Earlier this year, Hyundai Europe experienced a security breach involving an estimated 3TB of data from the German-based division. The attack made headlines, adding to a series of digital incidents hitting the automotive industry over recent years. In 2023, BMW and Volkswagen reported being victims of cyberattacks or digital incidents. In 2022, Toyota in Japan halted production of almost 13,000 vehicles after an attack at one of its suppliers. In 2021, Kia stopped production due to ransomware, and Volvo claimed R&D data had been stolen. No actor seems safe: almost two-thirds of automotive industry leaders believe their supply chain is vulnerable.
Shut the door behind you…
The global cost of cyberattacks is up to USD 6 trillion annually, and rising every year. Cyberattacks can spell disaster for businesses of all sizes, but especially smaller firms. The median cost of a ransomware attack can amount to up to USD 1.2 million, and up to USD 1.6 million in the case of a computer data breach. Urgent action is needed to support SMEs in better preparing for and managing digital security risk.
During the pandemic, up to 70% of SMEs shifted to e-commerce, teleworking or smart working solutions. This created new opportunities for malicious actors to exploit web applications, devices and systems built in haste. In 2020, the FBI received a record number of complaints – a rise of 69% on the previous year. Supply chain attacks increased fourfold in Europe between 2020 and 2021, with around 62% of the attacks on customers taking advantage of their trust in their supplier. In Austria, 60% of firms said they fell victim to a cyberattack in 2021, while in Germany, economic damages from cybercrime more than doubled between 2019 and 2021 to EUR 220 billion.
SMEs lag behind larger firms in the adoption of more sophisticated security practices
Figure. Percentage of enterprises implementing ICT digital security measures, by type of measure and firms (2022)

Source: The Digital Transformation of SMEs – © OECD 2021, updated with Eurostat (2023), Security policy: measures, risks and staff awareness by size class of enterprise, DOI: 10.2908/isoc_cisce_ra (accessed 15 March 2024).
Larger firms like Hyundai, BMW or Toyota – with more data and financial resources at their disposal – are clearly attractive targets. With lower levels of digitalisation, a smaller attack surface and less data to excite criminals, we might have thought SMEs would fly beneath the radar.
Yet, as their uptake of digital tools accelerates, many smaller firms are now presenting new opportunities for hackers. Large, digitally savvy firms with sophisticated, bespoke defences are more challenging and costly to break, while many SMEs can fall victim to cheap, replicable attacks. Moreover, cybercrime is now within the reach of amateurs who buy ransomware “as-a-service” online to extort smaller amounts from smaller victims at lower risk.
More ambitious hackers are also finding that SMEs can provide a backdoor route into larger firms, as weak nodes in their supply chains. The automotive sector can be particularly vulnerable because of long, complex, interconnected supply chains with varying levels of cybersecurity and vulnerabilities. In October 2021, German automobile supplier Eberspächer suffered an attack that crippled its IT systems for several days. Criminals also paralysed Pilz and Schmersal, two automation specialists in the industry, and are increasingly targeting smaller businesses supplying special components to disrupt production.
Shielding the data
SMEs in all sectors need to up their game to better manage digital security risk and protect their data. A first step is to improve data governance and to raise awareness of digital security risks. Training in firms is critical, as “insiders” cause a growing share of incidents, often by accident. In 2022, across the EU27, on average only 54% of SMEs had made their employees aware of their obligations in ICT security-related issues, compared to 91% of large firms.
Many governments are helping SMEs to combat the threat. Germany’s IT Security Transfer Office for SMEs is supporting IT security knowledge and technology transfer as well as the implementation of cybersecurity measures and awareness campaigns. In Costa Rica, Smart Community Centres take a hands-on approach, offering SMEs basic courses on cybersecurity as well as statistics, big data, artificial intelligence and the Internet of things (IoT).
Governments are also working with tech companies to enhance digital security. This includes developing SME-specific commercial solutions as well as measures to improve security protocols in existing products and services. Australia is investing AUD 1.67 billion through its Australian Cyber Security Strategy 2020. This includes support for businesses to secure their products and services and protect their customers from known cyber threats. In 2021, Sweden provided grants to consortia to design cybersecurity solutions for new products and services developed in the country.
Effective co-operation mechanisms, including good channels of communication, can be vital in identifying and responding to emerging threats. Networks across industries where actors share similar business models, between SMEs and large firms, and across jurisdictions to fight no-border attacks are becoming increasingly important. In Germany, the Federal Office for Information Security (BSI) is seeking to build resilience through knowledge and experience sharing among businesses and IT security providers, with the motto “Networks protect networks”.
The fight against cybercrime is intensifying. As data become more vital to SME business models (“know your customer”), supply chain operations (“just-in-time production”), and production processes (“automation”), their value to malicious actors increases too. At the same time, the tools, skills and techniques available to criminals are increasing in sophistication and decreasing in cost. SMEs need to take urgent action to keep pace, working with governments and the tech community to protect themselves, their customers and supply chains.
The OECD Recommendation on Digital Security Risk Management provides guidance for a new generation of policies aimed to optimise digital openness and the management of digital security risk. It calls on the highest level of leadership in government and organisations to reduce overall risk, and places particular emphasis on empowering SMEs to manage their own digital security risk.
For further discussion on digital security in SMEs, emerging trends and relevant policies, please see The Digital Transformation of SMEs, the OECD SME and Entrepreneurship Outlook 2021 and OECD SME and Entrepreneurship Outlook 2023. And don’t miss the report on Turning Data in Business. Helping SMEs Scale Up, which digs into the key issue of SME data governance.
Sandrine Kergroach is Head of SME and Entrepreneurship Performance, Policies and Mainstreaming unit at the OECD Centre for Entrepreneurship, SMEs, Regions and Cities (CFE). She leads the work on innovation, internationalisation and the scaling up of SMEs and start-ups, their productivity and ESG performance. She supervises activities related to policy monitoring, the development of data infrastructure and the OECD SME and Entrepreneurship Outlook. She also leads efforts for mainstreaming SME&E policy considerations. Sandrine holds a Doctorate in Economics (TU Berlin), a Master in Strategy and Management (Paris Dauphine-PSL), a Master in Modern History (Paris Sorbonne) and a Bachelor in Applied Economics and Statistics (Paris Dauphine-PSL).
Stefan Becker joined the Federal Office for Information Security (BSI) as Head of Section, Cyber Security for the Private Sector in May 2017. He started his career at the criminal police in Bonn in 1994. With the creation of the Cybercrime Competence Centre he moved on to the Landeskriminalamt Nordrhein-Westfalen in 2011. Stefan Becker holds a degree in public administration as well as an MBA with a specialisation in Risk and Fraud Management.
Laurent Bernat is a policy analyst at the OECD Secretariat in the Digital Economy Policy Division. He supports the Working Party on Security in the Digital Economy (SDE), under the Committee on Digital Economy Policy (CDEP), as well as the OECD Global Forum on Digital Security for Prosperity. He led the development of the OECD Recommendations on Digital Security Risk Management for Economic and Social Prosperity (2015) and on Digital Security of Critical Activities (2019). Currently, he coordinates policy work on the digital security of products, vulnerability treatment, “responsible response” by private actors, and the security of communication networks. Laurent worked on many different trust-related policy issues including national cybersecurity strategies, digital identity management, RFID, cryptography policy and the protection of children online. Prior to joining the OECD in 2003, he worked at the French data protection agency, the Commission nationale de l'informatique et des libertés (CNIL) and was associate director in an Internet consulting firm. Laurent Bernat has a master's degree in political science and international relations.



