James Henderson

Weakened cyber resilience sounds SME security alarm

Widely regarded as economic engine rooms powering fiscal growth, small and medium enterprises (SMEs) are the jewel in the crown of many nations across the world.

Whether in Australia and New Zealand – where SMEs make up approximately 97% of the ecosystems – or in Singapore (99%) or Malaysia (97%), the power of this business group cannot be overstated.

Given such importance, a concerning market trend is emerging from the Tasman to the South China Sea and beyond.

According to World Economic Forum findings, the number of organisations that maintain “minimum viable cyber resilience” is down 30% compared to last year. While enterprise-grade businesses have demonstrated notable gains in cyber resilience, SMEs have shown “significant decline”.

More than twice as many SMEs as enterprises acknowledge a lack of cyber resilience and an inability to meet critical operational requirements. As a result, a growing cyber inequity now exists between organisations that are cyber resilient and those that are not.

The Global Cybersecurity Outlook 2024 report – developed in collaboration with Accenture – outlined that SMEs are being “disproportionately affected” by this disparity.

“As the cyber realm evolves in response to emerging technologies and shifting geopolitical and economic trends, so do the challenges that threaten our digital world,” said Jeremy Jurgens, Managing Director of World Economic Forum.

“We urgently need coordinated action by key public-private stakeholders if we are to collectively address these complex, ever-evolving threats and build a secure digital future for all.”

Notably, the report defined SMEs as the category of smallest organisations, those with annual revenue of less than US$250 million. In the context of Asia Pacific, however, definitions vary by market in terms of revenue and headcount.

For example in Australia – and according to Moxie Research – 57% of mid-market organisations plan to strengthen company cyber defences in the next 12 months, representing a sizeable step-change in approach locally.

Based on a survey of 251 IT decision-makers in Australia – conducted with an end-user audience in January 2024 – findings highlight that in the sub-section of organisations with an employee headcount between 201 and 999, cyber security ranks as a leading priority. It sits behind only artificial intelligence (AI) and machine learning as a top agenda item.

“Cyber resilience is increasingly dependent on a C-suite team that closely collaborates and communicates security priorities across the business and the industry,” added Paolo Dal Cin, Global Lead, Accenture Security.

“This approach provides a clear view of cyber risks and allows security to be embedded from the start in all strategic business priorities as well as across third parties, vendors and suppliers.”

This growing inequity is being fuelled by macroeconomic trends, industry regulation and the early adoption of “paradigm-shifting” technology by some organisations. Perhaps most notable, however, is that the cyber skills and talent shortage continues to widen at an “alarming rate”.

According to World Economic Forum research, only 15% of all organisations are optimistic about cyber skills and education significantly improving in the next two years.

Supporting this trend – and as outlined by Moxie Research – 34% of SMEs in Australia plan to outsource more cyber security work to channel partners – specifically managed security service providers (MSSPs) and specialised consultants – during the next 12 months.

Cyber inequality impacts SMEs

During the past two years, the cyber security economy has grown at an unrelenting pace – twice as fast as the world economy in 2022 and four times faster in 2023.

While this has undoubtedly triggered a surge in investment across the world, “uneven development” within the SME sector remains a cause for global, regional and local concern.

As outlined by the World Economic Forum, the highest-revenue enterprise-grade organisations are 22% more confident than SMEs that their cyber resilience exceeds their operational needs. And yet SMEs are also a “troubling” three times more likely to lack the cyber skills they need to meet their cyber resilience objectives.

“Among small organisations – which are often unable to prevent critical operational disruption from an incident and can incur disproportionate financial loss to recover – only 25% carry cyber insurance,” the report stated.

In comparison, that makes SMEs three times less likely to carry cyber insurance than the largest organisations by revenue, which report a 75% adoption rate. The results are also consistent for organisation size by employee count – the more employees within a company, the higher the adoption rate of cyber insurance.

“As the prices of cyber insurance continue to rise exponentially, the expectation is that this gap will widen in parallel, leaving smaller organisations with even fewer options to reduce their risk,” the report advised.

Source: Global Cybersecurity Outlook 2024 (World Economic Forum and Accenture)

When pressed on the main challenges related to cyber security, organisations cited:

  1. Losing access to important goods / services: 33%
  2. Cyber extortion / ransomware: 27%
  3. Losing my own money or data: 17%
  4. Identity theft: 11%
  5. Monitoring / hacking of personal life: 8%

According to findings, external partners are both the “greatest asset and the biggest hindrance” to the cyber security of any organisation. In fact, 41% of businesses suffered a “material incident” in the past 12 months due to a third-party supplier.

“No country or organisation is spared from cyber crime, yet many are direly under-equipped to effectively face the threats, and we cannot have effective global response mechanisms without closing the capacity gap,” noted Jürgen Stock, Secretary-General of Interpol.

“It is crucial that key stakeholders work collaboratively towards immediate, strategic actions that can help ensure a more secure and resilient global cyber space.”

Closer to home – and in a bid to build ecosystem resilience – the Australian Government recently unveiled an $18 million deal to uplift the ability of SMEs to react and respond to cyber incidents.

Announced in November 2023, the package is designed to assist SMEs in a variety of fundamental cyber resilience practices including education materials, requirements on how to up-skill, cyber maturity assessments and guidance on how to better respond to breach incidents.

Meanwhile, the Singapore Government has also increased efforts to strengthen the cyber security posture of SMEs through the delivery of free toolkits and guides.

This is in addition to the Cyber Security Agency of Singapore (CSA) rolling out a new Chief Information Security Officers-as-a-Service scheme, providing eligible SMEs with up to 70% of funding support when working with dedicated MSSPs.

“However, one critical governance issue, which is also at the heart of trust in the digital ecosystem, still needs to be addressed,” the report cautioned. “There is a glaring imbalance of responsibility for security between technology producers and technology consumers.”

For many years, organisations and individuals have had the primary responsibility for ensuring the hardware and software they use is securely and resiliently implemented, operated and maintained.

“When incidents do happen, the burden of remediating and recovering from it similarly resides with the user, along with the associated financial burden,” the report added.

“This situation is indicative of the technology and cyber security industry’s expansive growth over the past two decades, its relative immaturity compared to more established sectors of consumer goods and the associated growing pains as it matures.”

