Cyber Security: Not a Priority In SMEs
Cyber Security: Small and medium-sized businesses are aware of cyber threats but allocate only a fraction of their budget to security. How does the National Security Agency advise companies to protect themselves?
Most small businesses are focused on something other than cybersecurity
The aim of the Business Agency survey, carried out in cooperation with the National Security Office, was to find out the current level of maturity of the sector in the field of cyber security. It showed that only about a third of small businesses deal with cyber security, while for medium-sized companies, the value was around 50%.
The COVID-19 pandemic and the war in Ukraine show how much the business and public sectors are becoming targets for cyber attackers. In addition to traditional large companies, small and medium-sized enterprises (SMEs), where the attacker assumes a lower level of security, tend to be important targets. It is, therefore, important that these organizations also start dealing with cyber security and try to reduce risks in their business.
Small and medium-sized companies do not feel the need to increase security
The survey showed that in approximately 60% of cases, the motivation to take measures to improve cyber security is mainly the threat of cyber attacks. Recommendations and requirements of the customer-supplier chain are considered a priority by almost a third of them.
More than half of micro-enterprises are aware of security risks, especially in transport, information and construction. However, this fact is not significantly translated into practice, in which half of the surveyed companies, especially smaller companies, do not employ any cyber security specialists.
The companies approached use externally provided cyber security services only to a minimal extent. However, the survey also showed that almost half of the companies offer their employees relevant education and adequate training in the field of cyber security, which can be evaluated as a positive figure.
Based on these data, it can be concluded that companies in practice do not feel the need to strengthen their resilience to a greater extent. Approximately two-thirds of the interviewed entities have never performed a cyber security risk analysis in their environment.
Business continuity management (BCM), which identifies potential threats to the organization and evaluates their impact on its operations, can be similarly characterized. Approximately two-thirds of enterprises still need to develop BCM.
Both grants and education can help.
A positive finding is that, from the perspective of the budget, companies are beginning to set aside a distinct package for information technology, and especially for cyber security (about half of the companies approached). On the other hand, this budget is at most 10%. Two-thirds of businesses said their cybersecurity spending is at most 1% of their total budgets.
The results of the survey fulfilled rather negative expectations. It is evident that, because of their lower available capacities and financial possibilities, SMEs are at a natural disadvantage compared to large companies, even when it comes to ensuring their cyber security. On the other hand, even in the absence of legislative obligations, SMEs should, at least on their own initiative, be interested in the issue of cyber security.
The National Security Office
The National Security Office recommends that small and medium-sized enterprises carry out a risk analysis as a priority. The subsequent steps will then be adapted to its findings. SMEs form a crucial pillar of the economy, so their high level of cyber security has the potential to support further economic growth. Market development and the number of business transactions also depend on mutual trust between individual businesses.
It follows from the evaluated reactions of companies that small and medium-sized entrepreneurs would most welcome measures in the form of grants and vouchers for the purchase of technology, but also to ensure training and educational courses to improve cyber security. They also expressed interest in information services, counseling, mentoring, and the possibility of training.