Larger businesses have the budget to spend money on their cybersecurity defences. This is not always the case for small and medium businesses, which can make them a prime target for cyberattacks. Robert Sugrue, Cybersecurity Product Director at Six Degrees, explains how SMEs should not rely on cyber-risk insurance and offers advice on what they can do to protect themselves.
Since the UK’s larger businesses strengthened their defences to protect their increasingly borderless networks during the pandemic, cybercriminals have diverted their attention to their lesser-protected peers in the mid-market territory. And with a reported 600% increase in cybercrime over the pandemic, thousands of businesses are now at risk. In fact, the government’s late 2022 policy paper on National Cyber Strategy indicates that ‘almost four in ten businesses (39%) report suffering cybersecurity breaches or attacks in the last year, and many organisations (especially small and medium enterprises) lack the ability to protect themselves and respond to incidents’.
With increasing frequency and impact of breaches, there’s a clear need for dedicated cybersecurity teams working with specialist products and skills. While large businesses are in the more advantageous position to be able to improve their cybersecurity postures, with budgets to upgrade their security tools and expertise, the less prepared mid-market enterprises are left exposed to significant risk as they become the targets for threat actors.
Risk levels for mid-market enterprises
A recent study by Barracuda Networks offers a bleak outlook for mid-market enterprises, revealing that organisations with fewer than 100 employees are 350% more likely to be victims of cyberattacks. Their more limited budgets and resources offer inadequate detection and response levels to keep them a step ahead of their intelligent threat opponents.
In today’s cyberthreat landscape, with a 100% chance of being targeted, organisations must assume they will be compromised at some point. The dramatic evolution in corporate networks has created security vulnerabilities which are obvious to threat actors.
In the event of a successful breach, even heavy financial compensation is unlikely to make up for reputational damage and loss of customer trust incurred by victims, not to mention business disruption or unplanned downtime caused as a result. This means prevention is better than cure.
Cyber-risk insurance isn’t a solution
With threat response levels among mid-sized enterprises being poor, a typical response might be to invest in cyber-risk insurance. However, this plays no role in defence itself and the liability cannot be transferred to the insurance company. For a data-first business, it doesn’t offer any reassurance against an attack and renders them an easy target for threat actors.
As with all insurance, there is also the risk of claims potentially being denied or pay-outs being smaller than needed to offset the business impact. Cyber insurance can also cause complacency: if the risk or threat has been removed in the short-term, there’s less immediate pressure to focus on long-term mid-market enterprise cybersecurity. Exposure and claims could cause further insurance premium increases or put firms at higher risk of a pay-out being denied, all at a time when global advisors are reaching out to businesses to not pay ransoms at all.
Since data is arguably their most valuable asset, it’s critical for mid-market enterprises to make cybersecurity a business priority and maximise defence for their increasingly borderless networks.
Proactive cybersecurity strategies can minimise mid-market enterprise risk
Mid-market enterprises are realising that cybersecurity strategies must rank top of the agenda. By adopting a proactive cybersecurity strategy which includes effective staff training, working with security experts and simulating breaches to test defences, businesses can bolster their defences and guard valuable data to avoid the worst happening:
Building a strong culture of security throughout the organisation is one of the most effective ways to reduce risk. Increasing employee vigilance is critical to detecting suspicious behaviour in order to avoid them clicking on infected links and phishing emails. It only takes one employee to click on the link for the attackers to be within the network. The most effective way to embed a culture of cybersecurity is through regular phases of training to ensure that workers don’t become complacent.
Core technology processes must be in place for all digital businesses to heighten security defences. This means a comprehensive review of how the business currently protects its users and systems to identify gaps and specific vulnerabilities. Effective network monitoring must be implemented which can detect abnormal behaviour and compromised email accounts. Threat responses should be automated to ensure the earliest response to suspicious activity. Maintaining cybersecurity updates to software and protocols as well as the latest detection tools is vital to keep pace with the ever-increasing intelligence of cybercriminals.
Assessing the business risk is vital. This means regular penetration testing and security assessments, which are an essential way for mid-market enterprises to check their security defences and reveal any weak links before an attacker finds them. Knowing your vulnerabilities is critical to building robust, seamless defences which keep the enemy out while allowing Business Continuity in this fast-paced digital world.
Drafting in third party specialist support for strategic advice can be sensible, to get an objective view of the strength of the company’s defences and compliance capabilities. Partnering with a cybersecurity expert can help to boost team resources, particularly when managing cybersecurity in-house puts a strain on the budget and resources of a business. Choosing a specialist that understands the specific needs of the mid-market enterprise within its specific sector is important to mitigate the challenges they may face proactively and meet compliance objectives, such as data protection and other security regulations, which will reassure customers, partners and other stakeholders.
Mid-market businesses in the spotlight
Although no business is safe from cyber harm, there has been a growing trend for cyberattacks within the mid-market sector – and understanding risk is essential to prepare for a potential attack.
The costs and consequences of a cyberbreach can be expensive and paralyse businesses, causing lost custom, reputational damage and worse. And signing up to an insurance policy would only ever allow a business to play catch up after a successful breach. Only by taking a proactive approach to cybersecurity will mid-market companies ensure that any breach is prevented or at worst detected at the earliest opportunity, with an effective recovery strategy in place.
Click below to share this article