August 7, 2023
Small and medium-sized enterprises (SMEs) are the backbone of the world’s economies, accounting for almost 90% of businesses and over half of all employment, according to the World Bank.1 As many SMEs rapidly digitized in response to the challenges of Covid-19, an unfortunate side effect has been an equally rapid rise in their vulnerability to cybercrime.
SMEs are key targets of cyberattacks since they have limited resources and are unable to invest in robust security systems. Breaches of SMEs grew 152% in 2020 and 2021 compared with the prior two years—a figure twice as big as that of larger companies over the same period.2 Equally challenging is that post-breach remediation is disproportionately more expensive for SMEs relative to their size than for larger businesses.3
A combination of economic importance and vulnerability to cybercrime makes SMEs an important focus for governments. Whether it is through risk identification & quantification, risk management tools, or education, governments can ensure a more resilient ecosystem by strategically investing resources that bolster the security and resilience of SMEs. To that end, governments can play a coordinating role in this ecosystem, where they act as the central node with interconnected lines running between SMEs.
Evolving notions of cybersecurity show how the concept of ecosystem resilience is shifting from a “me versus them” mentality to a collective “us”, establishing a financially efficient herd immunity across governments and businesses. The concept derives from how a sprawling payment network secures the connected members of its ecosystem. Payment networks add value to their participants by managing cybersecurity across the network, an approach that governments should look to replicate for the SMEs driving their economies.
While the perpetrators, including state-sponsored hackers or private criminals, and the aims, such as state-wide disruption or financial gain, may differ based on target, the attack techniques on governments and SMEs are largely the same. The tools already exist for governments to deploy advanced cybersecurity solutions to protect themselves. The next step is to share that protection across SMEs by harnessing the collective security of a payment network, leveraging the technology expertise and ensuing economies of scale.
The impacts of Covid-19 on customer interactions and daily operations drove many SMEs to shift all or most of their business operations online (figure 1):
Figure 1: Percentage of SMEs reporting to have shifted all or most of their businesses online since the onset of Covid-19 (source: Ipsos 2022)4
The shifts were often a question of survival and were not without challenges. Gaps in digital capabilities impeded many SMEs from efficiently serving customers and securing their digital infrastructure. With ramifications going beyond individual SMEs to affect entire economies, government assistance was often provided:
- SMEs in Ireland with up to ten employees and annual revenues of less than €2 million were eligible to receive grants of up to €2,500 to develop e-commerce or online trading platforms to help digitize and expand internationally. More than 2,000 SMEs benefited from the program and reported average increases of 20% in sales and 80% in sales leads. Three in five participating SMEs began to export for the first time, and 35% reported an increase in employment.5 Based on the success of the program, the government conducted a second round of the program in 2022.6
- As part of a $250M commitment to support SMEs through the pandemic, Mastercard launched the Digital Doors program in partnership with the Asian Business Association of San Diego, the New York City Department of Small Business Services’ Black Entrepreneurs NYC (BE NYC) initiative, the New Orleans Business Alliance, and the St Louis Development Corporation.7 Digital Doors provides SMEs with diagnostic tools to help them assess the digital preparedness of specific areas of their operations, such as payments capabilities and cybersecurity.
Government support through these and many other programs was critical to keep SMEs and the economy afloat during the peak of Covid-19’s impact, but there is more work to be done. Governments and SMEs need to continue to work together to secure this new digital infrastructure. Without a joint, coordinated, scaled effort, the impact of increasing cyberattacks may be severe.
The number of cyberattacks per company is increasing globally: 31% year-over-year in 2021, according to one estimate.8 And 69% of respondents to a 2021 global survey of C-level executives noted a significant increase in cyberattacks following digital transformation at their companies.9 The rapid rise in digitization during the pandemic has widened organizations’ points of vulnerability, with SMEs as frequent targets.
Top attacks on SMEs (2022 to mid-2023)
1. Phishing
2. Malware to steal data or gain backdoor access to systems
3. Ransomware to encrypt or exfiltrate data and hold it hostage
4. Credential access attacks via brute force or compromised usernames
5. Supply-chain attacks mainly via third-party software
The top three attacks on SMEs from 2022 to mid-2023 were phishing, malware to steal data or gain backdoor access to systems, and ransomware to encrypt or exfiltrate data and hold it hostage. Perhaps most alarming is the rise in use of ransomware by organized crime groups and by individual “blackhats” who rent usage via ransomware as a service (RaaS). The focus until a few years ago was “big game hunting” (BGH) on the assumption that larger businesses would pay out more. In 2021, governments started noticing the attacks occurring on SMEs as well.10
Around 70% of SMEs responding to a 2022 multi-country survey now expect the impact of a ransomware attack to be significant or worse.11 Among them, 17% suggest it would be difficult to recover from one.
Third-party risk
The impressive speed with which many SMEs shifted online often came at the expense of updating security protocols. Innovative technologies are essential to business success, but most SMEs lack sufficient resources to effectively protect themselves.
The interconnectedness of businesses today also means SMEs need to pay as close attention as large organizations to their third-party providers. In addition to broader concerns for the national economy, governments have a vested interest since their third-party contractors are often SMEs themselves.
Unfortunately, third parties tend to be an afterthought in many cybersecurity policies, and fourth parties and beyond are often ignored entirely. The fifth most common attacks on SMEs between 2022 and mid-2023 were supply-chain attacks that mainly involved third-party software.
Prime target or easy target, a breach affecting seemingly innocuous data can rapidly infect other data and spread into other organizations. Better protected SMEs can help large businesses and the overall economy as well by contributing to a more resilient ecosystem with reduced third-party risk.
1. Risk quantification
Governments must find partners that can help them mitigate the cyber risks in their economies and build ecosystem resilience. This can be done by educating SMEs about the risks involved with increased digitization and how to respond systematically. Instead of inefficient manual approaches, SMEs can stay ahead of perpetrators with ongoing cycles of quantifiable risk identification. The quantifiable self-assessments may be customized internally for specific business needs and contextualized externally based on ever-evolving threats. Government entities can use the outputs to elevate the overall cyber resilience of the broader business ecosystem.
Regional views and sector-by-sector benchmarks can identify high-risk sectors, perform benchmark analyses for potential exposures and risk, and assess individual organizations’ assessment results. Cyber Quant, Mastercard’s online self-assessment platform tailored for SMEs and governments, empowers users to understand their cyber risks as a first step toward greater ecosystem security. It works in combination with Mastercard’s Cyber Insights, which elucidates the who and why, or attribution and motive, of ongoing and future threats.
2. Risk management
Breach & attack simulations, such as those offered by Mastercard Cyber Front, may then follow risk identification with risk detection by copying cyberattacks before perpetrators even have the chance.
The concept isn’t new; wargame simulations have formed part of military strategy for years. But cost-effective cybersecurity versions have been unaffordable for businesses until recently. The simulations then create virtuous loops by providing enhanced data for risk identification that in turn feed the simulations. Further inputs come from automated detection of third-party risks associated with web presence.12 A solution such as Mastercard’s RiskRecon conducts third-party risk management non-invasively to enable proactive engagement with vendors around custom risk remediation.
Bavaria uses Mastercard’s RiskRecon solution as part of a project to assess over 1,000 businesses.13 The project enables businesses to understand potential cyber threats and helps raise awareness around how the Bavarian government can promote cybersecurity for SMEs in Bavaria and in surrounding municipalities.
3. Risk education
A third fundamental component critical to SME resilience is risk education to establish a common understanding and knowledge of the cybersecurity ecosystem. Some of that education may be directed toward the providers of cybersecurity to ensure a consistent approach, but the principal focus is on the SMEs themselves to rally them around a unified approach.
Several global and regional initiatives follow that approach:
- A key tenet of GCA is that “cyber risk requires a global effort.” GCA is a non-profit organization partnered with over 140 organizations that span multiple countries and industries. It builds programs, partnerships and tools to make the connected world safer and more secure for all. GCA’s Cybersecurity Toolkit for Small Business is specifically sponsored by Mastercard and provides free and effective tools and resources for SMEs to take immediate action to reduce their cyber risk, regardless of expertise or budget.
- CRI is a non-profit organization that brings together the expertise of senior executives at global companies, including Mastercard, to develop free resources to improve the cyber readiness of SMEs and to secure global value chains. Its Cyber Readiness Program trains a designated cyber leader within the SME to implement cybersecurity best practices throughout their organization. A follow-up professional credential, the Cyber Leader Certification Program, further trains cyber leaders in how to manage people, process, and technology to create a cyber-ready culture.
- An initiative of Singapore’s Cyber Security Agency to help Singaporean organizations protect themselves, the program includes a Cybersecurity Toolkit for SME Owners, which specifically tackles issues around limited resources and access to cybersecurity knowledge. The associated SG Cyber Safe Partnership Programme links to supporting resources from multiple organizations, including Mastercard.14
- “The Digitisers”, as it translates literally in English, is offered by the French Chamber of Commerce and Industry (CCI) in partnership with several organizations to help SMEs with digital transformation. In January 2022, Mastercard began an 18-month cybersecurity educational program with CCI to offer a series of monthly webinars and provide SMEs with access to Mastercard’s Cyber Quant risk identification tool. The program is part of the French government and Mastercard’s “partnership for the digital economy” that began in 2020.
Curated online resources and tools can also help lay out how organizations can defend their critical assets and reputations. For example, the Mastercard Trust Center offers centralized access to free education and tools, as well as guidance around related services, such as cyber insurance.
Cybercrime is not slowing down in terms of scale or sophistication. Costs from breaches are predicted to exceed $10 trillion worldwide by 2025.15 As institutional bodies, governments need to protect their economies by helping SMEs protect themselves. To drive safety and security across their digital ecosystems, governments and their private sector partners must work together to build a connected and resilient ecosystem with a network approach to security along the lines of a sprawling payments network.
No matter how powerful and tailored the tools, a truly successful approach to cybersecurity is no longer an independent case-by-case proposition. An increasingly connected digital world demands an equally connected collective mindset — a responsibility that runs from governments to small businesses and back again.
To learn more about how Mastercard’s cyber toolkit helps governments and SMEs fulfil their collective cybersecurity responsibilities, please reach out to your Mastercard representative or request a demo.
2 Data from RiskRecon, a Mastercard company.
3 “Cost of a data breach report 2021.” IBM, 2021.
4 “Almost half of small and medium sized businesses globally plan to extend their online reach.” Ipsos, 1 September 2022.
5 “Reimagining support for small businesses: The path to creating stronger and more resilient small business through and beyond Covid-19.” Mastercard & Kearney, 2021.
6 “Minister English encourages retail businesses to enhance their online capability.” Department of Enterprise, Trade and Employment, Government of Ireland, 5 May 2022.
7 “Sweetening the recovery for San Diego’s Asian businesses”, “How DA SPOT NYC pivoted to survive the pandemic”, “Mastercard and the city of St. Louis help small businesses go digital.” Mastercard, 15 August 2022, 9 February 2021, 11 May 2022.
8 “State of cybersecurity resilience 2021: How aligning security and the business creates cyber resilience.” Accenture, 2021.
9 “The Deloitte 2021 future of cyber survey.” Deloitte, August 2021.
10 “2021 trends show increased globalized threat of ransomware.” FBI Department of Justice, Cybersecurity & Infrastructure Security Agency (CISA), Australian Cyber Security Centre (ACSC), National Cyber Security Centre (NCSC), 9 February 2022.
11 “Datto SMB cybersecurity for MSPs report.” Datto, 2023 (Survey markets: US, Canada, UK, Germany, Netherlands, Australia, New Zealand, Singapore).
12 “RiskRecon: Helping you optimize business outcomes and reduce risk.” A Forrester Total Economic Impact (TEI) spotlight commissioned by Mastercard, 2022.
13 The project is being conducted by CIMA, a consulting and marketing agency for the public sector, under the patronage of the Bavarian Ministry of Economic Affairs.
14 “Partnering to protect Singaporean SMEs on the frontlines of cybersecurity.” Mastercard, 11 October 2021.
15 “Cybercrime to cost the world $10.5 trillion annually by 2025.” Cybercrime Magazine, 13 Nov 2020.