Executive Summary

Information security for small and medium enterprises (SMEs) represents one of the most important challenges of the current era. SME organisations account for 99% of enterprises and employ many tens of millions of people, constituting the backbone of the economy throughout the European Union member states. Conversely, they represent a major target for security breaches and data loss or theft. We believe that these guidelines can help SMEs fill the gaps that are constantly identified as potential risk events to organisations.

SMEs need advice and assistance in identifying and defining suitable actions to mitigate information technology risks, data loss and the problems that the loss of an IT function brings to any organisation. Cyber crime poses a severe risk to all types of enterprises. Preventing these risks requires implementing initiatives based on both education and awareness.

Cyber crime is a growing phenomenon worldwide, representing a threat to citizens and the global economy. Cyber crime provides a huge source of income for criminal organisations. The latest World Economic Forum (WEF) report on global risks confirms that cyber attacks remain among the major risks – both in terms of impact and likelihood of occurrence. Large organisations allocate budgets to combat cyber crime; for small and medium enterprises (SMEs), however, it is still very hard to perceive cyber crime as a real threat to their businesses, their finances and their survival in the market. SMEs represent easy targets because they are less protected, unaware of the risks, and often not even able to detect the extent of theft that has taken place in the cyber setting.

SMEs are easy targets for cyber criminals who wish to enter the systems of large corporations via backdoors: in the 2013 attack on Target (a retail store chain in the USA), the attackers breached the company’s systems through the systems of an SME air-conditioning contractor.


Considering the growing trend in this type of threat, it is necessary to enhance current preventative security systems. Many attacks have long-term business consequences, and there is an increase in targeted attacks that aim to appropriate sensitive data, corrupt data or steal copyrighted material. With the increasing use of IT tools within SMEs, there is a greater chance of a company being attacked, and from many different directions.

Cyber Crime

Cyber crime is both more severe and more widespread than one might imagine. In fact, most cyber attacks are still not detected and/or reported. Losses due to cyber crime for an individual company can reach several million euros. Only companies that invest in the appropriate processes, procedures and technology will achieve long-term benefits in terms of security, reputation and profit. It is a fact that SMEs are a very attractive target for cyber criminals.

Many SMEs still underestimate this threat. A study by the UK government found that more than two-thirds of SMEs have never thought that they could become a victim of cyber crime.

A report published by the UK’s Department for Business, Innovation and Skills and PricewaterhouseCoopers shows that 60% of the SMEs involved had had their computers breached. SMEs are a very attractive target for cyber criminals; nevertheless, decision makers working in these enterprises still often underestimate the threat posed. Whatever the nature of an SME’s business, every company is seen as a lucrative target. Various types of information, be it intellectual property, commercial data and contact lists, personal data, financial details or account credentials, can be sold on the black market or dark web to individuals intent on committing fraud, spreading malware and facilitating other crimes.

Automated attacks are now cheap and easy to conduct and, being indiscriminate, are not aimed at a particular company or site but instead have the objective of hitting as many victims as possible through the exploitation of known vulnerabilities. The window between a new vulnerability becoming known and a cyber criminal being able to exploit it, before it is patched, is very short. In October 2014, for example, Drupal announced that users who had not patched their Content Management System (CMS) platform within seven hours of the discovery of a bug had to consider their website compromised.

The speed of response is a high risk factor for SMEs, as they often lack the resources to tackle these automated attacks and to implement policies for patching and updating software as fast as large companies, which can depend on prepared IT departments and conduct activities such as penetration tests and vulnerability assessments. Recent research conducted by the UK government through the Cyber Streetwise campaign found that, by underestimating the danger of cyber crime, English SMEs put a third of their revenue at risk, be it via susceptibility to data loss, financial loss or reputational damage. The SMEs interviewed in the study believed that security measures are too expensive, and they often do not know where to start with respect to implementation. It is clear that SMEs require support in order to mitigate the damage caused by cyber crime, build awareness, and increase security assets.

A recent report by HP reveals that 44% of the breaches that occurred in 2014 exploited known computer, software or other IT infrastructure vulnerabilities dating back two to four years. Moreover, according to this study, the main flaw exploited by cyber criminals was misconfiguration, which had unnecessarily exposed companies to attack. This not only shows that knowledge in this area is still low, but also demonstrates the level of superficiality that still exists in the maintenance of IT equipment within companies.

Persistent Threat

According to The Guardian, the cyber threats that have shown the greatest growth in the past few years are the Advanced Persistent Threat (APT) and increasingly sophisticated spam. In regard to spam, the most interesting aspect is that its volume is decreasing in absolute terms, but at the same time it is becoming increasingly sophisticated – making it even more difficult for anti-spam software to filter messages.

The main problem is that the risks related to a low level of IT security prevention are growing faster than the ability to protect against cyber attacks. While investment in information security has increased in recent years, the number of attacks and their severity continue to rise. Many incidents (as many as two thirds) are not even reported by the victims, due to a lack of skills and appropriate tools. Social networks are one of the biggest critical points because of their expansion beyond a simple network between users, which makes them an attractive platform for the spread of malware and for committing fraud.

Point of Sale (POS) systems are another key target sector. Cyber criminals increasingly hit these systems because of the ease with which they can exploit cheap, ad-hoc malware used for financial fraud. Another critical point is mobile devices, due to their increased use for making mobile purchases.

Risks to Mobile Devices

The continued growth of mobile malware is mainly due to the use of devices without the necessary security precautions, especially in the workplace, where the device is used in the same way as it is for personal use. The most prevalent type of malware is spyware: applications used by criminals to spy on the owner of the phone, tracing it, monitoring incoming and outgoing calls and reading text messages. A recent study by Kaspersky Lab and B2B International shows that nearly 30% of users do not even know what malware is. In this environment, the very low level of attention and awareness of users, who often download applications and visit unsafe sites, is evident.

The spread of cyber crime is undoubtedly facilitated by human behavior. The lack of awareness about the dangers of the web allows for user behavior that aids the spread of viruses and allows for the creation of fraud or other types of attacks – behavior on which cyber criminals rely.

A Kaspersky Lab survey regarding Bring Your Own Device (BYOD) policies shows that 62% of employers and employees regularly use private devices for work purposes, often without effective protective measures.

<http://media.kaspersky.com/en/kaspersky_lab_consumer_security_risks_survey_2014_eNG.pdf>

In fact, 92% of respondents store sensitive corporate data on smartphones and tablets used for both work and private life, and 60% of employees think that activating security systems is the responsibility of the company they work for. For SMEs, the percentage of workers and business owners who consider cyber threats a real and dangerous risk is still very low, while, conversely, nearly 60% of large companies are seriously alarmed by the phenomenon of cyber crime.


Finally, the continued spread of ransomware, such as Cryptolocker, is a persistent threat. This is a very serious phenomenon, and the first step to address it is to educate and train staff in the correct use of computer systems. The Man-in-the-Middle attack, for example, is a type of silent attack in which the attacker infiltrates the victim’s systems (or the systems of the victim’s partner). In this case, the attacker studies the cyber habits of the two victims for a long period of time, reading and modifying communications between the two parties whilst keeping his presence hidden.

Understanding IT Risks for SMEs

In terms of specific measures for SMEs, I would say that the starting point for any company is to assess the risks:

After evaluating these aspects, the company needs to chart a strategy to reduce the risks. Technology is important (anti-malware, firewall, encryption, etc.), but it is not enough. The company must also establish policies and procedures that reduce the risk of exposure, for example segmentation of the network in order to make the spread of an attack more difficult. In addition, raising awareness amongst employees is essential. In fact, many attacks today start simply because a careless employee unwittingly endangers the security of the company; awareness is therefore important in preventing damage caused by people, and at the same time it protects the company’s digital assets. Seeing security as a process is very important. More experts with practical market experience are required in this field. Education of future generations plays a key role in closing the current gap between the skills of attackers and those responsible for protecting IT systems. Trying to predict future developments, in order to deal with such a quickly evolving threat, might also be important.

Internal IT Department

In addition, if an SME does not have an IT department of its own, the help of an external consultant is required in order to implement the relevant and mandatory actions within the IT area. Technical measures within the IT area, such as maintaining backup plans, are very important in protecting the company against threats. Having these policies in place is important, for example, for an accounting firm during the period in which it delivers tax documentation to its customers, or for a firm of architects where it is crucial that the plans for tenders are stored in secure areas of the corporate network, preferably not connected to the Internet.


Obviously, there are common policies that should be employed across several business areas, such as the secure management of passwords and training in detecting fraudulent e-mails, like phishing and spear-phishing e-mails, which are on the increase and becoming more sophisticated. Staff must be constantly informed and updated on the necessary rules for recognising fraudulent e-mails. A simple step such as hovering the mouse cursor over the name of the sender, in order to check that the e-mail address matches the one displayed and is not a counterfeit intended to mislead the user, is a precaution that can help stop users from infecting their devices with malware.
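The sender check described above can also be applied automatically to the From: header of incoming mail. The following Python script is an added example written for this page, not code from the original guidelines; the trusted domain, the look-alike character table and the sample headers are constructed assumptions for the demonstration.

```python
import re
from email.utils import parseaddr

# Assumption: the organisation's own mail domain (constructed placeholder value).
TRUSTED_DOMAIN = "example-sme.test"

# Constructed From: headers used for the demonstration, not taken from the original text.
SAMPLE_FROM_HEADERS = [
    'Accounts Team <accounts@example-sme.test>',
    '"accounts@example-sme.test" <billing@mail-updates.example.net>',
    'Example SME Accounts <accounts@example-sme.test.attacker.example>',
    'IT Helpdesk <helpdesk@exampIe-sme.test>',
]

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
# Characters commonly swapped for look-alikes in a domain: capital I and digit 1 for l, 0 for o.
LOOKALIKES = str.maketrans("I10", "llo")

def domain_of(address):
    """Domain part of an e-mail address, or '' if there is none."""
    return address.rsplit("@", 1)[1] if "@" in address else ""

def lookalike_key(domain):
    """Fold look-alike characters so that 'exampIe-sme.test' compares equal to 'example-sme.test'."""
    return domain.translate(LOOKALIKES).lower()

def check_sender(from_header, trusted_domain=TRUSTED_DOMAIN):
    """Return the reasons a From: header looks deceptive; an empty list means nothing was found."""
    display_name, address = parseaddr(from_header)
    if "@" not in address:
        return ["From: header has no usable address"]
    findings = []
    actual, trusted = domain_of(address), trusted_domain.lower()
    # 1. The display name itself shows an address that differs from the real sender address.
    for shown in EMAIL_RE.findall(display_name):
        if shown.lower() != address.lower():
            findings.append("display name shows %s but mail is from %s" % (shown, address))
    # 2. The real domain is not the trusted one but embeds it (trusted name used as a sub-domain).
    if actual.lower() != trusted and trusted in actual.lower():
        findings.append("domain %s embeds trusted domain %s" % (actual, trusted_domain))
    # 3. The real domain differs from the trusted one only by look-alike characters.
    elif actual.lower() != trusted and lookalike_key(actual) == lookalike_key(trusted_domain):
        findings.append("domain %s is a look-alike of %s" % (actual, trusted_domain))
    return findings

def scan_headers(headers=SAMPLE_FROM_HEADERS):
    """Map each suspicious header to its findings; clean headers are left out."""
    return {h: check_sender(h) for h in headers if check_sender(h)}
```

Of the four constructed headers, only the first is left out of the result; the other three are flagged for a mismatched display name, a sub-domain that embeds the trusted name, and a look-alike domain respectively.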


The impact of cyber crime on the economy is an issue that is becoming increasingly worrisome. One of the main difficulties in dealing with this type of crime is that the tools and knowledge held by cyber criminals, as compared to those who are responsible for combating it, are disproportionate.

Moreover, the trend of rapidly deploying cheap, malicious tools online has served to bolster cyber criminals’ capabilities. These tools are easy enough to use that even those without high technical expertise can take part in cyber crime.

A further security threat for SMEs is the ever-increasing use of legitimate software, in place of malware, in order to gain access to corporate systems. This implies two main risk factors for SMEs. First, recognising these programs as a threat is very difficult for antivirus software. Second, the high speed at which attackers can exploit software issues and flaws makes it difficult for SMEs to combat this problem in real time.