A 2017 survey by Netwrix identified small and medium-sized enterprises as a significantly high-risk group when it comes to IT security. It found that SMEs are generally characterised by an insufficient presence of dedicated IT personnel and a lack of visibility into what is happening in the broader world of IT and data security. The report is indicative of a typical vulnerability for those that fall into the SME category – many organisations of this type don’t have the big security budgets of larger enterprises but are still vulnerable due to the data that they hold. So, where do the biggest risks for SMEs currently lie?
Employees vs. hackers
The Netwrix survey identified that human errors accounted for around 40% of security incidents for SMEs. That might come as a surprise to many who assume that it’s only hackers that a business has to be prepared to deal with. In fact, given how many of them there are, employees present a far bigger security risk than hackers do, even though there may be no malicious intent. When it comes to downtime, SMEs found that 21% was the result of malicious activity but roughly the same proportion resulted from accidental or incorrect user activity.
A lack of preparation
Just 26% of SMEs feel that they are well prepared when it comes to countering the cyber risks they face today. Roughly a third put this down to a lack of staff training, something that is clearly a key part of security given the IT risks presented by employees in the business. 59% of SMEs were unprepared due to a lack of sufficient budget to help put protections in place. And 56% felt that this was due to a lack of time.
Exposure via BYOD
In any business there are some areas that are in need of greater resource investment than others. SMEs responding to the Netwrix survey felt that Bring Your Own Device to Work (BYOD) created the most vulnerability. As we increasingly invest in flexible working and hot desking as opportunities to make a business more agile, we also open up business systems to a much broader range of risks, making investment in network protection a necessary expense.
Visibility into user activity
Being able to obtain visibility where user activity is concerned is a key part of handling IT risks. 49% of SMEs felt that this was most needed with respect to on-premises systems. A number of reasons were identified for this, including helping to identify and handle human errors, investigating security problems and ensuring network and asset security.
A broader picture
There are a number of key parallels between SMEs and other businesses and organisations across industries. For example, larger enterprises also suffered a similar volume of security incidents from both malware and human error. Two thirds or more of enterprises – large or small – don’t have a separate IT security function and a similar number of businesses across sectors, from government and finance, to healthcare and education, aren’t using software for information security, governance or risk management. So, it’s not just SMEs that are in need of a review of current IT risks – other types of enterprises are too.
If you are concerned about the IT risks to your business we can help – contact the help4IT team to find out how we can enable you to reduce your vulnerabilities and be better prepared.