Last month’s cyberattack at one of its suppliers forced Toyota in Japan to halt production of almost 13,000 vehicles. The global cost of cyberattacks is up to USD 6 trillion annually, and rising every year. Cyberattacks can spell disaster for businesses of all sizes, but especially smaller firms. The median cost of a ransomware attack can amount to up to USD 1.2 million, and up to USD 1.6 million in the case of a computer data breach. Urgent action is needed to support SMEs in better preparing for and managing digital security risks.
Shut the door behind you…
During the pandemic, up to 70% of SMEs shifted to e-commerce, teleworking or smart working solutions. This created new opportunities for malicious actors to exploit web applications, devices and systems built in haste. In 2020, the FBI received a record number of complaints – a rise of 69% on the previous year. In Austria, 60% of firms said they fell victim to a cyberattack in 2021, while in Germany, economic damages from cybercrime more than doubled between 2019 and 2021 to EUR 220 billion.
SMEs lag behind larger firms in the adoption of more sophisticated security practices
Larger firms like Toyota – with more data and financial resources at their disposal – are clearly attractive targets. With lower levels of digitalisation, a smaller attack surface and less data to excite criminals, we might think that SMEs would fly beneath the radar.
Yet as their uptake of digital tools accelerates, many smaller firms are presenting new opportunities for hackers. Large, digitally savvy firms with sophisticated, bespoke defenses are more challenging and costly to break, while many SMEs can fall victim to cheap, replicable attacks. Moreover, cybercrime is now within the reach of amateurs who buy ransomware “as-a-service” online to extort smaller amounts from SMEs at lower risk.
More ambitious hackers are finding that SMEs can provide a backdoor route into larger firms, as weak nodes in their supply chains. The automotive sector can be particularly vulnerable because of long, complex, interconnected supply chains with varying levels of cybersecurity and vulnerabilities. In October 2021, German automobile supplier Eberspächer suffered an attack that crippled its IT systems for several days. Criminals also paralysed Pilz and Schmersal, two automation specialists in the industry, and are increasingly targeting smaller businesses supplying special components to disrupt production.
Shielding the data
SMEs in all sectors need to up their game to better manage digital security risks and defend their data. In 2019, across the EU28, on average 33% of SMEs had measures or procedures in place for ICT security compared to 76% of large firms. A first step is to improve data governance and to raise awareness on digital security risks. Training in firms is critical, as “insiders” cause a growing share of incidents. During 2021 in the UK, 57% of incidents originated within firms and most of them happened by accident.
Many governments are helping SMEs to combat the threat. Germany’s IT Security Transfer Office for SMEs is supporting IT security knowledge and technology transfer as well as the implementation of cybersecurity measures and awareness campaigns. In Costa Rica, Smart Community Centres take a hands-on approach, offering SMEs basic courses on cybersecurity. They also do training on data-driven technologies such as statistics, big data, artificial intelligence and the Internet of things (IoT).
Governments are also working with tech companies to enhance digital security. This includes developing SME-specific commercial solutions as well as measures to improve security protocols in existing products and services. Australia is investing AUD 1.67 billion through its Australian Cyber Security Strategy 2020, which will support businesses to secure their products and services and protect their customers from known cyber threats. Sweden has provided grants to consortia to design cybersecurity solutions for new products and services developed in the country.
Effective co-operation mechanisms, including good channels of communication, can be vital in identifying and responding to emerging threats. Networks across industries, between SMEs and large firms, and across jurisdictions to fight “no-border” attacks are becoming increasingly important. In Germany, the Federal Office for Information Security (BSI) is seeking to build resilience through knowledge and experience sharing among businesses and IT security providers, with the motto “Networks protect networks”.
The fight against cybercrime is intensifying. As data become more vital to SME business models (“know your customer”), supply chain operations (“just-in-time production”), and production processes (“automation”), their value to malicious actors increases too. At the same time, the tools, skills and techniques available to criminals are increasing in sophistication and decreasing in cost. SMEs need to take urgent action to keep pace, working with governments and the tech community to protect themselves, their customers and supply chains.
The OECD Recommendation on Digital Security Risk Management for Economic and Social Prosperity provides guidance for a new generation of policies aimed at optimising digital openness and the management of digital security risk. It calls on the highest level of leadership in government and organisations to reduce overall risk, and places particular emphasis on empowering SMEs to manage their own digital security risk.
For further discussion on digital security in SMEs, emerging trends and relevant policies, please see the following recent publications: The Digital Transformation of SMEs and the OECD SME and Entrepreneurship Outlook 2021. And do not miss the release of Phase I of the EC/OECD project on Unleashing SME potential to scale up, which digs into the key issue of SME data governance.