How well prepared are businesses when it comes to fending off cyber threats? This was the key question we set out to investigate in our first major study on cyber risk – The Hiscox Cyber Readiness Report 2017 – which we’ve launched today.
And, having interviewed 3000 businesses of all sizes and from a wide range of sectors in the UK, Germany and the US, we found that more than half of all businesses (53%) are ill-prepared to deal with cyber-attacks, while more than half (57%) have also experienced a cyber-attack over the past year and 42% have had at least two incidents in that period.
But what conclusions did we come to about the effects of cyber-attacks on small businesses specifically?
Cyber-attacks on small businesses often have the biggest impact
The most obvious finding was that, as a proportion, the effect of a cyber-attack on small businesses was far greater than on their bigger counterparts. For UK businesses with 99 or fewer employees, the average estimated cost of their largest cyber incident over the last 12 months was £25,736, compared to £62,712 for UK businesses with 1,000 or more employees. Yet these amounts only reflect the immediate direct costs and don’t include the longer-term impact on business reputation and consumer confidence. In relative terms, however, smaller businesses are paying the highest price for operating online.
Small businesses take longer to recover
Of course, suffering a cyber-attack is one thing, but the time it takes a business to recover can make the difference between long-term business success and failure. Asked to agree with the statement that ‘when a cyber security incident occurs, we resolve the problem in the time we expect / have documented it will take,’ nearly a third (29%) of small businesses (1-49 employees) disagreed, versus 22% for mid-sized businesses (250-999 employees) and only 11% for larger businesses with more than 999 employees. Computer security for small businesses is not yet something we see being prioritised, and no matter how robust your cyber risk insurance policy, recovering from an attack can be a difficult and costly process.
Learning the lessons from a cyber-attack should also be seen as an important part of any small business’s cyber security plan, but 32% of the businesses with fewer than 50 employees we interviewed said nothing has changed in the past 12 months as a result of security incidents.
Is the government doing enough?
When it comes to recognising how the government is supporting the battle against cyber-attacks, our results were mixed. While 48% of all UK businesses felt the government was doing enough to help prevent incidents and protect them against the effects of cyber-attacks, 53% of small businesses with fewer than 50 employees disagreed. There is no doubt that there is government help available through websites such as Cyber Aware and the Cyber Essentials scheme, which offers a cyber security certification process. These websites are a good starting point for small businesses looking for a relatively simple way to ensure their cyber security is as robust as possible.
When I put our findings to a Cyber Aware spokesperson they told me: ‘In 2015/16, one million SMEs claimed they were more likely to maintain or take up key cyber security behaviours as a result of Cyber Aware. We are working with private and public sector partners, like Hiscox, to ensure we support even more small businesses this year.’
Cyber security experts versus novices
Our report also assessed whether a company was an expert or novice in how it manages its cyber security. Overall, only 30% of all the companies we surveyed were considered experts – with a disproportionate bias towards bigger companies – while small companies tended to come out as novices.
Of course, it might seem obvious that larger businesses with the resources to employ big IT departments and the latest in prevention and detection technology are more likely to be cyber security experts. But this would be to gloss over the actions that all businesses can take which shouldn’t necessitate a big financial outlay. In particular, our study shows that better employee training with clear cyber security guidelines – both actions that can be undertaken at little cost – can be very effective in countering the cyber threat. This is something that could be incorporated into any small business cyber security plan to turn the novices into experts and help SMEs become cyber-savvy.
For more help with cyber security and to protect your small business, consider taking out a Cyber Risk Insurance policy with Hiscox.
The research was conducted by Forrester Consulting on behalf of Hiscox from November 2016 to December 2016.