Cyberattacks are a major challenge for organizations of all sizes, but small and medium enterprises (SMEs) face distinct threats when it comes to cybersecurity. Unlike large companies, often they do not have the resources and expertise to implement extensive security measures or manage complex solutions, making them targets for malicious actors
To help us better understand the security needs and trends of SMEs, Microsoft partnered with Bredin, a company specialized in research and insights about SMEs, to drive aresearch focused on security for companies with 25 to 299 employees. By sharing the insights below and the initial actions that can be taken to address them, SMEs can find additional best practices to stay safe in theBe Cybersmart(in English)
- One in three SMEs was a victim of a cyberattack
With the increase in cyberattacks, SMEs are increasingly affected. Research shows that 31% of SMEs have been victims of cyberattacks, as ransomware, phishing or data breaches. Despite that, many SMEs still hold misconceptions that increase their risk and vulnerability. Some believe they are too small to be targets for hackers or assume that compliance equals security. It is crucial to understand that malicious actors pose a threat to companies of all sizes, and complacency in cybersecurity can lead to significant risks
How can SMEs approach this
A Microsoft, in collaboration with the Cybersecurity and Infrastructure Security Agency (CISA) and the National Cyber Security Alliance (NCA), outline four simple recommended practices to create a solid cybersecurity foundation
- Use strong passwords and consider a password manager
- Enable multi-factor authentication
- Learn to recognize and reportphishing.
- Make sure to keep your software updated
- Cyberattacks cost SMEs more than 250 thousand dollars on average and up to 7 million dollars
The unexpected costs of a cyberattack can be devastating for an SME and hinder financial recovery. These costs may include expenses incurred for investigation and recovery efforts to resolve the incident and fines associated with the data breach. Cyberattacks not only present an immediate financial strain, but they can also have long-term impacts on an SME. The diminished trust of customers due to a cyberattack can cause broader reputational damage and lead to lost business opportunities in the future
It is difficult to anticipate the impact of a cyberattack because the time required to recover can vary from one day to more than a month. Although many SMEs are optimistic about their ability to withstand a cyberattack, some fail to accurately estimate the time required to restore operations and resume normal business activities
How can SMEs approach this
SMEs can conduct a cybersecurity risk assessment to understand security gaps and determine steps to address them. These assessments can help SMEs identify areas vulnerable to attacks to minimize them, ensure compliance with regulatory requirements, establish incident response plans and more
Planning effectively and proactively can help minimize financial costs, reputational and operational risks associated with a cyberattack, in case it happens. Many organizations provide self-assessment evaluations, and working with a security specialist or security service provider can bring additional expertise and guidance during the process, as needed
- 81% of SMEs believe that AI increases the need for additional security controls
The rapid advancement of AI technologies and the ease of use through simple interfaces create notable challenges for SMEs when used by employees. Without the proper tools to protect the company's data, the use of AI can lead sensitive or confidential information to fall into the wrong hands. Fortunately, more than half of the companies that currently do not use AI security tools plan to implement them in the next six months for more advanced protection
How can SMEs approach this
Data security and governance play a critical role in the successful adoption and use of AI. Data security, that includes labeling and encryption of documents and information, can mitigate the chance of restricted information being referenced in AI prompts. Data governance, or the process of managing, understand and protect data, can you help establish a structure to effectively organize the data
- 94% consider cyber security critical to their business
Recognizing the critical importance of cybersecurity, 94% of SMEs consider it essential for their operations. Although it has not always been considered a priority, given the limited resources and internal expertise, the increase in cyber threats and the growing sophistication of cyberattacks now pose significant risks to SMEs. Manage work data on personal devices, ransomware and phishing are cited as the main challenges that SMEs are facing
How can SMEs approach this
For SMEs that want to start with the resources available to train and educate employees, security topics inCybersegurança 101, Phishing(in English) and more are provided through the site ofAwareness of Cybersecurityfrom Microsoft
- Less than 30% of SMEs manage their security internally
Given the limited resources and expertise within SMEs, many turn to security specialists for assistance. Less than 30% of SMEs manage security internally and usually rely on security consultants or service providers to manage their protection needs. These professionals provide crucial support in research, selection and implementation of cybersecurity solutions, ensuring that SMEs are protected against new threats
How can SMEs approach this
Hire a Managed Service Provider (MSP – Managed Service Provider is commonly used to complement internal business operations. MSPs are organizations that help manage broad IT services, including security, and serve as strategic partners to improve efficiency and oversee daily IT activities. Examples of security support may consist of researching and identifying suitable security solutions for a business based on specific needs and requirements. Furthermore, MSPs can implement and manage the solution by configuring security policies and responding to incidents on behalf of SMEs. This model allows SMEs more time to focus on the main business objectives, while the MSPs keep the company protected
- 80% intend to increase their spending on cybersecurity, with data protection as the main area of investment
Given the growing importance of security, 80% of SMEs intend to increase spending on cybersecurity. The main motivators are protection against financial losses and safeguarding customer and consumer data. It is no surprise that data protection is the main area of investment, with 65% of SMEs saying that is where the increase in spending will be allocated, validating the need for additional security with the emergence of AI. Other main areas of spending include firewall services, protection against phishing, ransomware and device protection, access control and identity management
How can SMEs approach this
Prioritizing these investments in the areas above, SMEs can improve security posture and reduce the risk of cyberattacks. Solutions such as Data Loss Prevention (DLP – Data Loss Prevention helps identify suspicious activities and prevent sensitive data from leaking outside the company, Endpoint Detection and Response (EDR – Endpoint Detection and Response help protect devices and defend against threats, and Identity and Access Management (IAM – Identity and Access Management helps ensure that only the right people have access to the appropriate information
- 68% of SMEs consider secure access to data a challenge for remote workers
The transition to hybrid work models has brought new security challenges for SMEs, and these problems will continue as hybrid work becomes permanent. With 68% of SMEs employing remote or hybrid workers, ensuring secure access for remote employees is increasingly critical. A significant 75% of SMEs are concerned about data loss on personal devices. To protect sensitive information in a hybrid work environment, it is vital to implement security and device management solutions so that employees can work safely from anywhere
How can SMEs approach this
Implement measures to protect data and devices connected to the internet, including the immediate installation of software updates, ensuring that mobile apps are downloaded from legitimate app stores and avoiding sharing credentials via email or text message, doing this only by phone in real time
Next steps with Microsoft Security
- Read thefull reportto learn more about how security continues to play an important role for SMEs
- Get theBe Cybersmart(in English) to help educate everyone in your organization with cybersecurity awareness resources
To learn more about Microsoft's Security solutions, visitthe site. Favorite orsecurity blog(in English) to follow specialized coverage on security issues. Furthermore, follow on LinkedInMicrosoft Segurança) and in X@MSFTSecurityfor the latest news and updates on cybersecurity.v
