A recent report in Computer Weekly highlighted that SMEs in the Nordics cannot afford to protect themselves against cyber security risks. The Danish Business Authority says that cost is the biggest barrier to adoption; while a survey by YouGov found that SMEs in Norway haven’t prioritised IT security spending due to a false sense of security.
As worrying as this is, it is not just Nordic SMEs that are at risk. The 2019 Verizon Data Breach Investigations Report (DBIR) found that 43% of cyber-attacks targeted small businesses, while 63% of attacks against small businesses succeeded.
However, SMEs still lack the resources and know-how to secure themselves – often relying on consumer security software or, by default, their suppliers. For example, according to the Ecosystm Cybersecurity study, 54% of Australian SMEs rely on their cloud providers to secure their IT operations.
No matter how secure their Cloud provider is, this will not protect SMEs from the entire range of threats they are faced with. Another recent report from CybSafe, for example, found that 43% of SMEs in the UK had been targeted by phishing attacks in the previous year, as cyber criminals shift their attention to easier targets. Many could reduce their risk simply by training their own staff, as human error and phishing remain primary causes of breaches in the sector.
“SMEs are the workhorse of the European economy, representing 99% of all businesses in the EU. In the past five years, they have created around 85% of new jobs and provided two-thirds of the total private sector employment in the EU. Although many SMEs are digital natives, they are not security professionals. They need to be secured against hackers that are extremely adept in their approach to targeting their prey and diversifying their approach by using direct (DDoS, SQL injection, cross site scripting, etc) as well as indirect (spear phishing, drive-by attacks, eavesdropping attacks, etc) attacks.” Kevin Bailey, MD, Omnisperience
Even when SMEs take security seriously, they struggle to recruit IT security specialists, who can achieve far higher salaries working for enterprises. They also struggle to consume security technology which is often not designed to meet their needs, as it requires them to select, integrate, implement and manage a range of different and overlapping products. Smaller businesses in particular need fully managed, cost-effective solutions.
Matt Gyde, CEO Security at NTT comments: “Businesses need their security to be holistic to their solutions and this means fully embedded, not just added on. Having security intrinsic to any infrastructure is the only way to predict, detect and respond intelligently to cybersecurity threats, ensuring they are beaten long before they become an issue”.
Adding pressure to the situation is the fact that not only do SMEs face increasing risks as they become ever-more connected to customers and business partners, and as cyber criminals go after the low-hanging fruit they represent, but they are also increasingly being forced to adopt enterprise-level security standards just to keep trading. This is because regulators are now demanding that entire supply chains are secured to achieve compliance with standards.
For example, the Australian banking regulator, APRA, recently introduced new prudential standard, CPS 234 (July 2019). To meet this standard, organisations must be able to not only demonstrate their own compliance, but that of their entire supply chain. Small businesses that have been selling to banks for years are now having to deal with their customers demanding they fill out questionnaires and comply with complex IT security processes that are beyond their knowledge or capabilities – even when the sale is offline and not IT related.
Maintaining a workable level of profitability is key to survival for SMEs, who do not have the cash resources of larger enterprises. The cost of a data breach – which according to the IBM Ponemon ‘Cost of a Data Breach‘ report 2019, is typically $4.88 million in the UK (£3.8 million), up nearly 11% in a year – plus fines and sanctions under the EU General Data Protection Regulation (GDPR), is sufficient to bankrupt smaller companies.
The opportunity for B2B service providers
Security vendors perceive B2B service providers to be good potential partners and channel into the SME sector, because of their existing billing relationship with small business customers. B2B service providers are also able to offer fully managed services and solutions configured to the SME sector and the individual needs of different types of SME.
However, in order to be successful, B2B service providers first need to know which of their customers are SMEs. This, in itself, can be challenging for service providers that have both consumer and business divisions. Many small and micro businesses opt for consumer packages and therefore are often not identified as business users by their service provider. This challenge is increasing as more people work from home, use their own devices, applications and networks for work (BYOD, BYON and BYOA), or become part of the gig economy.
Upselling security solutions into the sector therefore begins with better profiling and segmentation of the customer base, along with the melting of hard lines between consumer and business packages to allow for dual profile customers to be better served and targeted.
As this market continues to grow, service providers who make assumptions about their customers, and cannot identify micro & nano businesses and those who regularly work at home, will fail to maximise their opportunities and lose out to rivals.
This is not a mistake that NTT intends to make, with their reorganisation specifically aimed at upselling broader capabilities to their customers. NTT’s Gyde explains: “By bringing the NTT family closer together, we are better positioned than ever to enable our clients to do great things with technology – and, importantly, securely so they can concentrate on running their business. We know a secure-by-design approach is becoming a big focus for service providers, which we see as a great opportunity for us as a business. Ultimately, the integration now enables us to support clients at every stage of the digital transformation journey while helping them navigate the critical business issues and pressures that come with it.”
“Using effective SME targeting, B2B service providers can address this vast market opportunity by resolving two critical SME needs: (1) educate the SME around security solution best practices and (2) provide a security managed service so the SME can focus on growing their business.” Kevin Bailey, MD, Omnisperience