Cyber threats, a major new challenge for SMEs
Forced by the Covid crisis to switch massively to remote working, SMEs accepted the situation so as to continue in business. However, most did not adapt the security of their IT systems to these new circumstances. As an inevitable consequence, cyber attacks have multiplied and now target companies of all sizes. Matthieu Douchet and Arnaud Mendelsohn, Managing Partners of Initiative & Finance, warn of the seriousness of the risks facing SMEs and share their experience on the role of private equity in the transition to a re-imagined corporate culture.
SMEs are the very fabric of the economy, representing 99% of French companies*, the vast majority of which have shown resilience over the past two years. 2022 is likely to see an end to the crisis, and some reconfiguration of the issues they face. “Cybersecurity is now a prominent issue, and whereas such attacks used to target large groups and banks, SMEs are now on the front line,” explains Arnaud Mendelsohn. Cyber attacks of all kinds have indeed increased considerably, especially scams and frauds. According to French government figures, almost half of all SMEs have already suffered a cyber attack.
Increased risks with the opening up of IT systems
How can this acceleration, which makes SMEs the new preferred targets, be explained? “Prior to Covid, companies’ IT systems were mainly configured for internal use. With the crisis, an urgent switch to a remote model was needed, which had the virtue of allowing companies to maintain their business activities, but also increased the amount of external traffic passing through insufficiently secure connections, media and applications,” describes Matthieu Douchet. “Every time access to the system is opened and confidential files and documents are transferred, the risks are multiplied.”
Potentially fatal attacks for SMEs
Of the cyber attacks targeting organisations, 80% still take the form of email scams, such as phishing. While these are “low-level” threats, “the number of more sophisticated attacks is increasing, with identity theft such as the CEO scam. These cyber attacks show increased professionalism: working in organised gangs, spending time beforehand learning the corporate culture and environment, as well as greater technical sophistication,” considers Arnaud Mendelsohn.
Another sign of growing sophistication is that ransomware attacks are no longer just targeting large companies, but also SMEs and mid-caps, and can be disastrous. “It is a threat where the risk is often only measured too late, and which can lead to the bankruptcy of an SME by paralysing its business during a crucial phase, around Christmas/New Year for example,” warns Matthieu Douchet. In a sign of the times, business disruption was rightly identified by companies as the number one threat in 2021.
Transforming corporate culture
This threat is therefore a priority as this year begins. And if some of the risk is found inside the company, so too is some of the solution. “The key is corporate culture. By making employees aware of the risks, new, more secure procedures can be put in place to protect against most forms of attack,” reassures Matthieu Douchet. And Arnaud Mendelsohn adds, “Establishing communication protocols, such as running double checks, or doubling up the processes of signing-off and sending orders to banks, protects against identity theft and misappropriation.”
Private equity, a transformation partner
SMEs today find themselves at a crossroads between new ways of working and new threats. Adapting to this situation entails a rethinking of their corporate culture around openness, which lies at the heart of the fight against cyber attacks. Such attacks not only benefit from more open systems, but also from the fact that some of the informal discussions that used to serve to prevent them have become less frequent. “With regard to attacks such as scams or identity theft, we have observed that the risk is reduced or even vanishes whenever employees have the opportunity to discuss them among themselves, and remove the uncertainties on which such threats are based,” reports Matthieu Douchet. The solution therefore also lies here in more openness, but this time in the corporate culture, which must be re-imagined. “This is a very important development, and can only succeed by focusing on three aspects, namely raising the awareness of managers and teams to the threats; setting up verification protocols; and introducing new ways of exchanging and sharing information to encourage physical closeness between employees,” summarises Arnaud Mendelsohn.
Although using external experts to carry out audits or penetration tests to check a system’s resistance is not yet common practice among SMEs, they are expected to gradually accept it as such. “2022 will mark the transition from theoretical awareness to practical action,” the two Associate Directors hope.