Cybersecurity Strategies for SMEs in the Nordic Baltic Region

Morten Falch*, Henning Olesen, Knud Erik Skouby, Reza Tadayoni and Idongesit Williams

Dept. of Electronic Systems, Aalborg University Copenhagen, Denmark
E-mail: falch@es.aau.dk
*Corresponding Author

Received 31 August 2022; Accepted 07 October 2022; Publication 31 January 2023

Abstract

Cybercrime has become the most widespread kind of economic fraud and is a serious challenge for businesses around the world. The topic of this paper is how SMEs in the Nordic Baltic Region should face this challenge. Possible technical and organisational tasks to be performed by SMEs in order to ensure cybersecurity of their business are analysed. The paper looks at the different types of hackers and their motives. On this background, current cyberthreats and corresponding security measures are presented. It is concluded that awareness, training, and financial incentives are all important elements in defining a cybersecurity strategy for SMEs. The paper is based on research made in the DINNOCAP project funded by EU regional funds.

Keywords: Cybersecurity, small and medium-sized enterprises (SMEs), Nordic Baltic Region, NIST framework, change management.

1 Introduction

In this paper we will explore and characterise the challenges and problems for SMEs in relation to cybersecurity. Cybersecurity has become a serious challenge for businesses around the world. PwC has reported cybercrime to be the most widespread kind of economic fraud [1]. Distributed Denial of Service (DDoS), ransomware and other kinds of cyberattacks are happening more and more frequently, and for businesses they can lead to severe consequences, e.g., interruption of work processes and customer services, loss and compromising of data, violation of data protection and privacy laws, a lot of wasted time, and large costs. The ongoing process of digital transformation is affecting all businesses and organisations, large and small, and this puts further focus on the challenges related to cybersecurity.

In 2019 the World Economic Forum recognized cybersecurity as one of the top 10 global risks [2]. The EU has published a common strategy on cybersecurity [3], and several major initiatives are being launched by the EU to increase awareness and protect critical infrastructure, e.g., the NIS2 (Network and Information Security 2) Directive [4]. In Denmark, research shows that business leaders see cybercrime as the most important challenge, more important than the pandemic and climate change [5].

The debate on cybersecurity tends to focus on attacks on large companies and critical infrastructures, but cybersecurity is also important for Small and Medium-sized Enterprises (SMEs). Even though the potential gain for attackers might seem smaller and hardly worth the effort, SMEs cannot neglect the growing threats and assume that they will not become the target of an attack. As mentioned above, digital transformation also affects SMEs, even the ones that have not traditionally been involved with the use and development of technology. Contrary to bigger enterprises, SMEs with typically 5–50 employees often lack the competences, resources, and capabilities to deal with cyber threats and protect their assets [6]. Depending on the type of SME, different measures may need to be applied, and SMEs need a better understanding of the attackers’ motives.

Despite its importance, research on cybersecurity in SMEs specifically is still rather limited, as shown in a recent literature review [7]. Therefore, the purpose of this paper is to contribute to this research by providing an overview of cybersecurity challenges faced by SMEs, how these challenges are met today, and suggestions for what can be done to improve cybersecurity in SMEs in the future.

The paper is based on research carried out as part of the DINNOCAP project funded by the EU [8]. The objective of the project was to empower the use of ICT opportunities among SMEs, involving industry organizations and public sector authorities in the Baltic Sea Region (BSR).

First, we present an overview of the major cyber threats and attacks and the types of countermeasures that can be applied to prevent and detect cyber-attacks in organisations – with a particular focus on SMEs. Next, we will discuss and analyse what SMEs have been doing so far, based on published surveys and a survey prepared as part of the DINNOCAP project, and how SMEs can prioritize their limited resources to address the challenges from cybersecurity. Finally, we will discuss how various policy initiatives can contribute to enhance cybersecurity in SMEs.

We will use the following definition for cybersecurity: “cybersecurity aims at protecting the cyberspace (which includes both information and infrastructures) from any cyber threat or cyber-attack”, following the suggestion of [9], who carried out a review of different alternative definitions. Cybersecurity is not just a technical issue, but should be addressed as an interdisciplinary issue, especially when it comes to implementation of security measures. According to [10], recommendations on cybersecurity should address three different aspects: people, processes and technology.

2 Methodology

The paper is based on a combination of primary and secondary data. All primary and most secondary data are collected as part of the research activities carried out in the DINNOCAP project [8] and its predecessor DIGINNO. Both projects are funded by the EU Interreg programme and address digital transformation of SMEs in the Baltic Sea Region (BSR).

Secondary data include a literature review of the kinds of possible cybersecurity challenges, surveys on implementation of cybersecurity measures in SMEs, and suggested policy initiatives. We will draw on surveys on cybersecurity and SMEs mainly from ENISA [10] and from the Danish Business Authority, which has made several analyses in this area. These data and analyses are examined and compared with data from EUROSTAT [11] and with information and primary data from the BSR countries. Input has been gained from discussions with industry organisations and from a survey done by DINNOCAP [8]. The companies that participated in the survey are mainly based in Kaliningrad; however, the data and the information obtained support that the cybersecurity challenges to SMEs in the BSR countries are similar to the challenges generally faced by SMEs.

Adoption of cybersecurity safeguards in SMEs is mainly about making changes in how organisations implement IT systems. Therefore, business process engineering and change management have been considered a suitable framework for the analysis.

2.1 Hacker Types and Incentives

Looking at the attackers behind the attacks, it is important to be aware that hackers can have different motivations for hacking into IT systems, and the harm they do differs. Criminals aren’t always after profit. Some hackers attack a business out of revenge or just because of the challenge, and because they think it is fun [12]. The way they work depends on both motives and competences. A large number of categorizations of hackers have been developed. They define from 3 (black, white, and grey) up to 14 different categories of intruders (black, white, grey, script kiddies, green, blue, red, state sponsored, insiders, hacktivists, elite, crypto hackers, gaming hackers, and botnet hackers) [13]. Reference [14] defines 8 different types of hackers and evaluates threat properties for each type.

Reference [15] offers the most comprehensive overview of hacker types and motivations applied in the literature. The paper identifies 13 different types of hackers with seven different types of motivations.

Table 1 Hacker types and their motivations

Motivations (columns): Curiosity, Financial, Notoriety, Revenge, Recreation, Ideology, Sexual Impulses

Hacker types (rows): Novices, Cyberpunks, Insiders, Old Guards, Professionals, Hacktivists, Nation States, Students, Petty Thieves, Digital Pirates, Online Sex Offenders, Crowdsources, Crime Facilitators

Source: [15].

Some hacker types share motivations and can first of all be distinguished by their levels of skill. Here it suffices to make a distinction among the following groups and purposes, inspired by [16]:

1. Insiders (people working inside the organization)

2. Cybercriminals (hackers with financial motives)

3. Script kiddies (hacking for fun, and to impress others)

4. Hacktivists (using their skills for political purposes)

5. Foreign states

6. Grey hats (just for fun hackers)

These six groups vary according to both purposes and skill levels. Attacks from insiders seem to be in decline but are reported to be more costly than attacks from outside [14]. Cybercriminals include highly professional hackers as well as petty thieves. Petty thieves may prefer to target SMEs, as they are less well protected. Petty thieves benefit from the increasing availability of hacking tools such as ransomware as a service. While script kiddies may attack SMEs for fun, it is unlikely that hacktivists, foreign states or grey hats will have SMEs as their primary target.

Looking at the purposes, it is important to distinguish between financial purposes and purposes with financial implications, and those driven by curiosity and recognition.

(1) Curiosity and recreation: This includes the mere retrieval of information. This may be the innocent motive of students and novices as suggested by [15], but information retrieval can also be a motive of foreign states and industrial spies, and it may have financial or political implications even though the IT system itself is not affected.

(2) Recognition (corresponds to notoriety in Table 1): Some hackers do it just for fun and recognition among their peers. They don’t hack to do any harm, but just to prove they can. They can be very skilled but will often be so-called script kiddies using hacker tools developed by others. They will not necessarily do any harm to the systems they are attacking.

(3) Financial motives: Cybercriminals include highly skilled and well-organized hackers. The market for cybercrime includes hackers as well as crime facilitators developing the tools that are necessary for performing the hacking. Cybercriminals can either make a profit by misuse of, for instance, financial information, or they can lock IT systems and demand a payment for unlocking them again. Also, digital pirates, who want access to information protected by copyright, have financial motives.

(4) Revenge is not directly a financial motive, although it can have severe financial implications, as it may lead to permanent destruction of data and IT systems. Revenge can be politically motivated, driven by foreign states, hacktivists or insiders.

The relation between hacker types and purposes is illustrated in Figure 1.


Figure 1 Hacker types and their motivations. The size of the bubbles indicates the level of damage. Inspired by [16].

Most SMEs might not possess data that are valuable for third parties. Still, it can be argued that SMEs first of all should take precautions against cybercriminals. Just-for-fun hackers are less harmful, and hacking an SME is not something that will create much recognition among experienced hackers. Few SMEs will be of interest to nation states or politically motivated hackers. However, SMEs may suffer from attacks by different types of hackers, as they may be affected even though they are not the primary target. Moreover, their systems may be used as a vehicle for attacks on other organisations.

3 Cyber Threats and Their Relevance for SMEs

Hackers are using a wide range of methods to attack companies. The European Union Agency for Cybersecurity (ENISA) has, in its recent report on the threat landscape, identified the following prime threats [17]:

• Ransomware

• Malware

• Crypto jacking

• E-mail related threats

• Threats against data

• Threats against availability and integrity

• Disinformation – misinformation

• Non-malicious threats

Ransomware, where attackers encrypt an organisation’s data and demand payment to restore access, is reported to be the prime threat. The most high-profile cases are related to big companies, but small companies can also be hit. They are unable to pay high amounts for restoring data, but they are more vulnerable and easier to attack. Malware ‘intended to perform an unauthorised process that will have an adverse impact on the confidentiality, integrity, or availability of a system’ [17] is also a prime threat. Data from SMEs may not be that interesting for cybercriminals – only a few small companies host sensitive data such as credit card data and other data that can be misused by criminals or sold to third parties.

Cryptojacking, where criminals steal computing power to generate cryptocurrency, can hit any computer owner. An increase in this type of cybersecurity breach has been observed.

E-mail related threats are reported to be increasing in spite of educational campaigns to increase awareness. Infected e-mails can be sent to anybody, but organisations with less formal procedures for data handling and updating of filters are the most vulnerable.

The threat of leaks of sensitive data depends on the kind of data the business is handling. As noted above, SMEs have less data of interest to hackers than large companies have.

Availability and integrity of data can be compromised in different ways, of which denial of service and web-based attacks are the most important. According to ENISA this threat ranks high [18]. For SMEs, however, the risk of being the primary target is rather limited, but they can be used as a vehicle for attacking other companies. This means that the servers of an SME can be used in the attack on another company.

Disinformation and misinformation delivered through social media is on the rise. However, its relevance for SMEs is limited.

Non-malicious threats include threats where no malicious intent is apparent. These do not originate from cyber criminals or other types of hackers, but are mostly based on human errors or misconfigurations. Nevertheless, such incidents must also be addressed by SMEs.

Another report from ENISA includes a survey of the most common types of incidents in SMEs [10]:

• Phishing (41%)

• Web based attack (40%)

• General malware (39%)

• Malicious insider (19%)

• Denial of service (12%)

• Social engineering (11%)

• Compromised/stolen device (7%)

The categorisation of incidents differs slightly from the list presented in the threat landscape report mentioned above. But it confirms the importance of malware (which probably includes ransomware, although this is not stated explicitly in the report) as a threat. Furthermore, it underlines the web and e-mail as the dominating points of attack (assuming that phishing is mainly performed via fake e-mails).


Figure 2 The core functions of the NIST cybersecurity framework [19].

3.1 The NIST Framework for How to Protect Businesses

The National Institute of Standards and Technology at the U.S. Department of Commerce (NIST) has developed a framework for what organisations should do in order to be protected [19]. ISO has developed international standards (ISO 27001 and ISO 27002) based on the same principles. The NIST cybersecurity framework includes five core functions, which must be addressed by any organisation in order to deal with cybersecurity threats (Figure 2).

Identify includes identification of the critical processes and resources. SMEs may not possess a lot of data that could be of interest to others, but if they are critical to the operations of the company they need to be protected. Moreover, GDPR demands that personal data – for instance customer data – must be protected.

Protect includes protection of the sensitive data identified above. Much of the protection is built into the standard software applied by SMEs. Still, the SME has an opportunity to implement additional measures such as long passwords and two-factor authentication. Moreover, access to any system should only be allowed to those who actually need it. SMEs do not always have a person responsible for IT who makes sure that security measures such as regular back-ups and updates are followed. It is therefore up to the individual employee to do this.

E-mail filters with blacklisting or even whitelisting can help prevent phishing e-mails and e-mails with harmful content from being opened, but awareness among employees is even more important in this respect.

Detect includes detection of cybersecurity attacks. IT systems must be monitored in order to detect any cybersecurity events. Anomalies in data flows could be a sign of such an event. Few SMEs will be able to do more monitoring than is offered by standard tools, and they will have difficulties interpreting the data provided themselves, so they will need to leave this to external consultants. Maintenance of log files can be an important tool for security experts to identify anomalies.

Respond includes guidelines for how to react if a cybersecurity attack is detected, and how to limit damages. An early response from the user of an infected machine may prevent potential damage from spreading to other parts of the IT system, as well as damage to other operations of the company.

Recover includes guidelines for repairing the damage done in an attack and for re-establishing data, systems, and business processes. Many SMEs may not be prepared for an attack and lack established procedures for restoring damaged data.

It follows that the controls to be implemented by SMEs include technical as well as organisational measures. Many SMEs have outsourced the responsibility of managing IT systems, but without an understanding of the importance of cybersecurity, they will not be willing to finance the necessary investments. Moreover, SMEs have less formal organisational structures than large companies. This implies that it is even more important to engage all employees in the organisation in the implementation of cybersecurity safeguards.

4 Cybersecurity Measures Implemented in SMEs

In a forerunner of the DINNOCAP project, DIGINNO, an overview of the level of ICT usage among SMEs in the BSR was obtained, including the state of the art of Industry 4.0 digitalization. Main drivers and barriers in the take-up of ICTs were identified, and it was among other things concluded that there has been less take-up of ICT in the ‘Eastern’ area than in the ‘Western’ area (i.e., Denmark, Finland, Norway, and Sweden), and that there are some structural differences among the Eastern BSR countries in relation to the ICT take-up. However, for the BSR as a whole, there has during the last years been an increasing take-up due to awareness raising from industry organizations (including facilitation from DINNOCAP) and to the COVID situation, leading to a growth in online shopping and remote working. As reported by the OECD [20] and others, the increased take-up is a general development, exemplified in the increased use of online meetings. Exchanges with industry associations have confirmed that this also covers the situation in the BSR. This amplifies the cybersecurity risk in SMEs and calls for initiatives to protect SMEs against cyber-attacks.

4.1 Cybersecurity in European SMEs

The ENISA survey from 2021 [10] indicates an increasing dependence on IT in SMEs. The most used information services include teleworking, banking transactions, e-mail, and information services, while e-learning and e-commerce are less used. SMEs utilise the cloud for different kinds of information services and remote access tools of “various types, functionalities and security levels”. Some of the findings are:

• 25% of the SMEs participating in the survey, who used remote access, have during the pandemic relied on cloud services that allow, as a minimum, access to and processing of e-mails, file processing and communication.

• However, over 90% of these SMEs “did not implement any new security measures, or any additional security measures, to ensure the security of these solutions”.

• 80% of the SMEs process critical information, making cybersecurity a key concern.

• 70% of the companies participating in the survey take precautions like installing firewalls and anti-virus programs, making back-ups, and systematic update of software.

• Less than 30% of the companies that make use of removable media management, Information Security Management Systems (ISMS), or Cyber information, have appointed a security officer, have an incident report structure, or have a business continuity and disaster recovery plan.

The survey was supplemented with qualitative interviews with 16 SMEs in 14 EU countries, including Germany, Sweden, Estonia and Poland from the Nordic Baltic Region. Based on this, ENISA identifies seven types of challenges:

• low cybersecurity awareness of the personnel,

• inadequate protection of critical and sensitive information,

• lack of budget,

• lack of ICT cybersecurity specialists,

• lack of suitable cybersecurity guidelines specific to SMEs,

• shadow IT, i.e., a shift of work into ICT environments outside the SME’s control,

• low management support.

Moreover, it is stated that 84% of the cyberattacks rely on social engineering.

The EUROSTAT database provides more systematic information on the status of implementation of cybersecurity measures in businesses within the EU. 41 different cybersecurity indicators are defined. Compared with the NIST framework, the indicators have primarily a technical focus, and most of the indicators relate to protection. The indicators are available per country and per company type. At the time of writing (June 2022), most data are available for 2019 only. In the following, these indicators are used to uncover the situation for SMEs in the Nordic Baltic region, to identify national differences, and to analyse how the conditions differ from the EU as a whole.

The indicator “The enterprise’s ICT security policy was defined or most recently reviewed within the last 24 months” can be used to represent the level of seriousness in different companies regarding cybersecurity. From Figure 3 it follows that SMEs in general are not as good as other companies at defining their own security plans. This may not be surprising. It is more interesting to look at national differences. Here it follows that SMEs in Denmark, Sweden and Finland are much more up to date than companies from the rest of the EU, while companies from Estonia and Poland are below the EU average.


Figure 3 Percentage of enterprises for which the enterprise’s ICT security policy was defined or most recently reviewed within the last 24 months. Source: [11].

A comparison shows that the SMEs in the Nordic Baltic countries are close to the EU average (Figure 4). However, within the region there are considerable national differences (see the Table in Appendix A).


Figure 4 IT Security measures applied by SMEs (2020). Source: [11].

Figure 5 illustrates the percentage of SMEs with access to security expertise, grouped by internal, external, and total.


Figure 5 SMEs’ access to security expertise. Source: [11].

4.2 Survey Among SMEs in the Baltic Sea Region

In order to validate and update the above analysis, a survey among SMEs in the Baltic region has been performed. Data from the survey were provided by 33 respondents representing 33 SMEs. The respondents were from Russia (Kaliningrad) (24), Poland (5), Latvia (2), Lithuania (1) and Estonia (1), respectively. The positions held by the respondents were: Director (16), CEO (4), Head of IT (2), Head of technical department (2), manager (2), IT practitioner (3), IT specialist (1), Technical Director (1), Accountant (1), and Business development manager (1). The sectors represented were Education (8), Service (7), Manufacturing and production (7), Information Technology (6), Automotive (1), Shipping (1), Research and development (1), and the Financial sector (1). 29 out of 33 companies had 1–50 employees. Although Kaliningrad is highly overrepresented, and Kaliningrad is somewhat behind some of the Baltic countries, the data (depicted in Figure 6) are considered to be fairly representative for the Baltic region.


Figure 6 Number of SMEs using different security measures in the DINNOCAP survey.

4.3 Cybersecurity Among SMEs in Denmark

Denmark seems to be among the countries within the Baltic region where most SMEs have implemented IT security measures. It is therefore worthwhile to look further into the status of cybersecurity within Danish SMEs. The Danish Business Authority (Erhvervsstyrelsen) recently published a report on digital security in Danish SMEs, based on two major surveys [5]:

• An annual survey from 2020 by Statistics Denmark, covering 3,947 SMEs with 10–249 employees, and

• A survey conducted by Epinion in the fall 2020 covering 1,806 Danish SMEs with 5–249 employees

The report uses to a large extent the same parameters as those included in the EUROSTAT database. The main findings – referring to the security measures mentioned above – were:

• 40% of the Danish SMEs have an insufficient level of digital security in relation to their risk profile.

• Only 76% of the Danish SMEs used both of the two essential security measures in 2019: keeping the software (including operating systems) up to date and making backups of data. This was at the same level as in 2018.

• Even among SMEs working with digital technologies (cloud, IoT and big data analysis), 15% do not use either of these two security measures.

Regarding the perceived challenges among the SMEs, 28% of the respondents mentioned

• uncertainty whether it pays off to invest in digital security [21],

• lack of IT knowledge and competences, and

• lack of economic resources.

More than 70% of the SMEs expressed that their focus on digital security would be enhanced by having simple guidelines about IT security, receiving continuous information about current security threats, and having access to concrete tools.

10% of the SMEs had experienced security incidents, and they were mostly worried about potential loss of valuable data, shutdown of networks and systems, and loss of revenue. Finally, 74% of the SMEs answered that the management “to a high degree” was involved in decisions regarding the company’s work with digital security.

Figure 7 shows an overview of the use of security measures in Danish SMEs, following the list suggested by ENISA (see above).


Figure 7 Use of security measures in Danish SMEs. The highest-ranking measures are systematic software updates, access control for networks, strong passwords for authentication, and backup of data. Source: [5].

The trend in how SMEs use security measures in Figure 4 (EUROSTAT), Figure 6 (the DINNOCAP survey) and Figure 7 (Danish Business Authority) is similar, but with minor differences. Although the sample size used by EUROSTAT is larger and covers more countries, the outcomes of the DINNOCAP survey and the Danish survey correspond to the outcome of the ENISA survey.

5 Analysis

Our goal is to provide recommendations to SMEs that can help them address the challenges and threats from cybersecurity. How can SMEs and their employees become better informed, and how should they prioritize their efforts, given their limited manpower and capabilities? They need to have a clear picture of how exposed they are to cyber-attacks, what the hackers’ motives and incentives are, and what could make their business attractive for cyber-attacks (risk assessment). Based on this understanding, they will be in a better position to target their efforts and countermeasures in the most efficient way. As a part of this they must also decide whether they are able to cope with the challenges themselves, or whether they need to involve external resources.

On 16 Sept. 2021 the DIGINNO project hosted an online seminar on ‘Cybersecurity and SMEs in a transnational context’. This seminar discussed the status of implementation of cybersecurity measures within SMEs in the Baltic Sea region and policy issues related to this. Among the main conclusions of the seminar were that:

• The biggest and most manifest attacks have targeted bigger companies (such as Sony, Google, Maersk …), but it is also a problem for SMEs.

• The guidance and solutions offered by public and international organisations are in reality directed towards – and only useful for – bigger companies.

• The awareness raising on cybersecurity for SMEs by organisations in the BSR has generally been limited so far.

In the following we will review the classification of SMEs introduced by the Digital SME Alliance. Here, e.g., it is important for SMEs to understand how dependent they are on parts of their business processes being outsourced. Following a short review of different models of Business Process Reengineering (BPR), we will then investigate how elements of BPR can inform and support the decision on measures to be applied in SMEs. In our context, SMEs are facing a continuously evolving cybersecurity threat and a constant need for monitoring, risk assessment, and prioritisation of resources.

5.1 Different Types of SMEs

It is necessary to make a distinction between different types and sizes of SMEs and their role in the digital ecosystem in order to make sure that solutions are tailored to them [22].

The DIGITAL SME Alliance study [22] distinguishes between:

• digital enablers, providing software and services,

• ‘digitally based’ SMEs, which are connected to digital enablers via clusters and value chains, and where the businesses do not have digital or cyber as a core but are highly dependent on digital solutions, and finally,

• ‘End user’ or ‘digitally dependent’ SMEs that use regular ICT for running their businesses.

Furthermore, the paper indicates that the size and maturity level of the company should be considered: “Micro-enterprises (up to 10 employees) are less likely than larger SMEs (10–250 employees) to implement security measures. For smaller SMEs, complexity needs to be reduced as e.g., micro-enterprises are likely to lack the internal resources to deal with complex standards and guidelines” [22].

Most SMEs, especially end user SMEs, have either outsourced their ICT activities or rely on standard solutions offered on the market. This implies that their cybersecurity to some extent depends on the security offered by their network and IT providers. Still, the SMEs need to take their own precautions as well.

Some of the conclusions are that “less digitally mature SMEs are perhaps the most vulnerable to cybersecurity threats of all organizations” [23] and that “A highly specialized ‘digital enabler’ that provides IT security solutions will be more fit to adopt a complex IT-security standard and should assist ‘digitally based’ companies in doing so. ‘End user’ SMEs on the other hand may require secure-by-design solutions and a set of basic standards with relevant certifications they can follow to make sure they meet the basic level of cybersecurity ‘hygiene’ ” [22].

5.2 Change Management in SMEs

Cybersecurity is not only about technology. It is also about people and business processes. This is reflected in the ENISA report, where recommendations to SMEs are given in all three of these areas. This implies that SMEs must implement a complete business process re-engineering (BPR) of all processes involving IT. When BPR was introduced by Davenport in 1993 [24], the focus was on altering business processes, organisational structures, and employee responsibilities in order to improve cost, quality, service and speed [25]. Even though BPR has been on the table for more than three decades, and digitalisation has been implemented in many European companies, the concept is still relevant for many SMEs, and its implementation is just as important as it is in large organisations [26].

Today, the vehicle for BPR is still digitalisation. This includes hardware and software as well as people [27]. Today the objective is, however, slightly different. For companies that have already been digitalised, the task is to take up the cybersecurity challenge created by the increasing use of technologies like cloud computing and web-based service solutions. Therefore, performance indicators applied in BPR must be modified in order to take this new challenge into account. Still, the BPR concept is relevant in this context, as business processes, organisational structures, and employee responsibilities need to be modified in order to meet this new challenge.

There are different options for organising a BPR process: it can be done without any formal structure, by creating a separate committee or department, or even a separate business unit, or it can be outsourced to a separate operating company [28]. SMEs have less capacity to address issues such as cybersecurity, so it is likely to be addressed either without any formal structure or by outsourcing to a consulting company. However, even if cybersecurity is outsourced, or built into the standard software the SME uses, the employees still need to become aware of security issues. “People are a major weakness in cybersecurity, but when engaged and correctly trained they can become a first line defence against attackers” [29].

When defining public policies to support SMEs in redesigning their business processes in order to become cybersecure, it is important to be aware of how changes in business processes are made.

Several models have been developed with the purpose of prescribing how changes or innovations should be implemented in an organisation [30, 31]. Although most of these focus on large organisations, they offer some take-aways for small companies as well.

Lewin’s change model [32] has three phases: unfreeze, change and re-freeze. There must be a motivation before an organisation is ready for a change. The employees are at the heart of the change, as they need to discontinue past practice and adapt to new routines. Even if the goals are desirable, there will often be resistance to change.

Kotter’s model includes eight steps an organisation must go through in order to implement a change successfully [33]. The model emphasizes the need for a clear vision, which has to be communicated to the employees, and the generation of motivation through short-term wins for the employees. The model represents a top-down approach, which may not be suitable for implementation in small companies. It is, however, relevant for policy makers in their formulation of initiatives in the area of cybersecurity: here it will be important to set out clear visions, to communicate them to the companies and to motivate the companies. Visions are not enough, though. It follows from the surveys presented above that awareness of using the standard protection measures built into software is high. This indicates that an unfreeze of present routines is possible, as a sense of urgency has been created in the management of most SMEs. Still, the implementation of safeguards against cybersecurity threats must involve all employees in the organisation, not just the management and the IT staff. The vision must be shared, and employees must be empowered to act on it.

Finally, the ADKAR model [34] is worth mentioning, as, unlike the previous two, it focuses on changes in people’s behaviour, which is key to achieving a higher level of cybersecurity. In addition to awareness and motivation, which are also included in the previous model, this model pays attention to the knowledge and skills required among the employees, so that they can participate in, and act as ambassadors for, the implementation of a change.

Table 2 shows an overview of the three models.

Table 2 Overview of 3 models for change management

Lewin | Kotter | ADKAR
1. Unfreeze | 1. Create a sense of urgency | 1. Awareness
2. Change | 2. Create a core coalition | 2. Desire
3. Re-Freeze | 3. Develop and form a strategic vision | 3. Knowledge
| 4. Communicate and share vision plans | 4. Ability
| 5. Empowering employees to act on the vision | 5. Reinforcement
| 6. Generate short-term wins |
| 7. Consolidate gains and produce more change |
| 8. Initiate and set new changes |

Source: Prepared on basis of [30].

Defining implementation strategies for cybersecurity measures in SMEs must take the limitations of SMEs into account. [2] is one of the few studies that explicitly deal with security issues in SMEs. Based on an extensive review of the IS literature on the subject, the authors formulate a conceptual framework of SME constraints in relation to IT security. The framework includes the following constraints:

• Limited Resources

• Small Asset Base

• Low Formalization level

• Ingrained culture

• Geographical insularity

These constraints interact with leadership characteristics such as managerial skills, IS/IT knowledge, attitudes and values, and strategic outlook. The framework was tested in a qualitative study. Limited resources such as finance, time and know-how were among the most important constraints, whereas the small asset base did not seem to play an important role. Low formalisation was also important: it implies that many processes are undefined and undocumented, which complicates the introduction of new cybersecurity measures. Business relations are often based on trust among employees and business partners. Finally, many SMEs were constrained by limited access to IT expertise, especially if located in rural areas.

6 Recommendations

The EU strategy on cybersecurity is formulated in [35] and [3]. The strategy is mainly concerned with cybersecurity in public infrastructures, although the special needs of SMEs are acknowledged. The paper ‘A Threat-Based Cybersecurity Risk Assessment Approach Addressing SME Needs’ [23] presents a risk assessment framework combined with means for motivating SMEs. Its position is that it is not enough to provide solutions that manage SMEs’ cybersecurity risks; SMEs must also be motivated to take action.

Awareness, and how to raise it, is addressed in [29, 36]. [36] argue that senior management do not see themselves as likely targets for cyber-attacks. SME IT leaders may be aware of the threat, but they lack information on how to reduce the risk. A combination of awareness creation and empowerment is therefore needed.

It follows from the surveys presented above that awareness of the use of standard protection tools is generally high among SMEs, while there is less focus on the other parts of the NIST framework.

Based on a review of other reports on cybersecurity, ENISA has prepared a checklist for SMEs in three areas, people, process and technology, and the ENISA report [10] also gives detailed recommendations. The people-related checks cover responsibility; involvement/buy-in; awareness; cybersecurity training; cybersecurity policies; and third party management. The process-related checks concern audits; incident planning and response; passwords; software patches; and data protection. The technology checks are network security; anti-virus; encryption; security monitoring; physical security; and secure backups. Some of the checks are generally relevant (e.g., awareness, passwords and backups), whereas others (e.g., third party management and security monitoring), and especially the extent of the checks, depend on the type and size of the SME.

Based on the activities in DIGINNO and DINNOCAP, we have suggested activities to be developed in the BSR. Most of these are well suited to be developed as macro-regional activities in collaboration between at least the three Baltic states, possibly with support from other countries in the region, e.g., involving the already established digitalization training programmes offered by RISE in Sweden.

Suggested activities are:

• Awareness raising programmes targeting SMEs and based mainly on illustrative examples of problems and solutions. The examples should address differences in the sizes and types of SMEs.

• The programmes should be integrated into the activities of the European Digital Innovation Hubs (EDIHs), promoted by sector regulators such as business registers and by industry associations

• Development of training programmes resulting in a pool of experts able to assist SMEs in the region

• Development of certified, ‘automated’ procedures that SMEs can implement for typical/common activities

• Financial incentives to develop cybersecurity infrastructure in SMEs – e.g., via EU projects

• Incorporate the NIST Cybersecurity Framework into the e-delivery standards developed as building blocks by the CEF (Connecting Europe Facility), such as eID (electronic identity) and EBSI (European Blockchain Services Infrastructure). When SMEs adopt these building blocks, they can automatically consider and implement the cybersecurity framework as well.

• Industry associations should adopt tools that enable SMEs to measure and upgrade their cybersecurity readiness

• Industry associations should guide SMEs to understand how to take advantage of the cybersecurity financing and technical possibilities developed by ENISA

The suggestions imply that the EDIHs and industry associations themselves possess the cybersecurity competence to assist the SMEs.

7 Conclusion

From the findings cited above it is clear that SMEs are vulnerable to cyber-attacks and that there is a need to upgrade cybersecurity among SMEs. This is in line with EU cybersecurity policy, under which substantial investments are provided via the Digital Europe programme, the recovery funds and the Horizon Europe programme. Further, technical support is planned to be provided to SMEs, e.g., via the European Digital Innovation Hubs.

However, it appears that there is an even greater need for upgrading cybersecurity measures among countries in the Baltic Sea Region than in the EU in general. It appears from our findings that security activities and awareness, even if there are differences between the countries, are generally at a lower level. Further, we conclude that this situation is a barrier to the digitalization process. In our initial surveys of the digitalization process, cybersecurity was not mentioned as an important issue by companies and organizations. During a workshop and associated interviews in 2021 it was clear that cybersecurity is now seen as a serious problem. This calls for measures in the BSR that are organized and coordinated as macro-regional activities.

Appendix A

Table A1: Security measures applied by SMEs by country in the Nordic Baltic Region (2020), % of enterprises

Country | ICT security tests | ICT risk assessment | Maintaining log files for analysis after security incidents | Use of VPN | Network access control | Data backup to a separate location | User identification and authentication via biometric methods | Keeping the software up-to-date | Strong password authentication
Denmark | 45 | 44 | 55 | 57 | 83 | 84 | 11 | 86 | 81
Germany (until 1990 former territory of the FRG) | 33 | 28 | 55 | 50 | 68 | 88 | 9 | 95 | 83
Estonia | 23 | 18 | 30 | 34 | 54 | 60 | 7 | 68 | 58
Latvia | 28 | 25 | 18 | 21 | 52 | 57 | 10 | 72 | 86
Lithuania | 24 | 19 | 18 | 21 | 48 | 65 | 14 | 77 | 62
Finland | 40 | 56 | 44 | 48 | 74 | 80 | 15 | 93 | 90
Sweden | 47 | 47 | 53 | 50 | 69 | 81 | 9 | 89 | 71
Norway | 32 | 39 | 44 | 36 | 69 | 79 | 12 | 90 | 70
Poland | 21 | 20 | 22 | 24 | 56 | 53 | 6 | 78 | 73
Nordic Baltic Union | 33 | 33 | 38 | 38 | 64 | 72 | 10 | 83 | 75
European Union – 27 countries (from 2020) | 31 | 28 | 41 | 37 | 61 | 74 | 8 | 85 | 74
Source: EUROSTAT [11].

References

[1] PwC, “PwC’s Global Economic Crime and Fraud Survey 2022,” PwC, 2022.

[2] M. Heidt, J. P. Gerlach and P. Buxmann, “Investigating the security divide between SME and large companies: How SME characteristics influence organizational IT security investments,” Information Systems Frontiers, pp. 1285–1305, 21(6) 2019.

[3] “JOINT COMMUNICATION TO THE EUROPEAN PARLIAMENT AND THE COUNCIL The EU’s Cybersecurity Strategy for the Digital Decade, Join(2020)18,” 2020.

[4] “NIS2 Directive,” 16 Dec. 2020. [Online]. Available: https://eur-lex.europa.eu/resource.html?uri=cellar:be0b5038-3fa8-11eb-b27b-01aa75ed71a1.0001.02/DOC_1&format=PDF.

[5] Danish Business Authority, “Digital sikkerhed i danske SMV’er (Digital Security in Danish SMEs),” Danish Business Authority, Copenhagen, 2021.

[6] A. Horn, “Why cybersecurity should be a top concern for middle-market companies,” SmallBizDaily, 2017.

[7] T. Tam, A. Rao and J. Hall, “The good, the bad and the missing: A Narrative review of cyber-security implications for australian small businesses,” Computers & Security, 109, 102385. 2021.

[8] “DINNOCAP,” [Online]. Available: https://www.diginnobsr.eu/dinnocap.

[9] M. Lezzi, M. Lazoi and A. Corallo, “Cybersecurity for Industry 4.0 in the current literature: A reference framework,” Computers in Industry, pp. 97–110, 2018.

[10] A. Sarri, V. Paggio and G. Bafoutsou, “CYBERSECURITY FOR SMES – Challenges and Recommendations,” European Union Agency for Cybersecurity, ENISA, Heraklion, Greece, 2021.

[11] European Commission, “EUROSTAT,” Brussels, 2022.

[12] C. Paulsen and P. Toth, “Small Business Information Security: The Fundamentals. NISTIR 7621 Revision 1,” NIST, 2016.

[13] “14 Types of Hackers to Watch Out For,” 10 May 2022. [Online]. Available: https://www.pandasecurity.com/en/mediacenter/security/14-types-of-hackers-to-watch-out-for/.

[14] S. L. Hald and J. M. Pedersen, “An updated taxonomy for characterizing hackers according to their threat properties,” in 2012 14th International Conference on Advanced Communication Technology (ICACT), IEEE, 2012, pp. 81–86.

[15] S. Chng, H. Y. Lu, A. Kumar and D. Yau, “Hacker types, motivations and strategies: A comprehensive framework,” Computers in Human Behavior Reports, 5, 100167, 2022.

[16] J. M. Pedersen, Teaching material, 2022.

[17] “ENISA threat landscape 2021,” ENISA, 2021.

[18] ENISA, “Guidelines for SMEs on the security of personal data,” ENISA, 2016.

[19] “Framework for Improving Critical Infrastructure Cybersecurity, Version 1.1,” 16 April 2018. [Online]. Available: https://www.nist.gov/cyberframework.

[20] OECD, “OECD Policy Responses to Coronavirus (COVID-19): Teleworking in the COVID-19 pandemic: Trends and prospects,” OECD, 2021.

[21] “Digital sikkerhed i danske SMV’er (in Danish),” Danish Business Authority, 2021.

[22] European DIGITAL SME Alliance, “The EU Cybersecurity Act and the role of standards for SMEs: Position paper,” Technical report, Brussels, 2020.

[23] M. van Haastrecht, I. Sarhan, A. Shojaifar, L. Baumgartner, W. Mallouli and M. Spruit, “A Threat-Based Cybersecurity Risk Assessment Approach Addressing SME Needs,” in The 16th International Conference on Availability, Reliability and Security, 2021.

[24] T. H. Davenport, Process innovation: reengineering work through information technology, Harvard Business Press, 1993.

[25] M. Hammer and J. Champy, Business process reengineering, London: Nicholas Brealey, 1993.

[26] W. A. Aziz, “Business process reengineering impact on SMEs operations: evidences from GCC region,” International Journal of Services and Operations Management, pp. 545–562, 33(4) 2019.

[27] E. I. Edoun, G. B. Fotso and C. Mbohwa, “Business Process Reengineering: An Evaluation of Soft versus Hard,” in Proceedings of the 2018 International Conference on Internet and e-Business, 2018, pp. 90–93.

[28] D. Chaffey, E-business & E-commerce Management, London: Prentice Hall, 2011.

[29] C. Ponsard, J. Grandclaudon and S. Bal, “Survey and Lessons Learned on Raising SME Awareness about Cybersecurity,” ICISSP, pp. 558–563.

[30] B. J. Galli, “Change management models: A comparative analysis and concerns,” IEEE Engineering Management Review, pp. 124–132, 46(3) 2018.

[31] J. Stouten, D. M. Rousseau and D. De Cremer, “Successful organizational change: Integrating the management practice and scholarly literatures,” Academy of Management Annals, pp. 752–788, 12(2) 2018.

[32] K. Lewin, Field theory in social change, New York, NY, USA : Harper & Row, 1951.

[33] J. P. Kotter, Leading change, Cambridge, MA, USA: Harvard Business, 1996.

[34] J. M. Hiatt, Employees Survival Guide to Change: The Complete Guide To Surviving and Thriving During Organizational Change, Loveland, CO, USA: Prosci Research, 2013.

[35] European Commission, New EU Cybersecurity Strategy and new rules to make physical and digital critical entities more resilient, Brussels, 2020.

[36] M. Benz and D. Chatterjee, “Calculated risk? A cybersecurity evaluation tool for SMEs,” Business Horizons, pp. 531–540, 63(4) 2020.

Biographies


Morten Falch is Associate Professor at the Center for Communication, Media and Information Technologies (CMI) at Aalborg University Copenhagen. He holds a PA in Mathematics, a master’s degree in economics and a Ph.D., and has since 1988 specialised in research on socio-economic issues related to information and communication technologies. This includes economic analysis of applications and telecommunication networks and services (e.g., cost analysis of telecom networks), e-government, regulation of the telecom sector, ICT and industry policy, the role of competition in the innovation of new services, and frequency management.


Henning Olesen received the master’s degree in electrical engineering in 1980 and the philosophy of doctorate degree in electrical engineering in 1983, both from the Technical University of Denmark (DTU). He is currently working as an Associate Professor at the Department of Electronic Systems, Technical Faculty of IT and Design, Aalborg University. His research areas include digital identities and identity management, cyber security, personal data protection, and service architectures. He has authored or co-authored more than 120 international journal and conference papers and has been serving as a reviewer for many highly-respected journals.


Knud Erik Skouby is professor emeritus at Aalborg University. He has had a career as a university teacher and in consultancy since 1972, with a focus on ICT since 1987. He has been project manager and partner in a number of international, European and Danish research projects, an invited speaker at international conferences, and has published a number of Danish and international articles, books and conference proceedings. He is editor in chief of the Nordic and Baltic Journal of Information and Communication Technologies (NBICT) and chair of WGA in the Wireless World Research Forum.


Reza Tadayoni (b 1962), Associate Professor, M.sc.E.E., Ph.D., Head of the section, Communication, Media and Information technologies (CMI)/Electronic Systems/Aalborg University. He holds M.Sc.E.E. from DTU (Danish Technical University), specializing in broadband communication, and holds a Ph.D. from DTU in the field of media convergence. His research and teaching areas have, for the last 30 years, been within the ICTs, focusing on media convergence, including technology and business perspectives.


Idongesit Williams is Assistant Professor at Aalborg University Copenhagen. He holds a Bachelor’s degree in Physics, a Master’s degree in Information and Communications Technologies and a Ph.D. Since 2010 he has researched socio-economic and socio-technical issues related to information and communications technologies. His research areas include the facilitation of telecom and ICT infrastructure using public-private partnerships, the development and sustenance of community-based networks, and e-government. He has authored more than 60 research publications, including journal papers, books, book chapters, conference papers and magazine articles.
