SMEs: The Ransomware Road Less Travelled (But Highly Exploited!)

News and information from the Advent IM team.

Small and Medium Enterprises (SMEs) often think they’re the little fish in a big pond. With cybercriminals focusing on larger enterprises, why would anyone bother with them, right? Wrong. In fact, many SMEs are prime targets for ransomware attacks, and their supply chains might be the real prize. So, if you’re running a small business and think, “we’re too small to be hacked,” it’s time to wake up, smell the cyber-coffee, and rethink your strategy. Let’s dive into why SMEs are often easy prey, and more importantly, how they can flip the script and make themselves attractive (in a good way!) to customers and partners by demonstrating a commitment to security.

Why SMEs Are Ransomware’s Favourite Snack

It’s tempting for an SME to think, “We’re small potatoes. Cybercriminals wouldn’t waste time on us.” But that’s exactly the kind of thinking hackers love! SMEs often lack the robust cybersecurity infrastructure that larger organisations have in place, making them a much easier target for ransomware attacks.

How bad is it? According to the 2023 Hiscox Cyber Readiness Report, 48% of small businesses experienced a cyberattack in the last year, with 23% of these attacks involving ransomware. Furthermore, SMEs are often seen as “easy pickings” because they typically don’t have the resources to invest in the sophisticated protections that larger corporations employ. As a result, 43% of cyberattacks are directed at SMEs, despite their smaller size.

Cybercriminals know that SMEs are typically more vulnerable, less likely to have dedicated security teams, and may not be as prepared to respond to an attack. Even better (for the hackers, that is), SMEs are often part of larger supply chains, which means that compromising them can provide a gateway to bigger, juicier targets.

Think of it like this: if hackers want to break into a secure building (a larger corporation), they’re not going to smash through the front door (where the big security guards and alarms are). Instead, they’ll sneak in through a smaller, unguarded back door (hello, SME!) that’s connected to the building. Once inside, the damage can be catastrophic.

The Supply Chain: The Real Prize

When an SME is hit by ransomware, it’s not always about the SME itself. Often, the true goal is to gain access to their larger, more lucrative partners. If your SME supplies services or products to a big company, hackers may see you as the weak link that can give them entry into a much larger ecosystem.

According to research from Accenture, 60% of cyberattacks happen through the supply chain, and SMEs, being the weakest link in the chain, are prime targets. A hacker might compromise your business as a way to infiltrate a larger enterprise through shared access points, third-party software, or even vendor communication systems.

Supply chains are interconnected, and vulnerabilities in one link can expose the entire chain to attack. A single ransomware attack on a small business can disrupt operations, cause financial loss, and erode trust. Worse yet, your customers and partners may be forced to reconsider whether they want to keep working with you if they see you as a risk.

Why SMEs Don’t See Themselves as Targets

It’s a classic case of mistaken identity: SMEs often believe their size makes them unattractive to cybercriminals. They think that hackers are too busy chasing Fortune 500 companies to bother with their corner-shop-sized business. In reality, hackers see SMEs as easy entry points. According to Verizon’s 2023 Data Breach Investigations Report, 28% of data breaches involved small businesses, largely because many SMEs operate under the illusion that cyberattacks are only for the “big boys.”

This false sense of security means they might not invest in adequate defences, and when they do get hit, it’s a costly wake-up call. The average cost of a ransomware attack for SMEs is £125,000 in recovery costs, lost productivity, and reputational damage, according to the UK’s Cyber Security Breaches Survey 2023.

The Importance of Supply Chain Resilience

So, what’s an SME to do? For starters, it’s time to take a long, hard look at your supply chain. If you’re part of a supply chain that involves larger companies, your security is not just your problem; it’s their problem too. And they know it.

The big companies you work with will want to ensure that every link in their supply chain is resilient, so if you can demonstrate that your business takes security seriously, you’ll not only protect yourself, but you’ll also make yourself a much more attractive partner. This is where supply chain resilience comes into play.

Supply chain resilience means that your business is capable of withstanding and recovering from cyberattacks. It involves implementing proper cybersecurity measures, regularly auditing your security practices, and ensuring that you’re meeting the expectations of your partners. The more resilient your business is, the less likely you are to be the weakest link that lets cybercriminals into the larger ecosystem.

How SMEs Can Up Their Cybersecurity Game (and Become an Attractive Supplier!)

Here’s the good news: even if you’re small, you can still pack a punch when it comes to cybersecurity. And when you do, you become a far more appealing supplier to larger businesses that are looking to work with companies that have their act together. Here’s how to get started:

  1. Conduct Regular Security Audits: Regular audits will help you identify vulnerabilities before the bad guys do. You don’t need a full-blown IT department to do this—there are plenty of affordable third-party services that can help you assess your security posture.
  2. Implement Multi-Factor Authentication (MFA): This simple step can make a huge difference in keeping your systems secure. According to Microsoft, MFA can block 99.9% of account compromise attacks, making it one of the most effective security measures.
  3. Train Your Staff: Often, the weakest link in any cybersecurity system isn’t the technology—it’s the people. Phishing attacks are one of the most common ways that hackers gain access to a system. By training your staff to recognise suspicious emails and avoid common traps, you can significantly reduce your risk.
  4. Backup, Backup, Backup: Ransomware attacks are designed to lock you out of your data until you pay up. If you have regular backups stored in a secure location, you’ll be able to restore your data without having to pay the ransom.
  5. Show Off Your Security: If you’ve invested in cybersecurity, don’t keep it a secret! Demonstrate your commitment to security to your partners and customers. According to IBM’s 2023 Cost of a Data Breach Report, businesses that are transparent and proactive about their security practices are far more likely to maintain customer trust.

Final Thoughts: Don’t Be the Low-Hanging Fruit

SMEs are no longer flying under the radar when it comes to cyberattacks. Ransomware doesn’t care how big you are—it cares how easy you are to attack. By recognising that your size does not grant you immunity and taking steps to improve your cybersecurity, you’ll not only protect your business, but you’ll also strengthen your position in the supply chain.

So, if you want to stay off the ransomware hit list, it’s time to toughen up, lock the back door, and show your customers that you mean business when it comes to security. After all, in the world of supply chains, no one wants to be the weakest link!

 
