Reliant on the internet to trade, already the target of online scams but without any formal staff cyber training or a plan for dealing with a hacker attack. Those are some of the key points to come out of an Institute of Directors (IoD) survey of UK firms on cyber security, which formed the basis of its recent cyber security report.

We took a deep dive into the report to focus on the responses of small businesses with a turnover of less than £100,000. Here’s what the results say:

  1. Web reliant – and vulnerable

85% are reliant on the internet for their business – 37% said they are completely reliant on it. The web has transformed the way in which business is done, but can make firms – especially small ones that depend on it – vulnerable if they are attacked. 71% said their biggest worry is a cyber attack that results in them losing IT services.

  2. Update those patches

38% say cyber security – firewalls, anti-virus and encryption software and the like – is very important to them. “It is standard for any computer or network to have these safety features built-in upon purchase and the awareness of users with anti-virus protection is well marketed,” says Professor Richard Benham, the IoD report’s author. “What becomes interesting is how many of these features are kept up to date; an answer I suspect few would wish to admit to”.

  3. Little specific investment in cyber security

12% spent nothing on IT security in the past year. Companies don’t tend to spend money specifically on cyber security unless they have been hacked, according to Professor Benham, who adds: “I would hope next year for this figure to be approaching nil”.

  4. No training or Plan B

57% don’t have a formal cyber or data security strategy, while 62% didn’t offer their staff cyber awareness training. “Any cyber security strategy should include awareness training to be effective,” says Professor Benham. “The biggest risk as technology becomes more sophisticated is human failure.”

  5. Outsourcing data – but where?

56% outsourced their data storage to an IT firm or cloud provider, but 59% said they did not know where their data was physically stored. Benham says companies’ ignorance about where the servers holding their information are located is “truly frightening – it effectively means businesses are losing control of their data, which may well be their biggest asset”. Stephen Ridley, our acting Head of Technology, Cyber & Data, says: “Many businesses are also under the mistaken impression that the outsourcer will indemnify them if something goes awry, but that is often not the case, as the outsourcing firms look to exclude, or severely limit, their liability in contract.”

  6. Already scam targets

63% have received bogus invoices or demands for electronic payment. “This shows the extent of social engineering and how the internet can be used to defraud businesses,” says Professor Benham.

  7. Unaware of tough new EU data rules

63% are unaware of the new European Data Protection Regulation.

The regulation has recently been passed by Brussels and will come into effect on 25th May 2018, with tough new rules on storing data and reporting attacks, with the threat of stiff fines if companies aren’t compliant by then.

  8. Most go uninsured

77% don’t have cyber insurance – a further 13% aren’t sure whether they do or not. “With cyber-crime now the most prevalent crime in the UK and corporate attacks on the increase, cyber insurance is becoming a must-have for businesses,” says Professor Benham. That said, 72% aren’t considering buying it in the next 12 months.

“While these stats would indicate that 23% of companies purchase cyber insurance, that doesn’t tie in with what we are seeing on the front line,” says Stephen Ridley. “Unfortunately companies may well think they’re covered when they’re not.

“What these results show is that there’s a real need for small businesses to take steps to protect themselves. With the new GDPR now confirmed to come into force on 25th May 2018, businesses have no choice but to take steps to improve their security posture and data protection processes, and they would be well advised to commence that process sooner rather than later”.

We are the Institute of Directors’ preferred insurance partner and the IoD offers our cyber and data risks insurance to its members at a preferential rate. For more information and to get a quote, call Hiscox on 0800 280 0354.