
These businesses represent a significant portion of the global economy. Despite their economic importance, many SMEs are not sufficiently prepared for cyber risks. They often underestimate the impacts of a cyberattack.
In France, SMEs with fewer than 250 employees represent 44% of GDP, and globally, they generate 50% of added value.
An explosion of attacks: numbers and typology
In 2024, nearly 350,000 cyberattacks were identified, of which 330,000 targeted SMEs. A study published in October 2024 (1) reveals that nearly half of businesses believe that they are not sufficiently prepared in the event of an attack.
Cascading attacks, email compromise fraud, ransomware, phishing, and DDoS attacks are particularly high-impact.
Expert stories: when cybersecurity is lacking
“Our customers were affected by attacks based on ransomware that paralyzed their business because they no longer had access to their information system. Until this attack, they were not aware that their IS is their work tool,” explains Jean-Félix Chevassu, Security Offerings Director at Adista.
All businesses, regardless of their sector of activity, are affected by cyberattacks. It has been a recurring observation for years: it is the companies that are weak, not the attackers that are strong. These companies don't just lose sensitive data (confidential or personal).
They also lose time and customers or prospects. The theft or leak of intellectual property information can lead to the loss of hundreds of hours of project development, impact growth and damage an organization's reputation.
Complex situations to manage
In a context of very strong competition and digital transformation, the smallest grain of sand can stop a great mechanism. And that grain of sand could be a virus or a malicious act. A data leak (or loss), an inability to use your computer and to access your files (following a ransomware attack) can lead to a loss of turnover.
SMEs are facing a tsunami of attacks. As proof, Dattak processed an average of three per week. For Charlotte Couallier, the cascading attacks were particularly damaging. “In February 2024, two third-party payment providers suffered a cyberattack that also affected two mutual insurance companies that used these services. We had to manage the crisis, notify their customers, but also pay the operational and legal costs that this entailed,” explains the CEO of Dattak.
“When I was a project manager at Altran, we were victims of a cyberattack. I can imagine the reaction of a business manager who realizes that his teams can no longer work. The situation was very complex to manage, as the company was in contact with numerous partners. The awareness of CEOs must be commensurate with the impacts and that is unfortunately not the case,” notes Marcel Barelli, CIO/CIO of Foodex Group.
For his part, Sébastien Brunin, CIO/CISO at Absys Cyborg, notes that some sectors, such as Tech, are better prepared than others, such as health, lawyers and accountants.
Charlotte Couallier, CEO of Dattak, a proactive insurance company against cyberattacks, is seeing an increase in cascading attacks and email address compromise fraud. She cites the example of an SME infiltrated by a hacker who hijacked bank transfers for two months.
Risky dependence on IT providers
SMEs tend to rely on their IT providers for cybersecurity, but this can be risky. A Breton SME recently had its IT service provider convicted for negligence after a ransomware attack.
Cybersecurity experts point out that SMEs need to see cybersecurity as a priority rather than just a cost. Charlotte Couallier compares cyber risk to that of a fire, noting that businesses insure against fires, but not against cyberattacks.
Jean-Félix Chevassu uses an analogy with car security systems, which represent about 25% of the cost of a vehicle, to emphasize the importance of protecting your business.
Best practices for building resilience
To better protect themselves, SMEs should strengthen their backups, install security software, educate their employees and insure themselves. Outsourcing cybersecurity, as is commonly done for accounting or payroll management, is also recommended.
Training courses and MOOCs, such as those from ANSSI, exist to raise awareness among business leaders. “But cybersecurity communication is very technical. If you take a person on the street who does not work in this field, they will have difficulty projecting the impacts. However, as this problem affects everyone, it would be wise to launch campaigns for the general public, as is the case for road safety,” underlines Yasmine DOUADI, Founder and CEO of Riskintel Media and Risk Summit.
New threats and regulatory framework
The increasing use of artificial intelligence by cybercriminals is further complicating the situation. According to Acronis, over 90% of organizations were victims of AI-powered phishing attacks in 2023. Regulations like NIS2 will have a direct or indirect impact on all businesses and their service providers. “NIS2 will be beneficial for SMEs, because this directive provides a framework based on rules that already exist, such as those of digital hygiene and ISO 27001,” says Jean-Félix Chevassu. The entire supply chain is concerned.
In conclusion, SMEs must become aware of cyber risks and invest in appropriate protection measures. Cybersecurity should no longer be seen as a cost, but as a necessity to ensure the continuity and sustainability of their business.
(1) Study conducted by Cybermalveillance.gouv.fr, Club EBIOS, the national CPME, the Mouvement des Entreprises de France and U2P.
This article is based on our programs, which you can watch on our YouTube channel.
