57% of small and medium-sized enterprises believe they would go out of business from a serious cyber attack, according to a new report by ENISA (the EU’s agency for cybersecurity). The report included a survey of SMEs in the EU, and highlighted that phishing attacks are the most common cyber incident for SMEs. Indeed, 36% of SMEs had experienced such an incident in the last five years.
These findings are of wider concern, as SMEs comprise 99% of all businesses across the EU, and often form part of IT supply chains for much larger organisations. The report notes that, as well as offering an attractive reward-to-effort ratio, SMEs are often targeted as they provide services to larger organisations, which “can enable criminals [to] attack those larger organizations through their supply chain.”
Recognising similar issues, the UK government published advice for SMEs on their cyber security in April 2021, with various free online tools and resources aimed at helping small businesses, including a section on phishing.
The survey also found that:
- fewer than 30% of SMEs had a business continuity and disaster recovery plan. ENISA adds that certain SMEs may “lack the capabilities they need to address cyber threats correctly”. Both of these factors will clearly be something for potential customers to consider in any proposed sourcing of IT services to such entities (as well as for the SME itself); and
- plans are unlikely to match the reality of an actual incident (or as Mike Tyson might say, “Everybody has a plan until they get punched in the mouth”). ENISA therefore notes the need for plans to contain clear language and simple actions, with guidance tailored to the organisation itself. This latter point in particular is equally relevant to much larger organisations.
Many of the report’s recommendations are familiar to some extent, emphasising the need for proactive prevention measures and for effective planning and preparation in case an attack does happen. However, it does provide a simple 12-step guide which SMEs can use to help improve their cyber preparedness and which larger organisations can encourage their supply chain to consider.