Cybersecurity, reporting and SMEs


With technology woven through core operations, cybersecurity is no longer a concern for the IT department alone. Contrary to a widespread belief, cyberattacks affect organisations of all sizes. SMEs, often perceived as the weakest links in value chains because of their limited resources, are not immune: cybercriminals target them with phishing, malware and web-based attacks, and then use the SME's trusted connections with larger organisations in its supply chain as a route into those organisations.

The lack of cybersecurity resources and skills, coupled with the rise in cyberattacks, poses a severe threat to SMEs' competitiveness and to the integrity of their value chains. In a study by the European Union Agency for Cybersecurity (ENISA), 90% of surveyed SMEs said a cybersecurity incident would have a serious negative impact on their business, and 57% said they would most likely go bankrupt or out of business within a week of such an incident.

Cybercrime is a growing risk

According to a recent study, the global cost of cybercrime is projected to reach $23.84 trillion by 2027, almost tripling from $8.44 trillion in 2022.

The World Economic Forum (WEF) Global Risks Report 2024, based on a survey of 1,490 experts and a further survey of over 11,000 business leaders, shows how concern about cybersecurity is growing. Cyber insecurity has risen four places in the short-term top 10 and now ranks as the fourth most severe global risk over the next two years.

The same report ranks misinformation and disinformation, increasingly AI-generated, as the highest near-term risk, and generative AI is already being used to produce convincing phishing campaigns aimed at less well-defended individuals and infrastructures. More often than not, that means SMEs.

Regulatory approaches

In response to these escalating threats, governments worldwide are implementing stringent measures to compel companies to manage cyber risk effectively.

In the EU, the Accounting Directive requires companies to describe the principal risks and uncertainties they face in their management report. Furthermore, by 17 October 2024 Member States must have enacted the measures needed to comply with the NIS 2 Directive, which raises cybersecurity standards across the EU.

They must ensure that essential and important entities implement appropriate technical, operational and organisational measures to manage the risks to their network and information systems, using an all-hazards approach to minimise the impact of incidents on their own services and on the services of others.

The UK Government is enacting cybersecurity reforms that include expanding the NIS Regulations to cover more organisations and incidents, introducing a 'cyber duty to protect' for online personal accounts, and requiring large organisations to include a 'resilience statement' in their annual reports detailing their threat management strategies.

Meanwhile, in the US, the Securities and Exchange Commission (SEC) has adopted rules requiring listed companies to disclose a material cybersecurity incident on Form 8-K within four business days of determining that the incident is material. Listed companies must also describe their cybersecurity risk management, strategy and governance in their annual report (Form 10-K), emphasising the significance of proactive risk mitigation.

Proactive best practices for protecting your data and your clients'

Although SMEs often face budget constraints, cybersecurity remains a necessity. A proactive, informed approach helps achieve regulatory compliance and builds trust with clients and stakeholders, securing an organisation's long-term resilience.

Cybersecurity doesn't have to be expensive: affordable measures such as assigning clear responsibilities, raising staff awareness and deploying simple technical controls can substantially improve security. Addressing the fundamentals of people, processes and technology can significantly improve SME cybersecurity without substantial cost.

ENISA has published a Cybersecurity guide for SMEs that includes the following 12 high-level steps SMEs can take to enhance their cybersecurity defences and ensure the protection of their systems, data, and business operations:

1. Cultivate a strong cybersecurity culture

Establishing a robust cybersecurity culture is crucial. Assign specific management responsibility and ensure leadership support. Engage employees through regular communication and conduct cybersecurity audits to identify vulnerabilities.

2. Provide continuous training

Provide continuous training covering phishing awareness and data handling. Well-informed employees are a critical defence against cyber threats.

3. Manage third-party risks

Manage third-party risks by setting security requirements for suppliers and service providers and writing them into contracts. Regularly review and update agreements, and check that suppliers actually meet the security requirements agreed rather than assuming they do.

4. Develop an incident response plan

Develop an incident response plan with clear guidelines, and implement monitoring tools to detect suspicious activity and respond promptly to potential breaches.

5. Implement access controls

Enforce access controls on the principle of least privilege, so that each account has only the access its role requires, and remove access promptly when people leave or change role. Use multi-factor authentication, above all for remote access, e-mail and administrator accounts, so that a stolen or phished password alone is not enough to get in.

6. Secure your devices

Keep operating systems and applications patched and run anti-malware software on every device. Encrypt the storage of laptops, phones and removable media so that a lost or stolen device does not become a data breach, and use mobile device management to enforce these settings on mobile devices.

7. Fortify your network

Protect networks with properly configured firewalls and review remote access solutions to make sure they are secure. Use virtual private networks to encrypt traffic between remote workers and the office network, and require authentication (ideally multi-factor) on every remote access path, so that the VPN itself does not become an unauthenticated way in.

8. Enhance physical security

Enhance physical security measures to control access to premises and secure sensitive areas. Implement surveillance and access control systems to detect unauthorised physical access.

9. Regularly backup data

Back up critical data regularly and store the backups securely, with at least one copy offline or otherwise out of reach of anyone who has compromised the live network, so that ransomware cannot encrypt the backups along with the originals. Test restoration regularly: a backup that has never been restored is only a hope, and the test is the only way to know how quickly operations can resume after a cyberattack or data loss incident.
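Testing restoration is the part of step 9 most often skipped, so here is what such a test can look like in code. This is an added example, not something from the ENISA guide: the backup format (a tar.gz archive with a JSON manifest of SHA-256 hashes stored beside it), the directory layout and the sample files are all constructed for the illustration. It restores the archive into a scratch directory and checks every file against the manifest, reporting files that are missing, corrupt or unexpected, and treating an archive that cannot be read at all as a failed test:

```python
"""Added example: a backup-restore test that proves an archive restores byte-for-byte.
Not from the ENISA guide; archive layout and sample files are constructed here."""
import hashlib
import json
import tarfile
import tempfile
import zlib
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Relative POSIX path -> SHA-256 for every regular file under root."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def create_backup(source: Path, archive: Path) -> dict:
    """Archive `source` under data/ in a .tar.gz and write the manifest beside it."""
    manifest = build_manifest(source)
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(source, arcname="data")
    Path(f"{archive}.manifest.json").write_text(json.dumps(manifest, indent=2, sort_keys=True))
    return manifest


def restore_and_verify(archive: Path, manifest: dict) -> dict:
    """Restore into a throwaway directory and diff the result against the manifest.

    A healthy backup yields unreadable == False and three empty lists.
    """
    report = {"unreadable": False, "missing": [], "corrupt": [], "unexpected": []}
    with tempfile.TemporaryDirectory() as tmp:
        dest = Path(tmp)
        try:
            with tarfile.open(archive, "r:gz") as tar:
                # The 'data' filter (3.12+, backported to 3.8-3.11 security releases)
                # rejects absolute paths, '..' traversal and dangerous links in the archive.
                extra = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
                tar.extractall(dest, **extra)
        except (tarfile.TarError, EOFError, OSError, zlib.error):
            report["unreadable"] = True  # truncated or corrupt archive: the test has failed
            return report
        restored = build_manifest(dest / "data")
    for rel, digest in manifest.items():
        if rel not in restored:
            report["missing"].append(rel)
        elif restored[rel] != digest:
            report["corrupt"].append(rel)
    report["unexpected"] = sorted(set(restored) - set(manifest))
    return report


def is_healthy(report: dict) -> bool:
    return not report["unreadable"] and not (
        report["missing"] or report["corrupt"] or report["unexpected"])


def demo() -> tuple:
    """Constructed scenarios: a clean backup; an archive in which customers.csv changed
    after the manifest was taken (stand-in for bit rot or a broken backup job); and an
    archive truncated in transit."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        src = root / "crm"
        (src / "invoices").mkdir(parents=True)
        (src / "customers.csv").write_text("id,name\n1,Alice\n2,Bob\n")
        (src / "invoices" / "2024-01.pdf").write_bytes(b"%PDF-1.4 constructed sample\n")

        good = root / "crm-good.tar.gz"
        manifest = create_backup(src, good)
        clean = restore_and_verify(good, manifest)

        (src / "customers.csv").write_text("id,name\n1,Alice\n2,Bobby\n")
        damaged_archive = root / "crm-damaged.tar.gz"
        with tarfile.open(damaged_archive, "w:gz") as tar:
            tar.add(src, arcname="data")
        damaged = restore_and_verify(damaged_archive, manifest)

        truncated_archive = root / "crm-truncated.tar.gz"
        truncated_archive.write_bytes(good.read_bytes()[:40])
        truncated = restore_and_verify(truncated_archive, manifest)
    return clean, damaged, truncated


if __name__ == "__main__":
    for label, report in zip(("clean", "damaged", "truncated"), demo()):
        print(f"{label:9s}", "OK" if is_healthy(report) else report)
```

Run as a script it reports a clean backup, a backup in which one file silently changed, and a truncated archive. The `filter="data"` argument to `extractall` (where the Python version supports it) matters on the restore side as well: it refuses archive members with absolute paths or `..` components, so a crafted or tampered archive cannot write outside the restore directory.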

10. Utilise cloud services securely

Utilise cloud services securely, following best practices outlined in resources like the Cloud Security Guide for SMEs by ENISA. Regularly review cloud providers' compliance with security standards.

11. Maintain secure online sites

Maintain secure online sites by testing them regularly for vulnerabilities, keeping the software behind them (content management systems, plugins, libraries) up to date, and protecting any personal and payment data they collect, both in transit and at rest. Conduct periodic reviews to confirm that sites remain patched and secure against current threats.

12. Stay informed and share information

Stay updated on the latest developments and best practices in cybersecurity. Engage with industry groups and forums to share information, and collaborate with peers to enhance collective cybersecurity strengths.

Future trends in cybersecurity reporting

Cybersecurity reporting is set to change as threats and regulatory pressure intensify. As organisations face heightened scrutiny, breach reporting requirements are expected to grow, demanding that businesses improve their ability to detect, assess and report incidents within the prescribed deadlines.

Technology, particularly automation and AI, can help by speeding up detection and triage and moving businesses toward near-real-time incident response and recovery.

Supply chain risks will remain a top concern globally. With breaches resulting from supply chain attacks surpassing malware-linked compromises by 40%, the focus on supply chain security will only intensify, driving the adoption of Zero Trust architectures (in which no user, device or supplier connection is trusted by default) and of comprehensive reporting on third-party risk.

Data privacy will remain crucial, with transparent data management and breach responses essential for maintaining trust. Enhanced threat intelligence sharing and the integration of ESG factors will highlight the role of reporting within broader sustainability goals.

In Europe, regulatory changes, including the Digital Operational Resilience Act (DORA) and the NIS2 Directive (the revision of the original NIS Directive), are set to standardise cybersecurity practices. DORA requires financial entities to report major ICT-related incidents and to test their digital operational resilience, while NIS2 extends coverage to more sectors and tightens incident reporting requirements. SMEs in sectors such as healthcare, energy and digital services must implement robust security measures and, like every organisation handling personal data, comply with GDPR.

Simplified reporting requirements and support mechanisms for SMEs are being considered, in recognition of their vital role in the digital economy. Even so, compliance will require investment in infrastructure, training and monitoring to protect operations and stay aligned with the rules.

Navigating evolving cybersecurity regulations

As the regulatory landscape changes, complying with new cybersecurity regulations will require implementing more stringent measures and reporting practices.

Businesses of all sizes and across different sectors must stay ahead by continuously updating their cybersecurity strategies to meet new standards and protect against emerging threats.

HLB Global can assist by providing expert guidance on regulatory compliance, offering tailored cybersecurity solutions, risk assurance services, and ESG advisory services, and delivering comprehensive training programs.

What is the HLB Brighter Futures Community?

Our Brighter Futures Community champions emerging leaders within the HLB network, and helps to disseminate the HLB strategy – and support its implementation – throughout the network’s operational framework.

The community has a four person leadership team which rotates annually; our Brighter Futures leaders work closely with the HLB Global and executive teams on our strategic goals, with progressive pathways mapped out up to 2027.

More information about our Brighter Futures leaders, including Carlos, is available from HLB.
