behind the United States and China.

Source: World Economic Forum (2023)

This is a simple one.  If you took all the combined profits of crime from hackers, cybercriminals, criminal organizations, nation states and anyone involved in digital fraud and crime – it’s one of the largest in the world and getting bigger.

It’s clear this is no longer a problem for the top 0.01% of companies globally.  Criminals are getting smarter and business leaders must adapt and make cyber risk a priority in their organization.  It is impossible to ignore – you will experience a cyberattack. The question is, will you be ready to respond?