Recent research and surveys indicate the threat to UK business from Cyber-crime continues to grow; not least because of the need for businesses to work to ever-tightening margins, do more with less and try to compete against businesses with lower overheads, often overseas.
Human involvement (whether negligent or malicious) is a significant factor; the 2019 Code42 Global Data Report revealed that 69% of the data breaches experienced in the previous 18 months had been caused by employees 1. Additionally, 63% of the respondents admitted to bringing data from past employers to their new jobs; with greater employee mobility now being the norm, the threat from insider data theft is only going to increase.
According to Verizon’s 2019 Data Breach Investigations Report, 43% of Cyberattacks target small businesses because they are more likely to succeed 2.
The increased use of contractors and freelancers, as well as flexible working becoming more common, means more electronic devices in more locations. SMEs also face the risk of being hacked by cyber criminals looking to access organisations up the digital supply chain, and according to IBM’s 2019 study, the average cost of a data breach has risen 12% over the past 5 years 3.
Potential data breach fines from The Information Commissioner’s Office (ICO) are now approaching levels that could put many smaller enterprises out of business.
So, there’s never been a more important time for SMEs to have the right cybersecurity strategy in place.
So what can UK SMEs do to protect themselves?
For many small to medium-sized businesses, it’s just not feasible to spend a significant proportion of their profit on a Cyber protection strategy that could withstand attempted hacks from Anonymous or a rogue nation state.
However, you can:
- Educate your employees about cybersecurity, creating an environment where they take responsibility for safeguarding the company data and the integrity of the system. This includes only using secure systems for communicating with colleagues wherever possible, and not sharing information via personal email, as well as the obvious avoidance of clicking on links you’re not 100% certain about.
- Minimise the threats posed by malicious employees by restricting access to sensitive data, banning the use of removable memory hardware and limiting BYOD use.
- Keep your security software and operating systems up to date
What about Cyber Insurance?
According to research by the Federation of Small Business and the Association of British Insurers (ABI) in 2019, SMEs are subject to 10,000 Cyberattacks per day 4; however, only around 11% of UK businesses currently buy Cyber insurance 5. This is despite 60% of medium businesses reportedly 6 suffering a system breach that incurred an average cost of £9,270 to remedy. Here’s a sample of some of the reasons businesses don’t believe they need Cyber Insurance:
- We’ve never been hacked before
- We’re compliant with GDPR, PCI DSS and other regulations, so we’re secure
- We’ve invested in IT Security, so we don’t need Cyber Insurance
- We outsource IT, so we won’t be exposed to an attack
- We don’t collect or store any sensitive data, so Cyber Insurance isn’t necessary
- We’re too small to have a Cyber attack
- We’re already covered under other insurance policies
However, for many thousands of businesses, the reality is that they were targeted; their systems weren’t robust enough to prevent a breach, and there was no insurance cover in place to help cover the costs.
Cyber insurance is a valuable tool to consider in your Cyber strategy; pricing has improved in recent years, and many policies can be tailored to provide cover for the areas that most businesses are concerned about – social engineering, phishing, and ransomware. Some of the policies can also provide access to specialist support in the event of a system breach, help identify why and how the breach occurred, as well as advise on preventing further breaches.
Insurers also actually pay claims – according to the same ABI report, 99% of claims made on their members’ policies were settled in 2018.
Given that your IT system is probably vital in keeping your business trading, can you really afford not to have access to expert advice and a financial safety net should that life-support get interrupted?
2 Verizon Data Breach Investigations Report 2019
3 IBM Cost of a Data Breach Report 2019
6 Department For Digital, Media, Culture & Sport Cyber Security Breaches Survey 2019
OAMPS is part of Pen Underwriting Limited which is authorised and regulated by the Financial Conduct Authority (FCA number 314493). Registered Office: The Walbrook Building, 25 Walbrook, London EC4N 8AW. Registered in England and Wales. Company Number: 5172311.