Are large institutions and government departments more susceptible to cyber attacks?

Cyber attacks loom large every day in our ever-more connected world. As I have said in previous blog posts, more and more cases of cyber attacks are appearing in the headlines on a daily basis, such as the recent case of Mole Valley District Council.

From reading the news, it would seem that only large institutions or government departments suffer data breaches. Is it that these organisations are more susceptible to cyber attacks, or is it simply because they are more likely to admit to suffering a data breach?

Large organisations and government departments tend to ‘own up’ after having been compromised. A case in point from the last couple of weeks is Emory State University, USA. Shortly after learning they had suffered a data breach, the university took measures to ensure both faculty and students were protected by making an announcement to those concerned.

Our perception that large organisations and government departments are more susceptible to cyber security issues is wrong. More often than not, large organisations are better prepared and more resilient than smaller organisations. They have more resources at their disposal and are often regulated more stringently to handle situations such as a data breach.

But what can SMEs do to ensure they are prepared, should a cyber attack occur? The simple answer is to take a balanced approach to cyber security that combines people, processes and technology. A balanced approach to cyber security is offered in PAS 555:2013. This offers an outline of what effective cyber security looks like, rather than focusing on how to achieve it. This means you can focus on using your own internal best practices and ways of working to achieve effective cyber security.

There are other documents for cyber security that are also helpful, such as ISO/IEC 27001 and ISO/IEC 27032.

By reading these documents and getting started with cyber security, you can really make a difference!


  1. says

    This is a perception issue. You see a lot of large organizations in the news that are compromised, but that’s because they’re the big stories. There are a lot of much smaller ones who experience breaches and you don’t hear about them for a few different reasons.

    First, they’re small enough that mainstream news knows it doesn’t affect many people. So the media doesn’t care to report on it. Second, small companies can more easily cover this kind of thing up. Not that it’s easy or that silencing people is effective, but it’s easier to manage a few hundred customers than tens of millions.

    Last, and the biggest problem, is that sometimes these small companies don’t even know that they’ve been compromised. It might be months or years for them to find out because they don’t have the processes, procedures or tools in place to watch for this kind of stuff. They don’t have the dedicated staff or security experts on staff to even know what to look for to see if they’ve been breached.

    How is the end customer supposed to hear about a breach when the vendor doesn’t even know? It comes down to monitoring servers, and most small businesses don’t bother to do it… at least not until after they’ve already experienced a breach.
