Cybersecurity, reporting and SMEs
With technology woven through core operations, cybersecurity extends beyond mere IT department concerns in today's businesses. Contrary to widespread belief, cyberattacks affect organisations of all sizes. SMEs, often perceived as weaker links in value chains due to limited resources, are not immune to cyberattacks. Cybercriminals target SMEs through phishing, malware, and web-based attacks to breach larger organisations through supply chain connections.
The lack of cybersecurity resources and skills, coupled with the rise in cyberattacks, poses a severe threat to SMEs' competitiveness and the integrity of their value chains. According to a study by the European Union Agency for Cybersecurity (ENISA), 90% of surveyed SMEs acknowledge the severe impact of cybersecurity issues, with over half fearing bankruptcy or closure within a week of a cyber incident.
Cybercrime is a growing risk
According to a recent study, the global cost of cybercrime will surge to $23.84 trillion by 2027, almost tripling from $8.44 trillion in 2022.
The World Economic Forum (WEF) Global Risks Report, based on a survey of 1,490 experts and 11,000 business leaders, demonstrates the growing concern over cybersecurity. Cyber risk has surged four positions on the short-term top 10 risks list, now ranking as the fourth most severe global risk over the next two years.
Additionally, the WEF report ranks AI-powered misinformation and disinformation as the highest among near-term risks, and generative AI is increasingly used for sophisticated phishing campaigns that target less secure individuals and infrastructures. More often than not, that means SMEs.
Regulatory approaches
As a response to these escalating cybersecurity threats, governments worldwide are responding by implementing stringent measures to compel companies to mitigate risks effectively.
In the EU, the Accounting Directive mandates companies to detail the fundamental risks and uncertainties they face. Furthermore, by October this year, Member States must enact measures to comply with the NIS 2 Directive to enhance EU-wide cybersecurity standards.
They must ensure that important entities implement appropriate technical, operational, and organisational measures to manage network and information systems risks, using an all-hazards approach to minimise the impact of incidents on their services and the services of others.
The UK Government is enacting cybersecurity reforms that include expanding the NIS Regulations to cover more organisations and incidents, introducing a 'cyber duty to protect' for online personal accounts, and requiring large organisations to include a 'resilience statement' in their annual reports detailing their threat management strategies.
Meanwhile, in the US, the Securities and Exchange Commission (SEC) has introduced new regulations requiring all listed companies to report material cybersecurity incidents within a tight 72-hour window. Furthermore, annual reporting on preventive cyber risk management measures is now mandatory for all companies, emphasising the significance of proactive risk mitigation strategies.
Proactive best practices for protecting your data and your clients'
Although SMEs often face budget constraints, cybersecurity remains a necessity. A proactive and informed approach to cybersecurity helps achieve regulatory compliance, and builds trust with clients and stakeholders, ensuring an organisation's long-term resilience.
Cybersecurity doesn't have to be expensive; affordable measures like role assignment, staff awareness, and simple technical solutions can substantially enhance security. Addressing the core fundamentals—people, processes, and technology—can significantly improve SME cybersecurity without substantial costs.
ENISA has published a Cybersecurity guide for SMEs that includes the following 12 high-level steps SMEs can take to enhance their cybersecurity defences and ensure the protection of their systems, data, and business operations:
Future trends in cybersecurity reporting
Cybersecurity reporting is set to transform as threats and regulatory pressures intensify. As organisations face heightened scrutiny, breach reporting requirements are expected to increase, demanding businesses enhance their reporting capabilities.
Technology, particularly AI and automation, can significantly help in this evolution by enabling businesses to transition toward real-time incident response and recovery.
Supply chain risks will remain a top concern globally. With supply chain attack breaches surpassing malware-linked compromises by 40%, the focus on supply chain security will only intensify, necessitating Zero Trust architecture and comprehensive reporting.
Data privacy will remain crucial, with transparent data management and breach responses essential for maintaining trust. Enhanced threat intelligence sharing and the integration of ESG factors will highlight the role of reporting within broader sustainability goals.
In Europe, regulatory changes, including the Digital Operational Resilience Act (DORA) and NIS2 Directive revisions, are set to standardise cybersecurity practices. DORA mandates incident reporting and resilience testing, while NIS2 expands sector coverage and tightens reporting requirements. SMEs across sectors like healthcare, energy, and digital services must implement robust security measures and comply with GDPR.
Simplified reporting requirements and support mechanisms are being considered, recognising SMEs' vital role in the digital economy. However, compliance will require investment in infrastructure, training, and monitoring to ensure operational protection and regulatory alignment.
Navigating evolving cybersecurity regulations
As the regulatory landscape changes, complying with new cybersecurity regulations will require implementing more stringent measures and reporting practices.
Businesses of all sizes and across different sectors must stay ahead by continuously updating their cybersecurity strategies to meet new standards and protect against emerging threats.
HLB Global can assist by providing expert guidance on regulatory compliance, offering tailored cybersecurity solutions, risk assurance services, and ESG advisory services, and delivering comprehensive training programs.
What is the HLB Brighter Futures Community?
Our Brighter Futures Community champions emerging leaders within the HLB network, and helps to disseminate the HLB strategy – and support its implementation – throughout the network’s operational framework.
The community has a four person leadership team which rotates annually; our Brighter Futures leaders work closely with the HLB Global and executive teams on our strategic goals, with progressive pathways mapped out up to 2027.
To learn more about our Brighter Futures leaders, including Carlos, click here.