1. Introduction
The advancement of information and communication technologies has impacted many areas of our society, from online shopping to social interaction. Despite the positive impacts that such technologies have had, they also present many risks; for example, the use of information and communication technologies introduces the risk of cybersecurity attacks. A recent report estimated that the economic cost of cybersecurity attacks would reach more than $1 trillion worldwide for the period from 2017 to 2021 [1]. The same report indicated that two thirds of the organizations investigated had experienced some kind of cybersecurity threat in 2019. The cost of cybersecurity incidents goes beyond the direct cost to include various kinds of indirect harm, such as damage to the enterprise’s reputation, data breaches, etc. [2]. Thus, many organizations of different sizes have utilized technical and non-technical solutions to deal with cybersecurity threats.
Small and medium-sized enterprises (SMEs) play important roles in the economies of many countries. The majority of businesses are considered to be SMEs and they are responsible for a significant share of job creation. The World Bank estimated that seven out of ten jobs will be created by SMEs by 2030 [3]. SMEs are also responsible for more than 50% of employment worldwide [3]. Additionally, SMEs contribute more than 40% of the gross domestic product (GDP) in emerging economies [3]. Considering the importance of SMEs, the increase in the number of cybersecurity attacks targeting SMEs is alarming. For example, the percentage of cybersecurity attacks that targeted SMEs increased from 34% to 43% in the United States of America (USA) in 2015 [4] and increased again from 61% in 2017 to 67% in 2018 [5]. Consequently, to support SMEs in improving their cybersecurity practices and competencies, many authorities around the world have developed strategies and initiatives specially tailored to small businesses. The United Kingdom’s government developed a security guide to help small-sized organizations improve their cybersecurity practices [6]. Other countries also developed their own frameworks to promote increased awareness of cybersecurity threats, such as by publishing the Framework for Improving Critical Infrastructure Cybersecurity in the USA [7] and instituting the National Agency for the Security of Information Systems (ANSSI) certification in France [8].
Measuring the impact of cybersecurity attacks on small businesses is an important matter that still requires further investigation. Although many research efforts have addressed cybersecurity education and awareness in small businesses [9], only a few studies have discussed in detail the impact of cybersecurity practices on the level of harm done to small enterprises by cybersecurity attacks [10,11]. Our research paper is among the first to analyze the impact of cybersecurity practices on the amount of damage resulting from cybersecurity attacks on small enterprises in Saudi Arabia. The aim of this research is to measure how certain security practices can affect small enterprises and the level of harm that may result from cybersecurity attacks.
This research tries to answer the following research questions:
What is the impact of cybersecurity practices at small enterprises in Saudi Arabia in the event of cybersecurity attacks?
What is the relationship between cybersecurity practices and the level of harm that may result from cybersecurity attacks?
The research questions can be answered through the following research objectives:
To identify the current cybersecurity practices that can be used by small enterprises.
To identify the possible harms that may result from cybersecurity attacks.
To formulate a theoretical framework for determining the impact of various security practices on the harm caused by cybersecurity attacks, especially for small enterprises in Saudi Arabia.
To conduct a survey to identify the relationship between cybersecurity practices and the level of harm that may result from cybersecurity attacks.
To analyze the results of the survey using multiple regression analysis.
2. Background
The world is facing a high level of risk as new emerging technologies advance and improve. Cyber-attacks are considered a threat to individuals, businesses, and governments. They manipulate users to gain access to their information [12]. Many of the issues under the umbrella of cybersecurity relate to system applications, operating and communication systems, and electromagnetic equipment [13]. Cyberattacks can be defined as:
“A hostile act using computer or related networks or systems, and intended to disrupt and/or destroy an adversary’s critical cyber systems, assets, or functions. The intended effects of cyberattack are not necessarily limited to the targeted computer systems or data themselves—for instance, attacks on computer systems which are intended to degrade or destroy infrastructure or C2 capability. A cyberattack may use intermediate delivery vehicles including peripheral devices, electronic transmitters, embedded code, or human operators. The activation or effect of a cyberattack may be widely separated temporally and geographically from the delivery” [14].
In 2020, a report reviewed the main cybersecurity incidents that occurred in 2019 [15]. It indicated that more than 21 million unique passwords, and more than 770 million emails, had been hacked. It also pointed out that the details of 620 million web accounts had been stolen and offered for sale. In addition, more than half a billion Facebook accounts were unprotected from attack.
Figure 1 shows the total cost of cyberattacks in various countries in 2018.
Saudi Arabia (SA) is one of the countries that has suffered the most from cyberattacks. The percentage of Saudi companies affected by cyberattacks increased from 19% in 2012 to reach 31% by 2018. Such attacks cost 2.6 billion SAR for the same period. One of the worst such crises to occur in the Kingdom of Saudi Arabia (KSA) was the 2012 attack on the Saudi Aramco oil company, which destroyed 30,000 computers [16]. Therefore, the cybersecurity market in the KSA is expected to increase from $2.9 billion in 2019 to $5.7 billion by 2023 [17].
Figure 1. Total cost of cyberattacks in various countries. Source: [18].
A study conducted by [18] critically reviewed the definition of SMEs. It indicated that there is no universal definition for SMEs and that different terminologies are used for enterprises that are not considered large, including small businesses, small and medium-sized enterprises, and micro, small, or medium enterprises. Nevertheless, these terminologies are used interchangeably. The study mentioned that the International Labour Organization has found more than 50 definitions in 75 different countries [18]. However, the European Commission stated that enterprises can be defined based on the number of employees, annual turnover, and financial criteria. The World Bank has used three criteria to define SMEs: number of employees, annual sales in U.S. dollars, and total assets in U.S. dollars.
The World Bank conducted a study across 132 countries in order to define SMEs. A third of the countries (64 out of 132) defined SMEs as businesses that have fewer than 250 employees, but every country has the freedom to define SMEs according to their needs [19].
Saudi Arabia established Monshaat in 2016. The objectives of Monshaat are to organize, support, develop, and sponsor the SME sector in the KSA in accordance with international best practices to raise the productivity of these enterprises and increase their contribution to the gross domestic product from 20% to 35% by 2030. Monshaat has identified three categories for SMEs: micro, small, and medium. SMEs are categorized according to two criteria: the number of full-time employees and the total volume of revenue [20].
Table 1 shows the categorization of SMEs according to Monshaat.
One of the sectors most affected by cyberattacks is small and medium-sized enterprises (SMEs). The reason behind the increasing attacks on SMEs is the weakness of their infrastructures compared to those of large enterprises [9]. SMEs regularly have difficulties in complying with new regulations and deploying security measures in their systems and hardware due to lack of resources, lack of experience, and lack of awareness [9]. A report indicated that 93% of SMEs have been affected by cybersecurity incidents that caused a financial loss [21]. Fifty percent of SMEs have faced a problem in operating their businesses because of cybersecurity issues. Thirty-one percent have seen their reputations damaged, causing a loss of customers. The report indicated that cyberattacks are increasingly targeting SMEs and that 50% of all cyberattacks in 2017 were against SMEs. Cybersecurity incidents can heavily disrupt SMEs’ business, negatively impacting the financial bottom line, and it can be difficult to recover from such incidents. There are two reasons why an SME may be targeted: the SME does not have strong and robust security, or the SME does not invest sufficiently in security relative to large enterprises [21].
In 2017, the Office of the New South Wales Small Business Commissioner estimated that the average cost of a cybersecurity event was $50,000 per incident and that 60% of SMEs would be affected by a cybersecurity incident [22]. Another study was conducted by [5] to identify the state of cybersecurity among SMEs in the United States and the United Kingdom. The study encompassed 1045 individuals from different companies and showed that the percentage of cyberattacks targeting SMEs had increased from 61% in 2017 to 67% in 2018. The average cost for companies to recover also increased from $1.03 million in 2017 to $1.43 million in 2018. The average cost of returning to normal operations after the cyberattack increased from $1.21 million in 2017 to $1.56 million in 2018 [5].
Even so, many SMEs do not understand how to protect themselves from cyberattacks, which further contributes to SMEs coming under attack [17,23], especially when the attackers take advantage of some security vulnerabilities such as DNS typo-squatting attacks, as mentioned by [24].
4. Research Method
This study aims to measure the effectiveness of security practices at small enterprises in Saudi Arabia in the event of a cybersecurity attack. Thus, a questionnaire was developed targeting a variety of stakeholders in small enterprises in Saudi Arabia.
A literature review was conducted to identify the items to include in the questionnaire that was then developed. Subsequently, the questionnaire was reviewed by a panel of experts in the computer science department of Shaqra University to check the validity of the content. The questionnaire was then translated into Arabic by the authors and reviewed by an expert to check the quality of the translation. The pilot study was conducted with a group of master’s degree students to identify any spelling or timing issues. The researchers obtained ethical approval for this research from the Research Ethics Committee at Shaqra University in Saudi Arabia.
Google Forms was used as the online survey tool. The subjects of this research consisted of various stakeholders who are involved in small enterprises in Saudi Arabia, such as employees, customers, owners, supporters, or partners. The researchers sent the link via email to the participants and applied the snowball sampling technique to reach more participants. Although the snowball sampling technique carries the risk that respondents share the same characteristics, the researchers selected the initial participants carefully and with a diversity of roles to limit this effect [26].
The questionnaire consisted of 19 questions and was divided into four sections. The first section included information about the study and research team and provided the consent form. The second section collected demographic information about the participants such as gender, age, and their role in the small enterprise. The third section included the factors being examined to measure their impact on the damage caused by cyberattacks on small enterprises in Saudi Arabia. The fourth section encouraged participants to leave additional comments regarding the study.
6. Discussion
This study aims to identify what factors may impact the level of damage done by cybersecurity attacks on small enterprises in Saudi Arabia in terms of three different aspects, namely financial damage, the loss of sensitive data, and the length of time required to restore the system to its normal functioning. While 20.5% of respondents stated that their organizations had lost sensitive data during the attacks, only 14.2% of the participants reported that the cybersecurity attack caused financial damage to their enterprises. The results are similar to findings from the Australian Competition and Consumer Commission (ACCC) [23], which indicated that 26.4% of small-sized organizations in Australia faced financial harm due to cybersecurity events. The amount of time it took SMEs in this study to restore their systems to normal functioning varied between enterprises and reached days (22.3%) or months in some cases (9.6%). This is considered a long time when compared with other enterprises, as mentioned in [29].
This study also aims to discover the impact certain cybersecurity practices have on the three above-mentioned aspects.
The results indicate that only two factors—inspection team and recovery plan—have an impact on the financial damage caused by cybersecurity attacks on small enterprises. The multiple regression analysis shows that small enterprises that have an inspection team and a recovery plan are less likely to suffer major financial damage in the event of a cybersecurity attack. This result shows the importance of having a dedicated team in place to review the procedures related to information security measures, as required by many authorities in Saudi Arabia, such as the Capital Market Authority [30]. Having a recovery plan at the ready is also recommended by many international organizations such as the International Organization for Standardization and International Electrotechnical Commission (specifically, ISO/IEC 27031) [31] as well as the National Cybersecurity Authority (NCA) in Saudi Arabia [32].
Regarding the loss of sensitive data, three factors were identified as having an impact: cybersecurity awareness, knowledge of cybersecurity damage, and professionals’ salaries. It was surprising to find a positive relationship between the knowledge of cybersecurity damage and the loss of sensitive data among small enterprises. However, a possible explanation of this finding may be that when employees have the cybersecurity knowledge necessary to identify data security breaches, more such breaches will be reported [33]. Many studies have indicated the effectiveness of cybersecurity awareness in reducing the impact of cybersecurity attacks [9]. Professionals’ salaries were also found to have an impact on the loss of sensitive data from cybersecurity attacks; specifically, enterprises that provided higher salaries were less likely to lose sensitive data. The positive relationship between economic incentives and improved levels of cybersecurity was also identified in [34].
Only two factors, contact with cybersecurity authorities and having an inspection team, were found to have statistically significant effects on restoration time. Contacting the national cybersecurity authorities is compulsory in many cybersecurity frameworks, such as [35], especially in the event of mid-level or highly classified security breaches. Doing so could reduce the impacts of cybersecurity incidents and ensure that organizations are following the security protocols provided by the authorities. Having a security operations team that can inspect cybersecurity activity has also been recommended by many authorities [30,32,35]. Based on this study’s findings, the establishment of such a team can prove highly beneficial for small enterprises in the event of a cybersecurity attack.
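The discussion above interprets multiple regression output: a negative coefficient on a practice indicator means enterprises with that practice report less harm, and a coefficient is taken as a real effect only when its t-statistic is large relative to its standard error. The following is an added example, not code from the paper, showing how such an analysis is carried out on coded survey answers. The data set is constructed (three hypothetical practice indicators and a 0 to 3 financial-harm level, not the paper's survey), and the |t| > 2 cutoff is a rough rule of thumb rather than an exact critical value. It is written in plain Python so it runs without any statistics library.

```python
"""Ordinary least squares over coded survey answers (added example)."""
from itertools import product

# Hypothetical practice indicators (1 = practice in place, 0 = absent).
PRACTICES = ["inspection_team", "recovery_plan", "awareness_training"]


def constructed_survey():
    """Constructed toy responses: balanced 2x2x2 design, two enterprises per cell.

    The harm level is built so that an inspection team and a recovery plan each
    lower expected harm by one level while awareness training has no effect;
    the +/-0.5 term stands in for respondent-to-respondent variation.
    """
    rows = []
    for inspection, recovery, awareness in product((0, 1), repeat=3):
        expected_harm = 2.5 - inspection - recovery
        for variation in (0.5, -0.5):
            features = {"inspection_team": inspection,
                        "recovery_plan": recovery,
                        "awareness_training": awareness}
            rows.append((features, expected_harm + variation))
    return rows


def invert(m):
    """Gauss-Jordan inverse of a small square matrix given as nested lists."""
    n = len(m)
    a = [row[:] + [1.0 if i == j else 0.0 for j in range(n)]
         for i, row in enumerate(m)]
    for col in range(n):
        pivot = max(range(col, n), key=lambda r: abs(a[r][col]))
        a[col], a[pivot] = a[pivot], a[col]
        p = a[col][col]
        if abs(p) < 1e-12:
            raise ValueError("singular design matrix: collinear predictors")
        a[col] = [v / p for v in a[col]]
        for r in range(n):
            if r != col and a[r][col] != 0.0:
                f = a[r][col]
                a[r] = [rv - f * cv for rv, cv in zip(a[r], a[col])]
    return [row[n:] for row in a]


def ols(rows, predictors):
    """Fit harm = b0 + sum(b_j * x_j); return per-term coef/SE/t and R^2."""
    X = [[1.0] + [float(feat[p]) for p in predictors] for feat, _ in rows]
    y = [float(v) for _, v in rows]
    k = len(predictors) + 1
    xtx = [[sum(r[i] * r[j] for r in X) for j in range(k)] for i in range(k)]
    xty = [sum(r[i] * yi for r, yi in zip(X, y)) for i in range(k)]
    inv = invert(xtx)                       # (X'X)^-1, the normal equations
    beta = [sum(inv[i][j] * xty[j] for j in range(k)) for i in range(k)]
    fitted = [sum(b * v for b, v in zip(beta, r)) for r in X]
    rss = sum((yi - fi) ** 2 for yi, fi in zip(y, fitted))
    mean_y = sum(y) / len(y)
    tss = sum((yi - mean_y) ** 2 for yi in y)
    sigma2 = rss / (len(y) - k)              # residual variance, n - k d.f.
    terms = {}
    for i, name in enumerate(["intercept"] + list(predictors)):
        se = (sigma2 * inv[i][i]) ** 0.5
        t = beta[i] / se if se > 0 else float("inf")
        terms[name] = {"coef": beta[i], "se": se, "t": t}
    return {"terms": terms, "r2": 1.0 - rss / tss}


def significant_practices(fit, predictors=PRACTICES, t_cutoff=2.0):
    """Practices whose coefficient is distinguishable from zero (rough |t| rule)."""
    return [p for p in predictors if abs(fit["terms"][p]["t"]) > t_cutoff]


if __name__ == "__main__":
    fit = ols(constructed_survey(), PRACTICES)
    for name, term in fit["terms"].items():
        print(f"{name:20s} coef={term['coef']:+.3f} se={term['se']:.3f} t={term['t']:+.2f}")
    print("R^2 =", round(fit["r2"], 3))
    print("practices associated with lower harm:", significant_practices(fit))
```

On the constructed data the fit recovers the built-in effects exactly (inspection team and recovery plan at -1.0 each, awareness training at 0) with |t| around 3.5 for the two real effects, so only those two are reported. Real survey data are not balanced in this way, which is why the code computes the full (X'X)^-1 and raises on collinear predictors instead of relying on marginal mean differences.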
9. Conclusions
As the importance of information and communication technologies has increased, the need to protect these technologies has increased likewise. Thus, cybersecurity is becoming a vital consideration for any organization. However, small enterprises still face difficulties in providing the required cybersecurity protection for various reasons such as the high cost of cybersecurity solutions. Our paper discusses the relationship between various cybersecurity practices and the damage caused by cybersecurity attacks, which is an emerging research topic. Twelve cybersecurity practices and three possible impacts of cybersecurity attacks were discussed and tested using multiple regression analysis. The results showed that having an inspection team and a recovery plan may limit the financial damage caused by cybersecurity attacks on small enterprises. The results also indicated that cybersecurity awareness, knowledge of cybersecurity damage, and professionals’ salaries were related to the loss of sensitive data. Furthermore, the results showed that contact with cybersecurity authorities and having an inspection team have statistically significant effects on restoration time. The implication of this study is that small enterprises should focus more on certain cybersecurity practices that can decrease the impacts of cybersecurity attacks. Future studies are suggested to overcome the limitation of this research. For instance, it would provide valuable insight to increase the sample population to include large organizations, apply a similar research framework to them, and compare the results with those of the current study.