Small businesses hit hardest in cyber attacks

Authored by Matthew Webb.
4 min read
Laptop and computer servers
Small businesses take longer to recover and costs are high according to our new cyber readiness report explains Matt Webb, Hiscox Group Head of Cyber…

How well prepared are businesses when it comes to fending off cyber threats? This was the key question we set out to investigate in our first major study on cyber risk – The Hiscox Cyber Readiness Report 2017 – which we’ve launched today.

And, having interviewed 3000 businesses of all sizes and from a wide range of sectors in the UK, Germany and the US, we found that more than half of all businesses (53%) are ill-prepared to deal with cyber-attacks, while more than half (57%) have also experienced a cyber-attack over the past year and 42% have had at least two incidents in that period.

We’re deeply invested in protecting new ventures, from the insurance we offer small businesses to latest industry insights. So read on to find out what specific conclusions we came to on the effects of cyber attacks on small businesses.

Cyber-attacks on small businesses often have the biggest impact

The most obvious impact was how, as a proportion, the effect of a cyber attack on small businesses were far greater than their bigger counterparts. For UK businesses with 99 or fewer employees, the average estimated cost of their largest cyber incident over the last 12 months was £25,736, compared to £62,712 for UK businesses with 1,000 or more employees.

Yet these amounts only reflect the immediate direct costs and don’t include the longer term impact on business reputation and consumer confidence. In relative terms, however, smaller businesses are paying the highest price for operating online.

Small businesses take longer to recover

Of course, suffering a cyber-attack is one thing but the time it takes a business to recover can make the difference between long term business success or failure. Asked to agree with the statement that ‘when a cyber security incident occurs, we resolve the problem in the time we expect / have documented it will take,’ nearly a third (29%) of small businesses (1-49 employees) disagreed versus 22% for mid-sized businesses (250-999 employees) and only 11% for larger businesses with more than 999 employees. 

Computer security for small businesses is not yet something we see being prioritised — no matter how robust your cyber risk insurance policy, recovering from an attack can be a difficult and costly process.

Learning the lessons from a cyber-attack should also be seen as an important part of any small business’s cyber security plan but 32% of the businesses with fewer than 50 employees we interviewed said nothing has changed in the past 12 months as a result of security incidents.

Is the government doing enough?

When it comes to recognising how the government is supporting the battle against cyber-attack, our results were mixed. While 48% of all UK businesses felt the government was doing enough to help prevent incidents and protect them against the effects of cyber attacks, 53% of small businesses with less than 50 employees disagreed.

There is no doubt that there is government help available through websites such as Cyber Aware (external link) and the Cyber Essentials (external link) scheme which offers a cyber security certification process. These websites are a good starting point for small businesses looking for a relatively simple way to ensure their cyber security is as robust as possible.

When I put our findings to a Cyber Aware spokesperson they told me: ‘In 2015/16, one million SMEs claimed they were more likely to maintain or take up key cyber security behaviours as a result of Cyber Aware. We are working with private and public sector partners, like Hiscox, to ensure we support even more small businesses this year.’

Cyber security experts versus novices

Our report also assessed whether a company was an expert or novice when it comes to how they manage their cyber security. Overall only 30% of all the companies we surveyed were considered experts – with a disproportionate bias towards bigger companies – while small companies tended to come out as novices.

Of course, it might seem obvious that larger businesses with the resources to employ big IT departments and the latest in prevention and detection technology are more likely to be cyber security experts. But this would be to gloss over the actions that all businesses can take which shouldn’t necessitate a big financial outlay.

In particular, our study shows that better employee training with clear cyber security guidelines – both actions that can be undertaken at little cost – can be very effective in countering the cyber threat.  This is something which could be incorporated into any small business cyber security plan to turn the novices into experts and help SME’s become cyber-savvy.

For more help with cyber security and to protect your small business, consider taking out a Cyber Risk Insurance policy with Hiscox. Find more information on the role this cover plays in protecting your business in our Cyber Insurance FAQs.

For more insights into how cyber security has evolved since 2017, see the latest Cyber Readiness Report, or read our Hiscox complete guide to cyber security

At Hiscox, we want to help your small business thrive. Our blog has many articles you may find relevant and useful as your business grows. But these articles aren’t professional advice. So, to find out more on a subject we cover here, please seek professional assistance.

Matthew Webb

Matthew Webb is our Cyber Line Underwriter at Hiscox. Inspired by his father, who had built up his own independent insurance brokerage in their home town Tunbridge Wells, Matthew also took the leap into the world of insurance and has focused on products for commercial enterprises ever since. He is now a highly regarded UK resource on risks associated with cyber crime and data security.