Although the business world is aware of cyber risks, particularly with the growth of teleworking following the public health crisis, it is nevertheless clear that small companies lack maturity in this area. Two out of five SMEs or VSEs have already been targeted by hacking or cyber attacks, and 71% of them have gone out of business in the wake of a cyber attack (according to a CPME survey). What makes SMEs-VSEs ideal targets for hackers? How can we explain the lack of a real cybersecurity culture? In this article, we review the situation.

SMEs-VSEs: ideal targets for hackers

France has 3.5 million small and medium-sized businesses, making up 99.8% of the entrepreneurial landscape (Ministry of the Economy). The scale of this statistic explains in itself why SMEs-VSEs are so often targeted. Hackers also take advantage of the “ideal” conditions offered by this type of company: less rigorous security processes and protection systems that are not necessarily suited to their task.

Less rigorous security processes

In the field of cybersecurity, we tend to think of large corporations as the natural targets for hackers. This is a misconception, however: it is far easier for hackers to break into the information system of a small business than to get past the protective shields put up by multinationals.

The less rigorous security processes of smaller companies are another factor. Only one-third of SMEs-VSEs have an IT specialist dedicated to cybersecurity. More often than not, this task is handled by the company director (41% of cases), a third party (8%), or no one at all. The smaller the company, the more likely it is that cybersecurity will be overlooked (source: Ifop survey for Xerfi, December 2021).

As a result, in the event of an attack, it takes a very long time to deal with the problem. According to ANSSI and AMRAE, the average time elapsing between a cyber attack and its discovery is 167 days, which leaves ample time for hackers to cause irreversible damage.

Protection solutions ill-suited to SMEs-VSEs

Small and medium-sized businesses are becoming aware of the risk and taking action, but the barriers they are putting up remain ill-suited to actual needs. Too often, antivirus software is the only form of protection integrated with the information system: 97% of SMEs-VSEs use this type of solution, while 88% have a firewall, 79% an internal data backup system, and 60% an external backup tool (Ifop/Xerfi).

This is insufficient, but there is a possible explanation: the more advanced solutions are considered to be out of reach, owing to their cost and to the complexity of a market offering that can appear incomprehensible. In addition, cybersecurity service providers often have few solutions tailored to SMEs-VSEs, preferring to focus on key accounts and thereby creating a two-tier system of cyber protection.

Another fact must also be taken into account: quite simply, the world of small and medium-sized business does not have a strong cyber culture.

A weak cybersecurity culture in small and medium-sized businesses

We can point to four possible explanations for this weak culture. Let’s explore them!

1. Cyber risks are often downplayed

A problem of risk perception exists within SMEs-VSEs. A full 77% of respondents to the Ifop/Xerfi survey believe that small companies are rarely affected by cyber attacks. More worrying still: 75% of them assess their own risk profile as “fairly low” or even “very low”. Similarly, 80% consider themselves to be “well protected” against these risks.

2. A lack of regulatory requirements?

Although regulatory requirements exist, they mainly target large structures, public-sector players and Operators of Essential Services. This is the case with the European NIS 2 directive. As a result, small and medium-sized companies feel less concerned by cybersecurity, although this is starting to change with the implementation of the GDPR, which applies to everybody.

3. Awareness-raising efforts that are still only starting

The ANSSI report on cybersecurity in SMEs and VSEs clearly shows that only one VSE in five conducts internal awareness-raising campaigns on cyber risk. According to Ifop/Xerfi, simple preventive actions, such as regularly changing passwords, are carried out by only a small number of SMEs-VSEs. And yet awareness and training are essential prerequisites for building a secure and stable IT environment.

4. Limited investment

Finally, there is a glaring lack of investment. The arguments put forward to justify this timidity are rarely backed up by the facts: 56% of business leaders over-estimate the cost of effective protection, quoting a figure of over 100 euros per month, whereas in reality a wide range of secure solutions are available at a far lower price. Above all, the investment/risk ratio is largely under-estimated, since cyber attacks cost SMEs an average of 9,000 euros, rising to as much as 500,000 euros!

So the diagnosis is clear: SMEs-VSEs are ill prepared to deal with cyber risks. Fortunately, as alarming as the situation may seem, all hope is not lost. Provided that SMEs-VSEs adopt the right practices, they will be able to counter the threat. We will look at this subject in a future article.
