SMEs isolating themselves due to limited awareness of cyber threats

Source: report ABN AMRO
May 03, 2023 · 10 min read

Cybercriminals are shifting their focus towards smaller businesses, as revealed by ABN AMRO's research among 233 corporate clients. Whereas last year large enterprises were targeted significantly more often than SMEs, the differences are now minimal. Yet smaller businesses seem to pay little heed to this trend; their risk perception remains unchanged.

In contrast, larger organizations have seen a substantial increase in their risk perception. Small businesses must therefore step up their game, partly to avoid losing contracts due to new legislation.

Despite many businesses feeling secure, the likelihood of falling victim to cybercrime is high. Companies are digitally interconnected in various ways. Recently, several market research firms reported data breaches following a hack on software vendor Nebu, exposing the personal data of at least two million Dutch citizens. These agencies, often falling into the SME category, gauge customer satisfaction on behalf of larger organizations such as NS, VodafoneZiggo, and CZ.

Figure source: ABN AMRO and MWM2

While companies rapidly expand their IT landscape, malicious actors are also incorporating increasingly innovative technologies into their toolkit. Artificial intelligence aids in rapidly cracking passwords, crafting convincing phishing campaigns, and creating malicious programs that automatically enhance themselves. "Companies are falling further behind the hacker community," says Matthijs Blokker of cybersecurity company MMOX.

The limited sense of urgency among smaller businesses is also recognized by Frank Breedijk. In his role as CISO at IT service provider Schuberg Philis, he engages with larger companies. As an 'ethical hacker' for the Dutch Institute for Vulnerability Disclosure (DIVD), he also observes how things sometimes unfold in SMEs. "When I report a security issue to a small business, I often receive a response along the lines of: thank you, I will notify the system administrator. However, it turns out that they are not working every day, while urgency is crucial." With such an attitude, companies make themselves an easy target. Breedijk notes, "Anyone can fall victim to a cyberattack, but those with the poorest security measures are the first targets."

Frank Breedijk, CISO Schuberg Philis

Limited Sense of Urgency Among SMEs

An integrated approach to cyber resilience is required to contain the increasing threat of phishing, malware, and ransomware. However, that urgency is not uniformly felt. While the percentage of SMEs and self-employed individuals (freelancers) with firsthand experience is rapidly increasing, their risk perception compared to last year has remained practically the same.

In contrast, the largest organizations show a clear increase in risk perception. Because large companies typically collaborate with more partners, have more suppliers, and serve more customers, they are more vulnerable to cyberattacks. These vulnerabilities through third parties are currently being exploited by malicious actors, particularly through attacks on IT companies serving a wide range of clients.

Figure source: ABN AMRO and MWM2

A critical view of supply chain partners

As risk awareness grows among large companies, so do the cybersecurity standards they impose on their partners. Smaller businesses risk failing the cybersecurity assessment of their larger clients and sidelining themselves, regardless of the damage to their own company. And it's precisely the small businesses that are being affected by cybercrime more than ever before.

"There's a waterbed effect," says Breedijk of Schuberg Philis. "Cybercriminals are shifting their focus from large enterprises to SMEs." Therefore, large organizations are critically evaluating the cybersecurity of their partners and suppliers. "They are raising the bar for their suppliers," says Breedijk of Schuberg Philis. "And if these suppliers don't have their cybersecurity in order, they won't do business."


The critical examination of supply chain partners will be further reinforced by new European regulations in the field of cybersecurity. NIS2, the successor to the previous Network and Information Systems Directive (NIS), encourages companies to contractually establish cybersecurity agreements with their immediate suppliers and partners. Although NIS2 does not apply to the smallest companies, larger clients may still pose critical questions following the new law.

It is therefore essential that cybersecurity becomes an integral part of business operations within companies. In this regard, Erik Michielen, managing consultant at SEQRIT, sees a positive trend. "Finally, directors are also sitting at the table to think about cybersecurity."

With the dependence on various cloud services, open-source software components widely used by developers, and new technology being rapidly embedded in business operations, the attack surface is growing. IT landscapes are also becoming increasingly complex. "We are all witnessing a massive IT development," says Breedijk of Schuberg Philis. "Functionality is being stacked upon functionality, but without the attention needed to keep up with security standards."


For more information

Read the full report here 'Mkb isoleert zich door beperkt bewustzijn cyberdreiging'.
