21 May 2021
Developing SME Resilience in Europe
On the evening of 5 May during its 2021 Spring General Meeting, CyberSec4Europe hosted an online panel discussion entitled, Developing SME Cybersecurity Resilience in Europe.
Following an introduction from Mark Weinmeister, Secretary of State for European Affairs of the State of Hessen, and Kai Rannenberg, Goethe University Frankfurt and co-ordinator of CyberSec4Europe, moderator David Goodman from Trust in Digital Life introduced the panellists:
- Martin Übelhör, Head of Cybersecurity Industry and Innovation, DG CONNECT, European Commission
- Annika Linck, Senior EU Policy Manager, European DIGITAL SME Alliance
- Nicholas Ferguson, Trust-IT Services, Partner, CYBERWISER.EU; Project Coordinator, cyberwatching.eu
- José Francisco Ruiz, Atos Spain, Technical Coordinator, Cyber-GEIGER
The goal of the evening’s discussion was to explore issues relating to developing SMEs’ awareness of cybersecurity in order to improve resilience and responses to cyber attacks, which will be an important aspect of the work of the new European Cybersecurity Competence Centre in Bucharest.
SMEs account for the majority of businesses worldwide and are important contributors to job creation, innovation, and global economic development. SMEs represent about 90% of businesses and more than 50% of employment worldwide. Similarly, in the European Union, 99% of enterprises are SMEs, which provide two-thirds of private sector employment. In 2018, there were over 25 million SMEs in the European Union, employing 100 million people, of which 93% were micro-SMEs, defined as having 10 or fewer employees.
Given the size and limited resources of most SMEs, it’s not surprising that SMEs are as susceptible as, but more vulnerable than, larger enterprises to cyber attacks. However, without effective training and support, many SMEs are not sufficiently protected or able to recover from the impact of such attacks with, in many cases, dire consequences. All SMEs are busy building their businesses: what time or resources do they have to worry about cybersecurity?
Martin Übelhör introduced the topic with insights into the Commission’s plans to help SMEs with cybersecurity, quoting from an ENISA study from the end of 2020 on 250 SMEs in 25 Member States, and went on to discuss the Commission’s plans for SMEs.
Annika Linck noted that the European DIGITAL SME Alliance is a network of over 20,000 SMEs, comprising a variety of companies most of which, roughly 90%, are in the ICT sector. In 2019 they carried out a study looking at the hurdles inside organisations to the adoption of cybersecurity solutions. It was apparent that cybersecurity is perceived as a cost rather than something that brings immediate benefits.
Nick Ferguson was on the panel representing cyberwatching.eu and Cyberwiser.eu, both of which have developed strategies for SMEs, and understands well how hard the challenge of actually reaching SMEs is. It is understandably very difficult to get SMEs interested in cybersecurity: sending an employee to get training on a topic which is seen as an extra is challenging.
José Francisco Ruiz participated as technical coordinator of the GEIGER project which evolved from an earlier three-year project, SMESEC. Both projects aimed at working with SMEs on cybersecurity: whereas SMESEC was oriented to technical aspects, GEIGER is focussed on both technical and awareness raising pillars. One without the other cannot be understood. It’s impossible to make an SME understand cybersecurity unless they understand why it is important. They see cybersecurity as something that consumes time, effort, people, resources, everything and it doesn’t bring immediate benefits today. One very important aspect is to make SMEs understand how cybersecurity is beneficial for them.
It was clear that all the panellists were in agreement about the nature and vastness of the problem and how fragmented it is by language, digital maturity and wealth, added to which is the difficulty of reaching out, particularly to micro-SMEs, and getting them interested enough to see the benefits of a cybersecurity program. Working through intermediaries was touched upon several times and made a lot of sense, as did the different roles at the supranational, national and regional levels. Without doubt there is a lot of work to be done. The cybersecurity community has a responsibility to create the momentum to get the right messages out to SMEs and also to the general public, which is equally important. It happens already in the offline world, but as we get more immersed in the digital world it’s small businesses and citizens who need to be made aware of the dangers and the malevolent actors that exist.
Finally, we all look forward to meeting again, hopefully in person, when we can continue the discussion in an informal and convivial atmosphere.
David Goodman, Trust In Digital Life
Selected CyberSec4Europe references:
- D9.6 SME cybersecurity awareness program 1
- D9.11 SME cybersecurity awareness program 2
- D9.12 Supply chain recommendations 1
- D9.13 Awareness effectiveness study 1
All on https://cybersec4europe.eu/publications/deliverables/