How well prepared are businesses when it comes to fending off the cyber threat? This was the key question we set out to investigate in our first major study on cyber risk – The Hiscox Cyber Readiness Report 2017 – which we’ve launched today.
And, having interviewed 3000 businesses of all sizes and from a wide range of sectors in the UK, Germany and the US, we found that more than half of all businesses (53%) are ill-prepared to deal with cyber-attacks, while more than half (57%) have also experienced a cyber-attack over the past year and 42% have had at least two incidents in that period.
But what specific conclusions did we come to from a small business perspective?
Cyber-attack costs are high for small businesses
The most obvious impact was how, as a proportion, the losses suffered by small businesses were far greater than those of their bigger counterparts. For UK businesses with 99 or fewer employees, the average estimated cost of their largest cyber incident over the last 12 months was £25,736, compared to £62,712 for UK businesses with 1,000 or more employees. These amounts only reflect the immediate direct costs and don’t include the longer-term impact on business reputation and consumer confidence. In relative terms, however, smaller businesses are paying the highest price for operating online.
Small businesses take longer to recover
Of course, suffering a cyber-attack is one thing, but the time it takes a business to recover can make the difference between long-term business success and failure. Asked to agree with the statement that ‘when a cyber security incident occurs, we resolve the problem in the time we expect / have documented it will take,’ nearly a third (29%) of small businesses (1-49 employees) disagreed, versus 22% for mid-sized businesses (250-999 employees) and only 11% for larger businesses with more than 999 employees.
Learning the lessons from a cyber-attack should also be seen as an important part of any business’s cyber strategy, but 32% of the small businesses with fewer than 50 employees we interviewed said nothing has changed in the past 12 months as a result of security incidents.
Is the government doing enough?
When it comes to recognising how the government is supporting the battle against cyber-attacks, our results were mixed. While 48% of all UK businesses felt the government was doing enough to help protect them from cyber security incidents, 53% of small businesses with fewer than 50 employees disagreed. There is no doubt that there is government help available through websites such as Cyber Aware and the Cyber Essentials scheme, which offers a cyber security certification process. These websites are a good starting point for small businesses looking for a relatively simple way to ensure their cyber security is as robust as possible.
When I put our findings to a Cyber Aware spokesperson they told me: ‘In 2015/16, one million SMEs claimed they were more likely to maintain or take up key cyber security behaviours as a result of Cyber Aware. We are working with private and public sector partners, like Hiscox, to ensure we support even more small businesses this year.’
Cyber security experts versus novices
Our report also assessed whether a company was an expert or novice when it comes to how they manage their cyber security. Overall only 30% of all the companies we surveyed were considered experts – with a disproportionate bias towards bigger companies – while small companies tended to come out as novices.
Of course, it might seem obvious that larger businesses with the resources to employ big IT departments and the latest in prevention and detection technology are more likely to be cyber security experts. But this would be to gloss over the actions that all businesses can take which shouldn’t necessitate a big financial outlay. In particular, our study shows that better employee training with clear cyber security guidelines – both actions that can be undertaken at little cost – can be very effective in countering the cyber threat and turning a novice into an expert.
The research was conducted by Forrester Consulting on behalf of Hiscox from November 2016 to December 2016.
To read the complete report go to The Hiscox Cyber Readiness Report 2017.
For more help with cyber security, read our Hiscox complete guide to cyber security.