Very Small Enterprises or VSEs are companies with fewer than 10 employees and an annual turnover or balance sheet total of less than 2 million euros. Since law n° 2008-776 of 2008, they have also been called microenterprises. They are true accelerators of national development and are constantly growing, representing a significant part of the country’s activity. In 2015, two thirds of French businesses were VSEs, while today the number of VSEs has reached over 3 million. Together with SMEs, these companies represent the majority and account for 99.9% of all French businesses. It is not surprising that they have become the favorite target of cyberattackers, especially since in France these small companies tend to neglect cyber risk. Subcontractors, suppliers, subsidiaries of large groups: all are easy targets and have much to lose. According to the French National Agency for Information Systems Security (ANSSI) and the Association for Enterprise Risk Management and Insurance (AMRAE), it takes an average of 167 days between a cybercriminal intrusion and its detection. This long window gives hackers plenty of time to cause monumental damage. Yet few small businesses are aware of these risks and choose to invest in the cybersecurity of their data and information systems.
Cybersecurity in VSEs and SMEs: some figures
2 out of 5 VSEs have already been the victims of attempted or actual computer attacks. The techniques are often the same: phishing, spyware, ransomware, malware or CEO fraud ("fake president" fraud) to steal confidential data or extort funds. There is no shortage of examples of cyberattacks.
According to the CPME (Confederation of Small and Medium-sized Enterprises) survey on cybersecurity of VSEs and SMEs of January 22, 2019, 41% of companies with 0 to 9 employees and 44% of companies with 9 to 49 employees have already suffered a cyber attack.
The trend is getting worse, as revealed by the Symantec Security Threat report, which shows that attacks on companies with fewer than 250 employees have increased from 18% to 31% in the space of 4 years. The targeted companies then face dire consequences. For example, in February 2019, LVH electronic was paralyzed after a contaminated email was opened. The computers stopped responding and the employees were temporarily laid off for two weeks. The Breton SME eventually managed to recover, but others, less lucky, must face significant financial damage. According to the Medef, 20% of the small businesses concerned have suffered damage in excess of €50,000. For 13% of them, it even exceeds €100,000. In the most serious cases, some companies have to close down. In particular, 71% of small and medium-sized businesses have been forced to close down following a cyber attack.
While cyber attacks can be exclusively virtual, others can also have physical consequences. In 2013, for example, hackers attacked a drinking water plant in Georgia and changed the settings for chlorine and fluoride levels. As a result, the water was rendered unfit for consumption by 400 people.
Although almost all companies now have at least one backup tool, only 17% are insured against computer attacks. Similarly, employee awareness is far from being a priority, with less than half of companies adopting a policy to raise employee awareness of cyber risks. One third have nevertheless appointed an internal contact person in charge of IT security.
New initiatives for SME cybersecurity
But why this neglect on the part of SMEs? In an increasingly digitalized business world, how can you afford to ignore the need to secure your equipment and data?
A first explanation is easy to put forward: the field of cybersecurity may seem difficult to access. Faced with an offer that is not easily understood and is often expensive, companies find themselves at a loss and often prefer to postpone investments that do not seem to be a priority. It should also be borne in mind that these companies are generally not very aware of cyber risk. In addition, there is the preconceived notion that hackers prefer to attack large corporations. However, breaking into the information system of a multinational company requires more expertise and time than breaking into a microenterprise. Sometimes microenterprises are even attacked simply as an indirect route to larger companies.
On this subject, the CPME survey details the negligence of small businesses in the face of the risks of cyberattack. For example, 45% of them do not have anti-spam solutions for their desktops and 58% do not have any on their network. Preventive actions such as regular password changes are also not common practice: 33% of VSEs change their passwords every 6 to 12 months.
Hackers then take advantage of this to infiltrate their systems and demand ransoms in exchange for unlocking access. Microenterprises are then forced to comply, either out of inexperience or necessity, in order to guarantee their survival.
To respond to these issues, new initiatives are emerging. Among them is the “Digital Risk Management” guide written by AMRAE and ANSSI, which aims to help executives and risk managers build a real digital risk management policy within their organization. We are also witnessing the birth of “security coaches” such as the Oppens platform, which allows users to self-diagnose their company’s level of cyber security online.
To limit the risk of cyberattack on their information systems, more and more companies are now turning to advanced threat detection solutions. Gatewatcher is one of the main players in the market with more than 300 probes installed in France and abroad. It publishes the Trackwatch solution, which is capable of analysing network flows in real time to detect and reduce the risks of infection.