What many SME companies don’t realise is that underestimating cyber resilience is what makes them an easy target for attackers. Cybercriminals don’t just seek out large corporations – they often target smaller companies that don’t have robust enough security measures in place. We reached out to representatives from three companies that are responsibly handling cybersecurity and asked them: why do they think businesses still don’t place a high priority on protecting themselves from threats? And what might persuade them to change?
Matej Krempaský, IT Administrator, Security Manager, KÚPELE LÚČKY a. s.
The top management of SME companies are completely unaware of the impact that a fatal failure in cyber security can have. They blindly believe that their company is not at risk or that they will quickly recover from a potential incident. IT is usually not their primary concern, including issues such as cyber threats. Rather, their interest lies in the benefits – how much money can be saved or earned by deploying IT solutions.
The size of the company and the quality of its management play an important role in this. The smaller or less profitable a company is, the less it has to invest in IT security and the more difficult it is to get good people or relevant information. In cases like this, management will usually not be so easily persuaded by anything towards cyber resilience solutions, and will look at the issue mainly from a business perspective.
Milan Ševčík, IT Manager Tauris Group, TAURIS, a. s.
It is important for companies to know the cardinal rule: ‘Cybersecurity Is Business Issue’ – cybersecurity is a business issue. IT and CISOs are often seen as mere cost items (so-called capex and opex eaters) and are only seen as a necessity by management. There is a lack of education that currently both IT and CISO positions are just as crucial to the functioning of the business as the CFO or COO.
Jozef Donoval, Head of IT, ELBA a. s.
Small and medium-sized businesses live in a false sense of security. They believe that if they have a well-configured network and security systems costing hundreds of thousands of euros, they are sufficiently protected. Another problem is understaffing – in smaller companies, there are only one to three IT specialists who, alongside their regular duties, do not actively deal with or monitor cyber security. The reluctance and disinterest of management also plays a role, who often consider these costs unnecessary or believe that their company will not be the target of an attack.
Real attack and data loss, high fines from regulators, deployment of simple and affordable solutions (e.g. secure open-source software, applications and services at an affordable price) or subsidies for cybersecurity could be effective motivators.
