The BSI expands on this: “Unlike typical large companies, SMEs don’t usually employ dedicated IT security teams.” This is a fact that Michael Thumann, IT security specialist at Bechtle Lake Constance, has underlined after years of experience in SME business consulting. “The IT department of the typical SME is often not well enough set up. There’s little to no staff and huge deficits in the budget.”
The question of what the right security budget is cannot be answered easily, as there are many factors to consider. “It depends on the size of the company and the type of sector they are in,” explains Michael Thumann and adds, “For example, machines in the manufacturing sector need to be considered. The topic of IoT security is playing an increasing role.” One thing is certain: small and medium-sized companies are not investing enough in their IT security.
The security budget is too low.
According to a BSI survey of 1,000 SMEs, they spend only one to ten percent of their IT budget on cyber security, whereas around 20 percent would be recommendable. “More often than not, a successful cyber attack threatens the existence of these companies,” says Michael Thumann. The BSI’s figures also show that for micro and small enterprises with fewer than 50 employees, one in four cyberattacks has consequences that threaten the existence of the company.
Even comparatively low-cost measures such as mobile device management, emergency drills or the principle that “IT security is a matter for the boss” are usually not implemented. The last point is often decisive for the vulnerability of SMEs, as managing directors usually lack awareness of the risks posed by cyber attacks. This makes SMEs particularly vulnerable to threats. On top of this, rapidly advancing digitalisation means that the threat situation is continuously intensifying.
Cyberattacks – Mid-sized businesses are ill-prepared.
The urgency to act is also shown by the results of a Forsa survey carried out for the German Insurance Association (GDV) in 2020, which found that about half of the SMEs surveyed (48 percent) have neither an emergency plan nor an existing agreement with an IT service provider, which leaves them ill-prepared for cyberattacks. Little has changed about this in the meantime. The LBBW SME radar 2021 showed that 51 percent believe that cyber crime is one of the largest threats for business. However, a current study by Cisco found that the technical foundations are not appropriate: almost half of the security technology used in Germany is outdated. This is also reflected in the fact that only one fifth of security and data protection experts see themselves as capable of managing the most important risks and avoiding major incidents. The Cyber Risk Index from Trend Micro at least shows that those responsible are aware of the risk: 84 percent of the German companies surveyed expect to be affected by a successful cyberattack in the next twelve months.
For Christian Grusemann, Business Manager Security at Bechtle, one thing is certain: “SMEs are facing major challenges in the face of the increasing number of threats. Stable business operations, the protection of expertise and reputations, and not least, use of the latest technologies are all crucial in order to rise above the competition.”
How a cyberattack works.
Michael Thumann describes what a typical attack on a company with 100 to 300 employees currently looks like. “First, the criminals try to get a foot in the door. They send e-mails with an infected attachment or exploit security vulnerabilities in the software. The second step is to gain control of the network and become an administrator. This way, hackers can not only tap sensitive data, but also encrypt it. They then demand a ransom and release the data.”
To take steps towards more IT security, he recommends simple but effective measures for SMEs. “A gap analysis checks the company’s security system for possible weaknesses and gateways. The actual state is compared with a target state and individual factors are taken into account.” He also focuses on the issue of proportionality. “SMEs do not need a Security Operations Centre (SOC) to be prepared for all eventualities. As a rule, they cannot afford it. Nor do they need a service provider who sounds the alarm 24/7. They need a sensible, affordable strategy, advice and operational support that secures them against the common approaches of cybercriminals.”