Prioritising social engineering risk reduction measures for UK-based small and medium-sized enterprises

The field of cybersecurity devotes time and effort to raising awareness of threats and measures to be implemented to reduce the risks. It is difficult for organisations, especially small ones with limited resources, to implement all possible threat mitigation measures. They have to satisfice by implementing only the measures they can afford and those that make the biggest impact in terms of reducing their vulnerability. Unfortunately, there is limited evidence to support such prioritisation. We explored the prevalence of threats and the relative efficacy of a range of commonly implemented measures that mitigate the most pervasive of these. First, to explore prevalence, we consulted industry and government reports. Second, to explore mitigations, we analysed data gathered by the UK government on the cost and impact of cyberattacks on businesses, charities, and educational institutions, as well as the risk mitigation measures they take (n = 3991). Social engineering was identified as the most common UK threat vector, and the most effective mitigations to social engineering were (1) National Cybersecurity Centre’s Cyber Essentials (standard) certification and (2) up-to-date malware protection. These findings can inform small business' prioritisation of threat mitigation measures.