How SMEs can build a cost-effective cyber strategy

By Tom Henson, Managing Director, Emerge Digital

The cyber security threat landscape for SMEs is continuing to evolve. A report published earlier this year by Vodafone Business UK highlighted the stark reality facing these businesses, which play a vital role in the UK economy.

The report found that attacks on SMEs were up 15% in 2022 compared to 2020, with more than 54% saying they had experienced some form of attack on their organisation in the previous 12 months. On top of this, 18% of those businesses polled also admitted that their business wasn’t protected. The survey also highlighted that the average cost of an attack was around £4,200; however, the reality is that cyber-attacks can often be much more costly than this, as that figure does not take into account any ICO fines or the cost of reputational damage.

SMEs are facing the critical challenge of building robust cyber defences without straining their budgets, which are already under pressure from increasing costs and bills. The Government Cyber Security Breaches Survey further underscores this struggle, suggesting an increased number of SMEs have found it challenging to maintain their cyber hygiene since the pandemic.

SMEs continue to be prime targets for cybercriminals, offering an easy backdoor into larger enterprises. Therefore, building a robust, cost-effective cyber strategy is absolutely crucial for protecting themselves, as well as other third parties in their supply chain.

With all of this in mind, here’s a strategic guide to helping SMEs navigate this challenge.

  1. Understand Regulatory Compliance and Risk Factors

Recognising your business requirements concerning cyber security is the critical first step. This includes understanding your obligations towards compliance standards such as PCI DSS for finance-related businesses, FSA guidelines, or Cyber Essentials for government/public-sector contracts. The alarming fact is that the usage of up-to-date malware protection in micro-businesses has dropped from 81% to 74% within two years. Understanding these external factors and their impact can help shape your cyber strategy and secure your business.

Furthermore, don’t overlook the statutory duties of directors when it comes to cyber security. Directors need to ensure their decisions align with protecting the company’s assets, including digital ones. According to BPE Solicitors, to uphold their duties, directors need to do things including ensuring cyber security policies are being kept up to date, the Employee Handbook has effective policies like a BYOD (Bring-Your-Own-Device) policy, and ensuring employees are given sufficient cyber awareness training. Understanding these duties can influence your cyber strategy, especially when considering data protection and reputation management.

  2. Identify and Understand your Risk Appetite

Examining the nature of your business helps identify your risk appetite. Factors such as the industry you’re operating in, the type of data you handle, the clients you serve, and potential missed opportunities (like government contracts) due to inadequate cyber security are all vital. Notably, SMEs have become a favourite for cybercriminals, with 54% having experienced a cyber-attack, an increase of 15% in two years. Understanding your company’s risk appetite will enable you to build a strategy that effectively protects against such threats.

Moreover, consider the perspectives of your leadership team or board. Their views on risk can guide your approach to cyber security, allowing you to strike the right balance between innovation and security.

  3. Choose the Right Cyber Partner

Navigating the complex landscape of cyber security can be daunting. A trusted partner can guide you through this intricate terrain, aligning your needs with cyber security technologies that offer effective protection without blowing your budget. A good partner will help you maximise your spend by showing you how much protection each technology offers, assisting you in prioritising the most significant vulnerabilities within your budget.

If there are defences that you’re considering but they’re beyond your budget, expert partners can help find the next best thing. Different technologies provide varying levels of protection. Therefore, breaking down your spend to understand the protection each technology provides is key to getting the biggest bang for your buck.

  4. Prepare for Future Growth

Factoring in future growth is a critical aspect of cyber security planning. As your business scales, costs could escalate with ‘per user’ security solutions. Understanding the financial implications of these services is vital to avoid future budgetary surprises. It’s also crucial to have a partner that can guide you in adapting your strategy as you grow.

Considering your growth plans also involves reassessing your needs and vulnerabilities. As you expand, you’ll likely handle more sensitive data and possibly face more advanced threats. Ensuring your strategy is flexible enough to adapt is key.

  5. Promote a Security Culture

One of the most cost-effective ways to strengthen your business’s cyber defence is by promoting a security culture within your organisation. Human factors account for 82% of breaches, as reported by the Verizon 2022 Data Breach Investigations Report. Investing time in staff awareness and training can yield significant returns.

Initiate open conversations about cyber security, its importance, and the potential threats everyone should be aware of. Encourage everyone to discuss it openly. This awareness can dramatically reduce the risk of a security breach and foster a culture of vigilance and responsibility across all levels of your organisation.

As highlighted at the start of this article, the risk to SMEs of falling victim to a cyber-attack is real; as such, organisations need to be thinking more about ‘when’ they’ll be attacked rather than ‘if’.

The escalating costs and complexities of cyber security need not dissuade SMEs from developing robust defences. By understanding compliance and risk, selecting the right cyber partner, preparing for growth, and promoting a security culture, SMEs can build a cyber strategy that is both effective and budget-friendly. Considering the potential damage from a cyber-attack can reach $2.2 million per attack for some small businesses, investing in a cyber strategy isn’t just wise, but essential.

Tom Henson is Managing Director at Emerge Digital, a technology and digital innovation business and Managed Services Provider (MSP) which provides IT and cyber security solutions to SMEs and enterprise-level brands.