- The biggest cyber risk to the global economy is attacks on the often-overlooked and more vulnerable small and medium-sized enterprises.
- SMEs form supply chains, power economies and provide employment, but have smaller budgets and fewer resources to handle cybersecurity.
- Smaller businesses can follow three pathways to stronger cyber resilience, collectively, and by doing so, also strengthen the global economy.

The greatest cyber risk to the global economy isn’t attacks on nation-states or mega-breaches of big enterprises. It is the overlooked soft underbelly of small and medium-sized enterprises (SMEs).
SMEs form every supply chain, power economies, provide employment and are the lifeblood of our communities. Yet, every day and across the world, they come face-to-face with the same advanced cyber threats that large enterprises deal with, but in a very asymmetrical way. Smaller businesses have less budget and fewer resources and therefore are less prepared to face the adversary.
Empowering SMEs with cybersecurity that works and is easy to use is essential for global resilience. This requires a collective approach to cyber defence. It requires working together for a solution that smaller businesses can access and operate.
Let’s explore three actionable ways in which, through solidarity, we can all be better protected.
The global economy’s vulnerable underbelly
Small and medium-sized businesses are the vital, yet exposed, foundation of the global economy.
SMEs make up around 90% of businesses worldwide. They play a critical role in the world’s supply chains and range across sectors – from education to finance and agriculture. They are also part of the modern world and often rely heavily on technology to operate, making them more and more interconnected.
However, SMEs may not have the time or budget to train employees or to purchase expensive tools. Their awareness of the dangers is also limited, with 47% of businesses with under 50 employees not allocating any cybersecurity budget at all. This has resulted in exploitable gaps.
Right now, threats have converged on SMEs. Their limited resources and skillset are coming up against attackers with a new range of tools. Artificial intelligence (AI) is empowering attackers to target small and medium-sized businesses at scale. Cybercrime groups are finding innovative ways to distribute their malware. State actors are even sabotaging smaller companies.
In an interlocked world economy, an attack on any organization doesn’t stop there. The domino effect from an attack can spread to other SMEs, larger enterprises and even government and critical infrastructure.
These attacks can also lead to unforeseen consequences for third-party organizations. This can include supply chain disruption, compromised credentials and price rises.
What’s more, SMEs are often targeted in supply-chain cyberattacks. These attacks involve compromising a supplier to exploit their trusted relationship with a target organization, often with far-reaching effects. Accordingly, cybersecurity weaknesses of smaller businesses lead to vulnerabilities across the global economy.
Shifting from ‘buying’ to ‘operating’ cybersecurity
For SMEs, merely buying cybersecurity tools offers an illusion of safety. It’s like installing a sophisticated alarm system but leaving no one to monitor its alerts or respond to a break-in.
For example, many businesses rely on an endpoint detection and response (EDR) tool as the cornerstone of their cybersecurity strategy. Organizations may feel that this is enough to protect their networks; however, threat actors frequently bypass EDRs using a variety of methods.
This product-only, passive approach inevitably fails. Today’s cyber threats are often AI-accelerated and constantly evolving. They quickly outmanoeuvre static defences and overwhelm unmanaged systems.
The big shift that is needed is to recognize that effective cybersecurity must be continuously operated. An SME, just as a large enterprise, needs to be in a state of constant vigilance and readiness to act. But how is this possible, given the challenges they face?
3 ways to build collective cyber resilience for SMEs
Following these three pathways will help SMEs achieve stronger cyber resilience collectively. Their objective is to empower small and medium-sized businesses and, by doing that, strengthen both the national and global economy.
1. Democratize security operations (SecOps)
The challenge
The tools that are available on the market are overly complex. They are enterprise-focused and out of the reach of SMEs.
Action for tech providers
Technology providers must develop user-friendly tools with interfaces that are intuitive. They should offer skill development to help bridge any gaps. This enables smaller teams and non-experts to more easily defend their businesses.
Tech companies also need to offer accessible and affordable models for smaller businesses. These SecOps solutions must be flexible and evolve to defend against the sophisticated and AI-driven threats targeting this vulnerable segment.
2. Make cyber expertise accessible
The challenge
Cybersecurity is not a product, it’s a practice. Many SMEs can’t sustain managed defences alone – they have neither the financial means nor the manpower.
Action for SMEs and managed service providers
It is only possible to scale SecOps delivery at the needed rate through third-party services. Capable managed service providers (MSPs) and managed security service providers (MSSPs) are, in effect, force multipliers.
MSPs help small and medium-sized businesses overcome the real-world barriers that stop them from achieving effective cybersecurity. It is important that MSPs develop simplified solutions to ensure that their services are accessible to all sizes of business.
3. Cultivate global talent and awareness
The challenge
There is a severe cybersecurity skills shortage. This especially impacts SMEs and businesses in developing nations.
Action for policy-makers and tech providers
Industry leaders must invest in cybersecurity skills development. They should promote awareness of cybersecurity as an operational necessity. Furthermore, policy-makers in government should make it a priority to help SMEs access training.
Cybersecurity companies need to offer solutions that are accessible for users who may not have in-depth training. Automation options can also help to reduce the need for 24-hour security staffing and ease alert fatigue.
Shared responsibility on cybersecurity crucial
Cybersecurity is not just a technical issue. Disruption caused by cyber attacks on SMEs affects trust in business and impacts the economy.
The vast majority of businesses are small and medium-sized – helping them create an effective cyber defence will form a solid wall to keep attackers out.
We described three pathways: making technology accessible, scaling expert services and cultivating global talent. By committing to these, we hope to help strengthen global cyber defence, but collaboration is key.
A collective approach and mindset will do more than strengthen defence for SMEs; it will secure a safe digital future across all of our industries and regions.