Grant McGregor News

The Impending SME Security Crisis

August 28 2017

The brutal fact is that most small businesses are not spending enough time or money on cyber security, leaving them exposed to ransomware, severe regulatory fines, reputational damage and lost business opportunities.

While 74% of businesses questioned in the UK Government’s Cyber Security Breaches Survey 2017 said cyber security was a high priority for senior management, the vast majority of the 7% who said it was a very low priority were small and micro businesses.

This disparity in the seriousness with which small and large businesses approach the subject of cyber security is reflected in spending.

While 91% of large firms have spent money on cyber security in 2017, this figure falls to 67% overall.

So why are small companies failing to address the subject of cyber security?

“Too Small” to Matter

There is some evidence to suggest that smaller companies just don’t perceive themselves to be at risk from cyber-attack.

But this complacency is misplaced. As we saw from the WannaCry ransomware worm that hit NHS organisations in May, once such malware spreads it isn't selective about which computers it attacks: it infected any machine it could reach that was still missing a Windows patch Microsoft had released two months earlier, regardless of who owned it.

Just under half (46%) of all UK businesses identified at least one cyber security breach or attack in the last 12 months.

It's worth noting that this figure does not account for breaches or attacks that go unidentified. A business that isn't investing in cyber security usually has no logging, monitoring or anti-malware reporting to speak of, so the question of how it would even register an attack is left wide open.

The same UK government survey finds that the average cost of breaches over the year is £3,070 for medium-sized businesses (with 50 to 249 employees) and £1,380 for small and micro firms (with fewer than 50 employees).

But these significant costs – and the disruption to the business and its customers – are not the only cost to small and medium sized businesses that fail to properly address cyber security.

Lost Commercial Opportunities

The seriousness with which enterprise organisations take cyber security does have implications for small businesses.

A recent survey for online security education and e-learning company CybSafe found that, of 250 IT decision-makers in small to medium-sized businesses that were polled, half have had cyber security conditions included in contracts with enterprise customers in the past five years.

Indeed, one third reported having their cyber security measures questioned as part of a contract-awarding process in the last 12 months.

In many ways, it is good to see that enterprises are finally cottoning on to the fact that their IT security policies and procedures must apply to the full extent of their supply chain. It is, after all, only as secure as its weakest link. However, this does have serious implications for the smaller businesses that make up those supply chains, especially since the data shows they have been slower to react to the cyber threat.

It is worth noting that enterprises are using recognised security standards, rather than ad hoc questionnaires, to vet their suppliers and potential suppliers.

The CybSafe survey found that 44% of the small and medium-sized businesses questioned had, in the last five years, been required by an enterprise customer to have a recognised cyber security standard in place, such as ISO 27001.

Clear Competitive Advantage

Small and medium-sized businesses that are investing in, and taking a rigorous approach to, cyber security stand to gain an obvious competitive advantage.

As enterprise customers seek to secure all elements of their supply chain, so the trend towards demonstrating good cyber security as part of any tender process will become more prevalent.

This pressure will only increase as the full impact of GDPR is felt once it applies from May 2018, since enterprises will be answerable for the personal data their suppliers process on their behalf.

Adopting a standard like ISO 27001, which certifies an organisation's information security management system, is a clear way to demonstrate a rigorous approach to information security within a business for commercial purposes.

The Government's Cyber Essentials certification is a good start. The five basic controls it covers (boundary firewalls, secure configuration, access control, malware protection and patch management) are estimated by the Government to protect businesses from around 80% of common cyber-attacks.

Simple Cost Avoidance

Whether or not small and medium-sized businesses sell to larger enterprises, a more rigorous approach to cyber security is desirable.

A 2017 Malwarebytes survey of more than 1,000 small and medium-sized businesses found that 37% of UK respondents had been attacked with ransomware in the past 12 months, and roughly half (49%) of them believed they should pay any money demanded.

However, it isn’t ransomware that costs British businesses the most when it comes to cybercrime: it is the simple disruption that an attack can cause.

Given that the average medium-sized British business loses more than £3,000 a year to cyber-attacks, this productivity problem is what should be driving all businesses, small, medium or large, to act.

And act now, because it is unlikely that your IT vulnerabilities will be targeted only once, and each time they are, your productivity and confidence will be hard hit.

One approach that’s working well is for businesses and organisations to get a second opinion on the true state of their IT security.

If it's good, and meets best practice standards, then SHOUT that to the world (but especially to your customers and stakeholders) by getting an objective accreditation like the Government's own Cyber Essentials or the independently audited Cyber Essentials Plus standard. Find out how you can do that here.

If your IT security is not up to scratch, better to find that out from someone who can help to fix it and plug the holes with you, rather than from a hacker once you’ve been compromised.

Our Security Assessment Service starts from £695 depending on the number of devices, sites and complexity of your IT infrastructure.

Contact us on 0808 164 4142 to find out details or complete our Cyber Essentials form here.