SMEs are the backbone of the EU’s economy, yet risks and challenges from cyberspace are often underestimated, and resources are limited.
Within this post, you will learn what challenges SMEs face in the cybersecurity world and how consulting can help clients to overcome these.
Why are SMEs especially vulnerable to cyber threats?
SMEs are companies with less than 250 employees and less than an annual turnover of 50 million €. 99,4% of all registered companies in Germany s, with 56% of all German employees working in this sector.  This shows the importance of SMEs to our economic system. SMEs are often part of the supply chain for big enterprises which exposes them to a risk of supply-chain attacks and production downtimes. The importance of SMEs is neglected in science, media, politics, and offerings for consulting, as big enterprises are usually their focus. These circumstances are also noticed by attackers and can be proven by an increase in the number of attacks against SMEs. In 2021, the BSI classified SMEs as especially vulnerable to successful attacks. 
Digitalization can be pointed out as one of the biggest challenges for companies. Most SMEs have recognized that digitalization can be helpful for their businesses. Covid-19 has accelerated the use of technology as many employees needed to work from home, leading to unplanned and hurried digitalization implementations exposing the companies to high risks.
On top of that, most SMEs have less than 50 employees, so there’s usually no dedicated cybersecurity employee to assess the company’s risk.  SMEs often have a limited budget and few employees, which forces them to focus on their business goals rather than IT-Security as a necessary step toward secure digitalization. Consultants can help to keep the costs of cybersecurity low while delivering their expertise and implementing projects in a specific time and budget frame.
What are the biggest challenges for SMEs regarding cybersecurity from a consulting perspective?
There are three pillars that describe the difficulty for SMEs to adapt cybersecurity measures in their digitalization infrastructure. Those pillars are interconnected to each other and can’t be considered individually.
- Awareness: The risks can’t be assessed correctly due to a lack of dedicated and skilled employees who are responsible for cybersecurity. On top of that, the lack of awareness for cybersecurity in top-management needs to be considered as decisions for or against allocating budget for a specific topic are usually made on this level.
- Costs: While the benefits of measures taken in cybersecurity are often invisible, the costs aren’t. Consulting is usually expensive, as well as implementing tools and training employees to use them correctly. Potential costs and consequences of a successful online attack are hard to calculate, while implementing cybersecurity has a price tag.
- Compliance and Policies: As described in our blogpost on security policies, compliance and policies are mandatory to document and ensure cybersecurity in companies. Those policies are often viewed as a barrier to working efficiently. If policies are overwhelming and are not explained to and accepted by the employees, they will search for workarounds to bypass them. Therefore, implementing standards like ISO-2700x and TISAX must be planned carefully and adapted to the company’s needs instead of simply “trying to pass the audit”.
How consultants master the challenges of cybersecurity successfully with their clients
Before discussing possible solutions, it must be said that 70% of all SMEs are older than 21 years, while only 16% of all managers in SMEs are younger than 40 years, and 38% are older than 50.  This means that most SMEs grew mostly independent of IT and digitalization, and most managers were educated during times when IT security was almost unknown.
To serve SMEs best, consultants must be able to view the companies’ landscape from a manager’s point of view. This can help to prepare and structure the consulting strategy. It also helps to visualize the individual company’s risk. On this basis, consultants then use their expertise in specific cybersecurity topics to propose a tailor-made strategy against possible threats. This skill set is essential for cybersecurity consultants to overcome the challenges mentioned above together with their clients.