New study shows that most SMEs mistakenly believe they are immune from cyber-attack

Have owners of small and medium-sized businesses ever considered the fact that they may at some stage face the prospect of a cyber-attack? The chances are the answer to that question is no. The reason for this is that they feel they are not big enough, or important enough, to warrant attention from hackers; after all, the richest pickings must surely lie in the hands of those companies with the biggest assets. If your business thinks along these lines, then you may want to take a look at the latest survey by security firm Kaspersky Labs, which clearly shows that size doesn’t matter. Vulnerability is not the exclusive preserve of big business: small businesses are equally at risk.

So what does this new survey say? Well, simply this: 59 per cent of small and medium-sized businesses mistakenly believe they are immune from cyber-attack because the information they hold is of no value to cyber-criminals. However, Kaspersky Labs maintains that this is clearly not the case. The security firm believes that the information they hold is far more valuable than they think, because SMEs are effectively stepping stones; that is, a link in the chain to larger enterprises. Hackers, therefore, target smaller businesses in order to unlock the data and assets of larger organisations. Unfortunately, because smaller local businesses do not take the threat seriously enough, they tend to underspend on security measures.

How should SMEs be addressing the problem? Well, according to David Emm, senior security researcher at Kaspersky Labs, SMEs should be improving their security posture by adopting a very simple four-step ‘SAFE’ strategy: Stepping Stone, Awareness, Forecast and Educate.

Stepping Stone

Mr Emm told Computer Weekly:

“Whether it is a supplier, a partner or a customer, SMEs tend to have links to other, larger companies. With this in mind, cyber-criminals increasingly target SMEs to get information that will enable them to access the larger company’s infrastructure.”

“For example, if the SME in question is a widget supplier to a big name, a cyber-criminal can sneak into their system [if insecure] and steal information that will make it easier for them to gain access to the larger company’s infrastructure, putting both them and their associates at risk,” he said.

Awareness

Emm argues that if cyber-criminals can gain access to enough smaller businesses, it can give them enough collateral to access a big organisation directly. Therefore SMEs need to make their employees more aware of cyber-security risks like phishing, spear phishing and watering-hole attacks. Such ploys are often used by hackers to trick staff into disclosing confidential information like passwords and account details: the sort of details that ultimately could help cyber-criminals gain access to the company’s infrastructure.

Emm also warns that human vulnerability needs to be factored into the awareness approach, as hackers are increasingly targeting people rather than systems. As an example he cited SMEs which allow visiting contractors to connect USB sticks to company computers: such practices can be exploited and can ultimately lead to business networks being infected with data-stealing malware:

“In a world where people are eager to help others, something so small can have an overall damaging effect,” said Emm.

Forecast

Small companies very rarely have the resources to deal with potential cyber-threats. Larger companies generally have IT managers in place who keep up to date with relevant security news; when they become aware of a potential cyber-threat they pass the message on:

“In smaller companies that lack this, it is important for all employees to keep their ear to the ground in terms of recent threats, and to get in third-party vendors and experts to educate their staff so all can keep an eye out for the tell-tale signs.”

Emm also believes that forward planning is a key issue that SMEs need to be aware of. He believes that SMEs should have a recovery policy in place which, in the event of a cyber-attack, will ensure that the business can get back to a positive, secure and reputable state in the quickest possible time:

“Make sure all employees know they have a responsibility in terms of the company’s IT security,” said Emm.

Educate

Emm also believes that education on security policies in the workplace is just as important as education about health and safety issues:

“This is important in all organisations but in particular, for smaller companies. You need to demystify the issues, explain them in an easy-to-understand manner, use analogies if necessary; create a few simple top tips or ‘do’s and don’ts’ for staff to follow and place posters including these all over the office,” he said.

Emm’s final piece of advice to SMEs is to remember that security strategy is not a one-off activity. It needs to evolve to counter threats effectively:

“It will need to be revisited on a regular basis to keep up with the security landscape and keep security issues front of mind. All SME employees need to be responsible for security, especially with the number of personal devices being used for work,” he said.

For real-world advice on the suitability of your current security measures, and help with security reviews, penetration testing or web security, please contact Krypsys on 01273 044072 or [email protected].