With more than 150 countries and 200,000 computers so far affected by the recent ransomware cyber-attacks, no company is too big or too small to be a target.
In our Hiscox Cyber Readiness Report 2017 we found that SMEs are particularly susceptible to cyber-attack as many cyber criminals see them as a soft target and potential gateways into the larger businesses that the SME might work for. If global businesses such as FedEx and Nissan can be affected by this cyber-attack then SMEs undoubtedly can too.
Any business, regardless of the industry it operates in, is a target for cyber criminals, although some industries have experienced more cyber-attacks than others. Over 40% of healthcare and pharmaceutical firms suffered two or more cyber-attacks in the past 12 months, for instance, and this will have increased now as the NHS has come under fire.
How to improve your cyber security
We also found that those who ranked as cyber security novices (those with the least developed approach to cyber readiness) were more likely to be SMEs compared to cyber security experts who were more likely to be large companies. While this may not seem surprising given the typical small business does not have the IT resources that a larger business might have, the good news is SMEs can up their cyber security game by following six steps (most at little or no cost):
1. Involve the boss
In our report, one of the defining characteristics of firms that rank as cyber experts is the involvement of their board and executive management in setting cyber security strategy. Of course, most small businesses don’t have tiers of top management, but it’s clear that whether you’re a five-person operation or a five-hundred-person business, whoever is in charge needs to step up to the plate when it comes to leading the charge on cyber security – it’s not a job that should be simply left to the IT crowd.
2. Have a formalised cyber strategy
Cyber experts tend to have a formal cyber security strategy in place with clearly defined structures, processes and criteria. In effect, this means that your business should have a clear idea about the cyber risks your business faces and how you manage those risks. For example, if you collect personal data on your customers, how is it stored/protected, and how would you respond if it were compromised?
Do you/your employees know not to click on that suspicious looking link or open that attachment that comes from an unknown source? With some reports saying that over 90% of all successful cyber-attacks are related to human error, our study shows there is a wide gulf between cyber novices and experts in the area of employee training. More than nine out of ten experts (93%) in our report say that their ‘organisation incorporates security training and awareness across the organisation’. Among novices, the figure is less than half (43%). As we have seen, most experts say employee training is effective at reducing the number of incidents. Stepping up training can be a quick win.
4. Document your processes
Recording, tracking, documentation – these are areas where the novice firms have scope for improvement at only moderate cost to the organisation. For instance, while the overwhelming majority of experts (96%) say their organisation has a core source of cyber security guidelines for employees, partners and external users, only 42% of novices are as well organised. Consider implementing data classification and information security policies that set out clearly how different types of data should be handled and controlled.
5. Tighten up the technology
Two areas that SMEs need to tighten up are email encryption and the integration of strong identity authentication (better password management). In both areas, most are a long way behind the cyber experts.
6. Transfer risk
Nearly two-thirds of cyber experts (64%) have taken out cyber insurance. That compares with just 28% of novices. It’s worth noting that cyber insurance is not just the preserve of big business, with an increasing number of SMEs taking out cover – 66% of the businesses that bought cover directly from us last year had a turnover of below £100,000.
For more details, see the Hiscox Cyber Readiness Report 2017