The relationship between a big business and partner SME can present ‘a vast opportunity for hackers to infiltrate the larger business’ due to ‘weaker security systems’ at small companies

According to February 2024 data from IT support provider AAG, around a third (32%) of UK businesses reported suffering a cyber attack or breach last year – this rose to 59% for medium-sized companies and 69% for large organisations.

Findings from Hiscox’s annual Cyber Readiness Report, which was most recently published on 10 October 2023, agreed with the attack uptick recorded by AAG. The insurer’s study revealed that cyber attacks on small businesses with fewer than 10 employees rose from 23% to 36% over the last three years.

SMEs, however, are seemingly unaware of the seriousness of the cyber criminal threat.

Separate research from cyber insurer Cowbell – published on 19 March 2024 – found that 32% of the 500 UK SME chief executives it surveyed were confident that a cyber attack would not impact their ability to conduct business.

Additionally, 10% of business leader respondents said they saw no need to enhance their cyber risk posture.

The fact that a number of SMEs appear to be putting their heads in the sand when it comes to understanding and mitigating cyber risks could, in turn, pose a danger to the larger corporates these SMEs partner with, thanks to greater “interconnectedness”.

Claud Bilbao, UK underwriting director at Cowbell, told Insurance Times: “As businesses embrace technological advancements to enhance efficiency and foster growth, they are becoming increasingly interconnected, linking numerous endpoints across their operations.

“But this interconnectedness, while offering unprecedented opportunities, also exposes businesses to significant and elevated cyber risks – with more endpoints come heightened vulnerabilities as each device represents a potential entry point for malicious actors.”

Lack of protection

SMEs, therefore, can pose a cyber security risk for the larger businesses they partner with – especially as Cowbell’s research noted that 77% of UK SMEs do not maintain any in-house cyber security.

Matthew Norris, distribution manager at Beazley, explained that SMEs “often have weaker security systems and they are viewed as soft targets by cyber criminals”.

He added: “Large companies can grant privileged access to SMEs [in order] to provide services, which opens a vast opportunity for hackers to infiltrate the larger business.

“Often, large companies focus on their front door – like a website – rather than the back door, like their vendor access.”

This activity could then lead to a third party cyber attack, Norris added, which is when a cyber criminal targets a vendor, supplier or contractor of an organisation in order to gain sensitive information about the company’s partners or customers.

As an example, Norris referenced a high profile data breach that occurred in 2013, where a third party heating and ventilation contractor for American retailer Target, Fazio Mechanical Services, fell victim to a phishing attack.

Norris continued: “The attackers were granted access to Target’s network through the third party and malware started stealing customer information.

“As an integral part of many supply chains, SMEs with weak security systems can act as a gateway in a hack to larger funds. One weak contractor may have several large clients [that] could be targeted as a result.”

Not black and white

For Richard Hodson, founder of R C Hodson Insurance Services, the potential for SMEs to serve as gateways into larger companies for cyber criminals is not as black and white as the statistics may suggest.

He believes this trend depends on several factors, such as the nature of a business’ services and whether it operates in the business-to-business (B2B) or business-to-consumer (B2C) marketplace.

Hodson noted: “SMEs, like insurance brokers, may not often be the primary gateway into larger companies due to their limited involvement with complex systems.”

Bilbao agreed that the increased complexity of business systems can create potential security gaps that cyber criminals can exploit – for example, the networks, software or hardware provided and maintained by third party IT suppliers.

These suppliers often have privileged access to their clients’ IT infrastructure, including sensitive data and critical systems.

Therefore, when hackers successfully compromise an IT supplier, they can exploit this access to potentially infiltrate multiple larger corporations that rely on the same supplier’s services.

Hodson noted: “SMEs acting as a gateway to larger companies is not black and white, but a nuanced subject.”

Being proactive

For Norris, “the scale of the threat” posed by cyber criminals “is not recognised by many SMEs”. In turn, this affects the penetration of cyber insurance across this demographic and hampers their ability to tap into the preventative measures many insurers offer.

Confirming Norris’ stance, The Cyber Security Breaches Survey 2023, published by the Department for Science, Innovation and Technology in April 2023, found that only 6% of micro businesses and 11% of small businesses had cyber cover.

This report also showed that 29% of micro businesses and 33% of small businesses believed they already had cyber cover as part of a wider policy, despite blanket exclusions now being standard in many commercial policies.

Speaking to Insurance Times back in January 2024, cyber underwriter CFC estimated that the overall penetration for SME businesses buying cyber insurance was only 15% in the UK.

Although these statistics suggest a low uptake of cyber cover among SMEs, Norris explained that “the insurance sector has traditionally played a crucial role in managing cyber risks for SMEs by providing cyber insurance policies that cover the costs associated with cyber incidents”.

He continued: “This role is evolving as cyber attacks become more frequent and cyber crime groups become more specialised and diversified.

“To support SMEs, we find it is much easier for our SME clients to engage with the reality of cyber risk if we not only alert them to issues, but also provide solutions to help them address the risks.

“This is why we are always looking at ways to enhance our services to include proactive measures, such as threat intelligence sharing, risk assessment tools and cyber incident response services.

“These offerings are all designed to mitigate the financial impact of cyber attacks and prevent them by improving SMEs’ cyber resilience.”

Hodson agreed that a proactive cyber policy can be beneficial for SMEs’ risk management, in turn better protecting larger partner businesses.

He added: “Most cyber policies now are generally offering a vulnerability scan straight up. So, you get to see what ports are open. The critical factor will always be the human elements.”

Education

The aforementioned research from Cowbell additionally emphasised the need for better education within SMEs about how to deal with a cyber attack – something cyber-focused insurers and brokers can assist with.

Its findings flagged that 8% of chief executives would engage with the threat actor directly following a cyber breach.

Catherine Aleppo, UK sales director at Cowbell, said: “Business owners must give their staff tools and education [to] ensure they’re continually aware of how to protect devices and digital assets more robustly.

“By making training readily available, we as an industry are making an important first step to encourage businesses to adopt a cyber smart culture – but the research shows there’s still more work to be done.”