By Michael Whitfield, Managing Director at InsurTech firm CPP Group UK.
In the chaos of establishing and growing a small business, it is easy to lose sight of the importance of cybersecurity. Founders and CEOs are often too caught up in the day-to-day running of their businesses to take a moment to consider the vulnerability of their IT systems, or, in many cases, do not have the technical expertise to be conscious of the risks.
As the risks increase, however, it is an oversight that small businesses cannot afford to make.
Headlines are frequently captured by stories of high-profile data breaches and cyber attacks. The past two years have seen massive data breaches at British Airways and Capital One, to name just two. With the prevalence of these stories, small business owners might convince themselves that they are of no interest to cyber criminals, when, in reality, it is very much the opposite.
Cyber criminals are increasingly aware of the easy targets that small businesses can be, and consequently the incidence of attacks is frightening. Research has calculated that UK SMEs are the target of approximately 65,000 cyber attacks every day – about 45 every minute.
Of these attempts, the success rate is nominal, but the sheer quantity means that a UK small business is hacked once every 19 seconds. Almost one in three small businesses reported suffering a cyber breach in 2018. According to the Ponemon Institute, the number of small and medium businesses across the US and UK that reported an attempted cyber attack in 2017 was 61%; in 2018, this figure had jumped to 67%.
The reasons for the increased focus on SMEs are numerous. Most frequently, however, it comes down to a question of resources. Businesses in the process of scaling up rarely have dedicated IT departments to ensure that their systems are up to date and that risks are quickly dealt with. Seventy-three percent of businesses cite lack of personnel as a reason they feel unprepared to prevent a cyber attack. Insecure and unguarded, these businesses make easy pickings for a competent cyber attacker.
More often than not, a lack of personnel stems from a shortage of cash flow, which is itself a reason for increased cyber vulnerability. While larger corporations often have the ability to spend far more on security products, they are also far more likely to be able to absorb the financial impact of a cyber attack if one does take place. The same cannot be said for SMEs.
A cyber attack has a number of consequences for SMEs. The most immediately appreciable of these is the aforementioned financial impact. The average cost to a small business in the wake of a cyber attack is £65,000, which is enough to put many SMEs under for good. This spend is made worse by the fact it is often required while the business has had to cease operation.
The damage is not only financial. Smaller businesses can find it hard to recover from the reputational damage that a large data breach causes, particularly if they operate within a densely populated sector. Just as they often lack the IT personnel to mitigate the attack itself, these businesses likely lack a PR team who can help mitigate the fallout. Between the financial and reputational damage, it is unsurprising that SMEs can find it impossible to recover from a cyber attack.
There is a wide range of products and solutions that SMEs can use to protect themselves against cyber threats, but given that many are unprotected because of a shortage of available funds, it is important that a budget for cyber security is put to the best possible use.
This stretches beyond the obvious requirements of a firewall and high-quality anti-virus software. Employees are the most common reason for an attack, with 60% of breaches being traced back to a negligent member of staff and 80% of businesses reporting cyber breaches having experienced at least one attempted phishing attack.
Cybersecurity training for staff is therefore a useful measure to counteract this, giving them the tools and the confidence necessary to recognise threats and deal with them accordingly. It is costly, however, and time-consuming, especially for a business with a substantial number of employees. Furthermore, it does not entirely abate the risk; people get tired, lose focus, and make mistakes. Eventually, something is almost certain to slip through the gaps.
Thankfully there is an increasing number of software products that can help ensure that a business is ideally positioned in the face of cyber threats. Much of this software is specifically preventative, and seeks to make a business aware of its most dangerous vulnerabilities.
Software can run a scan of a business’ entire online presence, and identify lapses in security, organising by severity, and offering advice for the best and most efficient ways of remedying the issue. It is particularly useful for CEOs who might lack technical literacy, presenting the vulnerability in plain, understandable terms, and allowing them to approach an IT consultant with a specific list of things to be changed. Ideally, it can be coupled with software that passively and continually monitors for breaches, such as products that can constantly scan the dark web for the appearance of a business’ data.
Regular use of such software can ensure a business is always as secure as possible, making it a much less enticing target for cyber criminals. With the frequency of SME cyber attacks, the difference between being targeted and left alone can be as simple as being a more awkward target than a competitor.
Of course, whilst all SMEs would prefer to avoid a breach altogether, it is impossible to know whether a business’ preventative measures are enough to stop an attack when the strategies used by cyber criminals evolve at such a frightening pace.
This is where cyber insurance can offer a solution. Cyber insurance is sadly under-utilised in the world of business, with only 11% of businesses having a dedicated cyber insurance policy in place, giving it a market size a tenth of the size of the UK pet insurance industry. This is especially surprising given that the payout rate on cyber policies is 99%, one of the highest across the entire insurance sector.
If, despite a business’ preparations, an attack is successful, a good cyber insurance policy will provide the funding mechanisms necessary to smooth the return to full operation, along with a number of tools to manage the incident itself and mitigate the total damage done.
Ultimately, it can be the difference between a business taking an unfortunate hit and recovering, and a business going under entirely. Without a doubt, coupling high-quality preventative measures with a comprehensive insurance policy gives a small business the best possible protection from the growing cyber risk, making sure an attack is very unlikely to be successful, but giving the business much-needed security and mitigation in the event that it is.