--- description: In this second installment of our two-part series, we will look at the importance of an incident response plan for cyber security threats. image: https://gdm-localsites-assets-gfprod.imgix.net/images/software_advice/og_logo-55146305bbe7b450bea05c18e9be9c9a.png title: Cyber security at SMEs 2: How to prepare for cyber security threats --- # Cyber security at SMEs part 2: Beyond the technical defences Canonical: https://www.softwareadvice.co.uk/blog/2524/cyber-security-threats-smes Published on 08/02/2022 | Written by Sukanya Awasthi. ![Cyber security at SMEs part 2: Beyond the technical defences](https://images.ctfassets.net/63bmaubptoky/p9gaSZ9gMsRClh5zXhI3c1xvyaIpRJjzvYvuGZWfX7Y/d496d98e93f104f8c792929e72c08f34/Cybersecurity-Concerns2-UK-SA-header.png) > Cyber security threats remain a pressing issue for leaders in small to medium enterprises (SMEs). But for those that are not technical experts, it can be difficult to know the steps to take to protect their business, data, and people. ----- ## Article Content Cyber security threats remain a pressing issue for leaders in small to medium enterprises (SMEs). But for those that are not technical experts, it can be difficult to know the steps to take to protect their business, data, and people.In this articleWhy have a cyber security programme?Less than one-third of SMEs have a cyber incident response planTwo-thirds of SMEs audit their security at least annuallyEmployee knowledge is key for identifying cyber security threatsThe road to a more secure SMEIn summaryIn this two-part series, we explore the results of a survey conducted by Software Advice of 500 managers at UK SMEs. In part one, we looked at the cyber threats SMEs face, their vulnerabilities, and some of the cyber security software that can help to keep them safe. In this article, we go beyond the technology to look at how processes and people complete the picture.For a full methodology of our survey, scroll down to the bottom of this article.Why have a cyber security programme?From our survey, it is clear that SMEs recognise the need for protection against threats. The most common type of sensitive information that respondents are keen to protect is customer data, including names, contact information, and credit card data. Businesses are subject to strict regulation about the protection of this information, including the European General Data Protection Regulation (GDPR) for personal information and the Payment Card Industry Data Security Standard (PCI-DSS) for card payments, so it is not surprising that they are on top of this issue. But the responses also indicate the broad range of sensitive data that SMEs want to protect.Because cyber threats are a digital problem, it makes sense to think of solutions purely in digital terms: what software do I need to buy to make sure my computer’s stay safe? However, this is only part of the answer.Technology covers the hardware and software defences an organisation has. To this, we can add people —ensuring staff have the skills and awareness to avoid threats— and processes —ensuring that procedures are in place to mitigate, handle, and recover from threats as quickly as possible.Working together, these three elements will improve the security posture of any business, whether large, medium, or small. And the good news is that improving the process and people aspects can be less expensive than purchasing the necessary technology.60% of SMEs we surveyed said they had a comprehensive cyber security programme in place (defined as ‘a roadmap for security management practices helping create a defence against cyber threats.’) Outsourcing this was common, with 18% choosing to bring in a third party, but nearly one-third (32%) said they have no programme in place.Less than one-third of SMEs have a cyber incident response planDefence is only one part of a good cyber security programme. Knowing what to do when a data breach happens will minimise the impact and reduce the time it takes to get back to business as usual.One in five (21%) of the SME managers responding to our survey said their company has fallen victim to a cyber security attack or data breach in the past 2 years. The most common type of attack for these companies was phishing, affecting 57%. Malware affected a similar proportion (54%), with ransomware attacks some way behind at 19%.Did you know? A cyber incident response plan is defined as a plan “formulated by an enterprise to respond to potentially catastrophic computer-related incidents, such as viruses or hacker attacks.” According to Gartner, the plan should help you determine the source of the incident and set out steps to contain the threat and isolate your business from the source of the danger.Despite the prevalence of attacks, few of the SMEs we spoke to have a formal incident response plan in place. Half (50%) say they have no such procedure, while nearly one in five SME managers (18%) said they don’t know if their company has an incident response plan for cyber attacks.This general lack of formal procedures and uncertainty about how to respond to attacks may go some way to explaining the impact of cyber attacks within SMEs. Of the small and medium-sized enterprises that experienced an attack in the last two years, the most widely reported outcome was increased stress and anxiety for employees (40%). Many also reported disruption to daily operations (38%) and a loss of customer trust (32%).Two-thirds of SMEs audit their security at least annuallyThe nature of cyber threats changes all the time. Criminals work to exploit new-found vulnerabilities in software and constantly change tactics to keep their success rates up. What might have been sufficient to protect a business 12 months ago is probably no longer sufficient, so organisations should regularly audit their security posture and stay on top of industry news. As an example, in December 2021, researchers discovered the Log4j vulnerability, which affected millions of computers and had IT teams working overtime to fix it. Of the SMEs we surveyed, around two-thirds (64%) carry out security audits at least once a year, with one-third (35%) doing so once a quarter or more. However, nearly one in four (24%) said they have never had a security audit.Employee knowledge is key for identifying cyber security threatsThe ‘people’ element of cyber security cannot be underestimated. Take phishing attacks, for example. Experts agree that training people to spot these attacks (which our survey revealed was the most successful type of attack among SMEs) is vital: the NCSC lists it as the second step in preventing phishing, for example.Phishing attacks work when people get tricked into clicking malicious links or downloading malicious attachments. It is difficult for software alone to spot and block all of these attacks, so educating employees on the warning signs of phishing attempts adds an extra layer of security. Despite this, less than half of the managers responding to our survey (44%) say that their employees have had cyber security training in the last two years. Did you know? SMEs can use training software to educate employees about cyber security or any other topic.Moreover, more than one-third of SME managers (35%) said they don’t know how to report an attack at their company. Reporting cyber attacks —whether successful or not— is vital to improve both company-internal security and may be a legal requirement, depending on the type of data lost.The road to a more secure SMEWhen asked what they perceived as the greatest barrier to protecting their SME against cyber threats, 38% of managers said budget, 33% said lack of skilled IT personnel, and 27% said low security awareness among employees.It is true that software can represent a significant ongoing investment, especially for small businesses with limited cash flow. That said, improving the people and processes around cyber security is just as important as the software SMEs use, and managers clearly recognise this challenge. Fortunately, internal education and developing processes are usually less costly than buying software, although hiring skilled cyber experts is not. There is a significant skills gap in this area nationally —a government infographic from Mach 2021 shows that 50% of UK businesses have a gap in basic cyber skills, for example.In summaryIt seems that the COVID-19 pandemic, with its accompanying rise in cyber attack volume, has changed how SMEs think about cyber threats. 62% of SME managers in our survey said they have seen an increase in attacks in the last two years, but many firms are updating their technology, training, and strategy to handle this increase. Here are the key takeaways from the study:60% of SMEs in our survey have a security programme —a roadmap of security management practices.Less than one-third of SMEs have a cyber incident response plan.The most commonly reported consequence of a cyber attack is stress and anxiety for the affected employees.Two-thirds of SMEs conduct security audits at least once a year.Employee security training occurred in less than half of SMEs in the last two years.Budget is the biggest barrier to better cyber security for SMEs.Want to know more? Check out our  catalogue of cyber security software. ## Disclaimer > Methodology:To collect the data for this report, we conducted an online survey on cyber security from November 2021 to December 2021.  Of the total respondents, we were able to identify 500 UK respondents that fit within our criteria:UK resident.Over 18 years of age.Business owner or decision-maker for a UK SME (a company with 250 employees or less). ## About the author ### Sukanya Awasthi Sukanya is a Content Analyst for the UK and India market. Committed to offering insights on technology, emerging trends and software suggestions to SMEs. Café hopper and a dog mom. ## Related Categories - [IT Asset Management Software](https://www.softwareadvice.co.uk/directory/1888/it-asset-management/software) - [IT Ticketing Systems Software](https://www.softwareadvice.co.uk/directory/1630/it-ticketing/software) ## Related Articles - [4 in 5 UK consumers use a loyalty programme](https://www.softwareadvice.co.uk/blog/3272/how-many-customers-use-loyalty-programs) - [39% of UK consumers think around half the reviews on seller sites are fake](https://www.softwareadvice.co.uk/blog/2701/uk-consumers-believe-around-half-online-reviews-are-fake) - [Q-commerce: Are UK online consumers opting for fast-delivery services?](https://www.softwareadvice.co.uk/blog/3683/quick-commerce-usage-uk) - [How to create an effective customer engagement strategy](https://www.softwareadvice.co.uk/blog/2623/how-to-create-an-effective-customer-engagement-strategy) - [AR and VR are now used by 40% of SMEs for training](https://www.softwareadvice.co.uk/blog/2236/ar-in-training-now-used-by-40) ## Links - [View on SoftwareAdvice](https://www.softwareadvice.co.uk/blog/2524/cyber-security-threats-smes) - [Blog](https://www.softwareadvice.co.uk/blog) - [Home](https://www.softwareadvice.co.uk/) ----- ## Structured Data