SMEs lag significantly behind large organizations when it comes to implementing security. Research shows that even relatively easy-to-implement measures are often still missing.
European SMEs score an average of 15 percent lower than large companies on cybersecurity. That’s according to a survey by insurer Marsh McLennan based on a Cyber Self-Assessment tool completed by 320 SMEs and large organizations in Europe. The assessment provides an overall score, but the survey reveals some very specific shortcomings.
MFA
For example, the importance of multifactor authentication (MFA) has quietly caught on among large companies. For remote login sessions, 91 percent of large companies (with revenues greater than 250 million euros) have MFA enabled. Among SMEs, the figure is only 75 percent. Yet locked logins and bad passwords are the main attack vectors for hackers, and MFA is a very simple and effective solution. It is not for nothing that major players such as Microsoft mandate the functionality for customers.
If something goes wrong, 61 percent of large companies report not only having a plan, but testing it from time to time. Testing incident response plans thus remains limited, but among companies with revenues below 250 million euros, the numbers are even worse. There, only 40 percent report having and testing such plans. In reality, the numbers are probably worse, since these results come from organizations that already make the effort to contact an insurer and fill out the self-assessment.
Lack of training
There is also a large gap in training, although it is mostly sector-specific. In the financial sector, SMEs recognize the relevance of cybersecurity training and 85 percent provide it. In the manufacturing sector, only 58 percent do, although attacks there can have far-reaching physical consequences. Criminals can shut down factories, for example.
SMEs are a critical part of the economy and of supply chains for products and solutions, including those of large companies. The gap in cyber resilience between large and smaller companies is therefore problematic for everyone. After all, attackers are looking for the weakest link in the chain.