Shielding SMEs – how to boost their defence against cyberattacks

Last month’s cyberattack at one of its suppliers forced Toyota in Japan to halt production of almost 13,000 vehicles. The global cost of cyberattacks is up to USD 6 trillion annually, and rising every year. Cyberattacks can spell disaster for businesses of all sizes, but especially smaller firms. The median cost of a ransomware attack can amount to up to USD 1.2 million, and up to USD 1.6 million in the case of computer data breach. Urgent action is needed to support SMEs in better preparing and managing digital security risks.

Shut the door behind you…

During the pandemic, up to 70% of SMEs shifted to e-commerce, teleworking or smart working solutions. This created new opportunities for malicious actors to exploit web applications, devices and systems built in haste. In 2020, the FBI received a record number of complaints – a rise of 69% on the previous year. In Austria, 60% of firms said they fell victim to a cyberattack in 2021, while in Germany, economic damages from cybercrime more than doubled between 2019 and 2021 to EUR 220 billion.

Figure: SMEs lag behind larger firms in the adoption of more sophisticated security practices

Source: The Digital Transformation of SMEs – © OECD 2021, based on Eurostat (2020), ICT Usage by Businesses data.

Larger firms like Toyota – with more data and financial resources at their disposal – are clearly attractive targets. With lower levels of digitalisation, a smaller attack surface and less data to excite criminals, we might think that SMEs would fly beneath the radar.

Yet as their uptake of digital tools accelerates, many smaller firms are presenting new opportunities for hackers. Large, digitally savvy firms with sophisticated, bespoke defences are more challenging and costly to break into, while many SMEs can fall victim to cheap, replicable attacks. Moreover, cybercrime is now within the reach of amateurs who buy ransomware "as-a-service" online to extort smaller amounts from SMEs at lower risk.

More ambitious hackers are finding that SMEs can provide a backdoor route into larger firms, as weak nodes in their supply chains. The automotive sector can be particularly vulnerable because of its long, complex, interconnected supply chains with varying levels of cybersecurity maturity and vulnerabilities. In October 2021, German automobile supplier Eberspächer suffered an attack that crippled its IT systems for several days. Criminals also paralysed Pilz and Schmersal, two automation specialists in the industry, and are increasingly targeting smaller businesses that supply special components in order to disrupt production.

Shielding the data

SMEs in all sectors need to up their game to better manage digital security risks and defend their data. In 2019, across the EU28, on average 33% of SMEs had measures or procedures in place for ICT security, compared to 76% of large firms. A first step is to improve data governance and to raise awareness of digital security risks. Training within firms is critical, as "insiders" cause a growing share of incidents. During 2021 in the UK, 57% of incidents originated within firms, and most of them happened by accident.

Many governments are helping SMEs to combat the threat. Germany’s IT Security Transfer Office for SMEs is supporting IT security knowledge and technology transfer as well as the implementation of cybersecurity measures and awareness campaigns. In Costa Rica, Smart Community Centres take a hands-on approach, offering SMEs basic courses on cybersecurity. They also do training on data-driven technologies such as statistics, big data, artificial intelligence and the Internet of things (IoT).

Governments are also working with tech companies to enhance digital security. This includes developing SME-specific commercial solutions as well as measures to improve security protocols in existing products and services. Australia is investing AUD 1.67 billion through its Australian Cyber Security Strategy 2020, which will support businesses to secure their products and services and protect their customers from known cyber threats. Sweden has provided grants to consortia to design cybersecurity solutions for new products and services developed in the country.

Effective co-operation mechanisms, including good channels of communication, can be vital in identifying and responding to emerging threats. Networks across industries, between SMEs and large firms, and across jurisdictions to fight “no-border” attacks are becoming increasingly important. In Germany, the Federal Office for Information Security (BSI) is seeking to build resilience through knowledge and experience sharing among businesses and IT security providers, with the motto “Networks protect networks”.

The fight against cybercrime is intensifying. As data become more vital to SME business models ("know your customer"), supply chain operations ("just-in-time production") and production processes ("automation"), their value to malicious actors increases too. At the same time, the tools, skills and techniques available to criminals are increasing in sophistication and decreasing in cost. SMEs need to take urgent action to keep pace, working with governments and the tech community to protect themselves, their customers and their supply chains.


The OECD Recommendation on Digital Security Risk Management for Economic and Social Prosperity provides guidance for a new generation of policies aimed to optimise digital openness and the management of digital security risk. It calls on the highest level of leadership in government and organisations to reduce overall risk, and places particular emphasis on empowering SMEs to manage their own digital security risk.

For further discussion of digital security in SMEs, emerging trends and relevant policies, please see the following recent publications: The Digital Transformation of SMEs and the OECD SME and Entrepreneurship Outlook 2021. And do not miss the release of Phase I of the EC/OECD project on Unleashing SME potential to scale up, which digs into the key issue of SME data governance.


Sandrine Kergroach
Head of SME and Entrepreneurship Performance, Policies and Mainstreaming unit, OECD

Sandrine Kergroach is Head of SME and Entrepreneurship Performance, Policies and Mainstreaming unit at the OECD Centre for Entrepreneurship, SMEs, Regions and Cities (CFE). She leads the work on innovation, internationalisation and the scaling up of SMEs and start-ups, their productivity and ESG performance. She supervises activities related to policy monitoring, the development of data infrastructure and the OECD SME and Entrepreneurship Outlook. She also leads efforts for mainstreaming SME&E policy considerations. Sandrine holds a Doctorate in Economics (TU Berlin), a Master in Strategy and Management (Paris Dauphine-PSL), a Master in Modern History (Paris Sorbonne) and a Bachelor in Applied Economics and Statistics (Paris Dauphine-PSL).

Stefan Becker
Head of Section, Cyber Security for the Private Sector, Federal Office for Information Security (BSI)

Stefan Becker joined the Federal Office for Information Security (BSI) as Head of Section, Cyber Security for the Private Sector, in May 2017. He started his career at the criminal police in Bonn in 1994. With the creation of the Cybercrime Competence Centre he moved on to the Landeskriminalamt Nordrhein-Westfalen in 2011. Stefan Becker holds a degree in public administration as well as an MBA with a specialisation in Risk and Fraud Management.

Laurent Bernat
Policy Analyst, OECD Digital Economy Policy Division

Laurent Bernat is a policy analyst at the OECD Secretariat in the Digital Economy Policy Division. He supports the Working Party on Security in the Digital Economy (SDE), under the Committee on Digital Economy Policy (CDEP), as well as the OECD Global Forum on Digital Security for Prosperity. He led the development of the OECD Recommendations on Digital Security Risk Management for Economic and Social Prosperity (2015) and on Digital Security of Critical Activities (2019). Currently, he coordinates policy work on the digital security of products, vulnerability treatment, "responsible response" by private actors, and the security of communication networks. Laurent has worked on many different trust-related policy issues, including national cybersecurity strategies, digital identity management, RFID, cryptography policy and the protection of children online. Prior to joining the OECD in 2003, he worked at the French data protection agency, the Commission nationale de l'informatique et des libertés (CNIL), and was associate director in an Internet consulting firm. Laurent Bernat holds a master's degree in political science and international relations.