Cyber attacks, such as malware, phishing and ransomware, are a serious threat. According to government data released this week, nearly a third of UK businesses identified a cyber attack in the last 12 months, with a fifth (21%) estimating that attacks happen weekly.
Around seven in 10 (71%) businesses say cyber security is a high priority, according to the 2023 Cyber Security Breaches Survey, but the reality is that many businesses aren’t taking adequate preventative measures.
Just 14% of businesses are aware of the government-backed Cyber Essentials scheme, which helps businesses to get the basics right and offers tools to guard against common online threats. Separate research from the Federation of Small Businesses (FSB) also suggests that few small businesses access the cyber security tools and guidance available to them. What’s more, according to the same government survey, larger organisations are most likely to take action to enhance their cyber security.
We ask the experts why many small businesses aren’t addressing cyber threats and outline some of the steps to consider.
“It won’t happen to me”
Many small business owners may feel the risk of cyber attack is minimal and could underestimate the potential financial and reputational damage. The survey found that smaller organisations are logging cyber attacks less frequently than last year. This may be because their focus is more on making ends meet than monitoring cyber issues. But the cyber threat remains and, as most UK organisations are considered small, this could be cause for concern.
“While small businesses are rarely sufficiently well known to hit the headlines, they are a growing target for cyber attacks,” says Sally Adam, senior director of marketing at security software company Sophos. Its 2022 State of Ransomware Report found that nearly half of organisations with 100 to 250 employees reported an increase in the volume of cyber attacks, and the results can be devastating. “Cyber incidents have a major impact on small businesses,” Adam says, “with 72% of small business ransomware victims reporting that they lost business as a result of the attack.”
The lower level of media coverage about cyber attacks on small businesses could also encourage a sense of complacency.
“The only time we hear about it is when it happens to a very large corporation,” says Amanda Walton, CEO of Enterprise Centres of Excellence at insurance broker Marsh Commercial. “But actually it happens every day of the week to small businesses, and they’ve got very, very little [media] coverage out there. If you think these people could get through to those kinds of secure environments, how easy is it to get to a local butcher or baker? And it’s also the negative PR that this gives that business.”
What do cyber attacks look like for SMEs?
Social engineering scams are common, says Edward George, account executive at independent insurance broker One Broker, who gives the following example of how easy it is for small to medium-sized enterprises (SMEs) to be scammed.
“Hackers impersonate a director asking the accounts department to send a payment to a supplier or customer, and the payment is made. It is then discovered the email is from a spoof account with only a slight difference in the email address, making it very difficult to spot.”
George adds that malware is another threat. “People click on links and attachments, which release malware on to a system,” he explains. “SMEs, in particular, do not have the infrastructure or expertise to deal with a major breach of their systems. Most SMEs we talk to admit they wouldn’t know the first thing to do in the event they couldn’t get into their systems on a Monday morning, for example.”
During the first pandemic lockdown, 16% of small businesses developed or increased their digital presence, with 24% increasing or adopting new digital technologies, according to the FSB. This has increased their exposure to cyber crime.
“Adversaries will take advantage of any opportunity to penetrate an organisation. If you have made changes to your business and technology operations, always take the time to ensure that you have not inadvertently opened up new gaps in your defences,” says Adam.
“It’s complicated and daunting”
It can be tricky to get to grips with cyber threats and the security measures you should take. The government survey revealed a general lack of knowledge about this among senior leaders. This can leave businesses only reacting to cyber attacks when they happen, rather than taking steps to prevent them in the first place.
This complexity can also extend to cyber insurance. A survey by the FSB found that as many as 38% of small businesses that have a cyber insurance policy don’t know what it covers.
This is compounded by the lack of consistency in the standard cover for cyber insurance. For example, it found that in the London market alone, cyber policies use around 50 different definitions of ‘computer system’.
“Cyber insurance covers are broadly split into two categories: cyber liability and cyber crime,” George explains. “Cyber liability is primarily concerned with the loss of data, be it customers, suppliers or employees, for example. It also covers things like ICO [Information Commissioner’s Office] notifications, investigations and reinstatement of data. Cyber crime is primarily concerned with social engineering, fraud and theft.”
Of course, businesses get cyber insurance for a reason. Adam says: “The good news for small businesses that choose to mitigate risk through cyber insurance is that 98% of those who made a claim for ransomware reported that they received some form of payout.” This included payments to help get organisations back up and running, downtime and lost opportunities, and ransom money.
Even so, there are barriers to cyber insurance. These include a recent rise in premiums and more stringent expectations from insurers for the level of cybersecurity measures the business has in place.
Funding for cyber security and in-house expertise may also be in shorter supply for small businesses.
Ways to help combat cyber crime
Putting basic risk management measures in place, such as data back-up, firewalls, antivirus software and secure passwords, is a start.
“Steps such as multi-factor authentication and staff training can help a business build digital resilience. Many claims result from human error, so giving staff training is an essential means of reducing the risk of a breach,” says George.
It’s more common for micro and small businesses to use external expertise for cyber vulnerability audits when in-house knowledge is lacking. The National Cyber Security Centre offers an online guide to cybersecurity for small businesses if you’re not sure where to begin.
Another benefit of cyber insurance is that it may not be restricted to dealing with the fallout from cyber attacks. “Some insurers offer access to training academies for staff to help raise awareness of risk and provide monitoring services,” says George. “This allows them to look for vulnerabilities and alert clients of these vulnerabilities before a breach.
“The reality is hackers’ techniques are changing so quickly, and there are numerous ways of infiltrating a system,” he explains. This is why cyber insurance can be an important consideration alongside cybersecurity measures. After all, he says, “Just because you have a smoke alarm doesn’t mean you shouldn’t insure your building in case of a fire.”