It’s fair to say that cyber is an undervalued risk for small and medium sized businesses, and it’s easy to see why. Cyber breaches and data hacks of huge, global brands like Marriott, Cathay Pacific and Talk Talk dominate the headlines. But away from the media glare the reality is very different, in fact 43% of small businesses have suffered a cyber security breach in the last 12 months* - but when was the last time you read about that in the news?
Perception Between Perceived Threat and Actual
Worryingly our own research data highlights that only 36% of small companies view cyber a priority concern.
Whilst SME’s may not have the same scale of personal data as larger businesses, they still hold valuable information that cyber criminals want, and also have the same exposures and weaknesses as larger businesses.
What are SME’s Common Cyber Exposures?
It’s not highly sophisticated State-sponsored cyber criminals that should concern SME’s. Cyber attacks are usually opportunistic and exploit weakness, be it human error; like employees clicking on an infected link in an email and spreading it to colleagues, customers and suppliers, or poorly maintained systems and operational processes. Look at WannaCry as an example, the NHS was breached because it’s Windows software hadn’t been kept up to date.
The simple things matter.
Social engineering/impersonation fraud attacks are becoming more common and are a complicated issue for SME’s because they trick staff to exploit human weakness, like opening phishing emails, paying fraudulent invoices or sharing personal data.
Add human error into the mix, like losing laptops and USB sticks, and in particular, mobile phones and the exposures can be huge. Take phones as an example, they are used by staff for online banking, checking work emails, storing PDFs and documents. But how secure is the phone? Do employees update the latest software and use password protection? Do you do that?
Are you on top of your third party suppliers?
Many businesses now use external hosting for service functions including websites, email, data storage and customer services. These providers have their own cyber exposures and weaknesses which could leave a business liable, so ensure due-diligence is carried out.
In 2017, 26,000 Debenhams customer records were compromised due to a cyber-attack that targeted Ecomnova, a third-party e-commerce supplier for Debenhams.
Reputation & Livelihood At Risk
Cyber criminals will often target smaller companies because of their relationships to other higher value companies in the same supply chain, so a cyber breach can cause reputational damage to multiple businesses.
The Costs of a Breach Quickly Add Up
The average cost of a breach is £8,180* which might seem manageable as an isolated cost, but 77% of businesses** suffer from multiple cyber-attacks in the same year, escalating costs considerably.
The largest fine for an SME was £60,000 to Boomerang Video Ltd. An SQL injection breach exposed personal details of 26,331 customers.
So How Can SMEs Protect Themselves?
There are many things SME’s can do to address their cyber exposures. Here are three tips from our expert cyber underwriters:
Company Culture is Vital
Ongoing staff education and training on cyber threats and exposures is vital. Cyber security should be embedded to everyone in the business.
Improved Understanding of Technology risks
Cyber exposures will continue to rise as businesses adopt new technology to innovate and improve efficiency. For advice on Business Continuity Planning read Stuart Kenyon’s blog here.
Cyber Insurance
Comprehensive cyber insurance is available for all businesses, regardless of their size. Coverages should protect against malfunctions, malware and hacking, with costs for operating losses, and restoration costs included. The best solutions will also cover costs for legal advice and PR consultancy to limit reputational damage too.
As a specialist insurer, it is our role to help businesses surmount the cyber and regulatory risks which dominate today, respond to the challenges for tomorrow, and identify the gaps in risk analysis which could impact SME business growth plans. For more information on what our Cyber Policy provides, click here.
|
Mark Armstrong
Underwriting Manager, Cyber & Tech
UK Regions & Ireland
[email protected]
|
* Cyber Security Breaches Survey 2018 Report.
** 2018 Cyberthreat Defense Report, cyber edge Group.