Dismantling the myth that only large multinationals are cyber-attack targets
When large organisations like eBay, British Airways or Equifax suffer cyber breaches, the news quickly spreads around the world. This is understandable, of course, since such attacks can potentially affect the data of millions of individuals worldwide.
But our news feed doesn’t highlight the story of the local accountant, unable to use her computer system for a week due to a destructive malware attack, nor the plastic surgeon whose patient details are being held to ransom. The fact that these attacks are largely out of public view and not reported in the mainstream media doesn’t mean they’re not happening.
Gauging the cyber risk to SMEs
In fact, almost half of all cyberattacks (43%) are directed at small businesses, according to data compiled by SCORE, mentors to America's small businesses.
Anecdotal evidence suggests that cyber-criminals see smaller businesses as easier targets since they often lack the resources necessary to invest in IT security or provide cyber-security training for their staff.
A small business is hacked roughly every 19 seconds. Hiscox’s research shows that it is now more likely than not (59%) that an SME will be attacked.
Nevertheless, the 2019 SMB Cyberthreat Study, which surveyed more than 500 senior-level decision makers at companies with 500 employees or less, revealed that two out of three business leaders surveyed (66%), don't believe they'll fall victim to a cyber-attack.
This may explain the lack of action. One in three small firms (35%) say they have not installed security software over the past two years, according to research by the UK’s Federation of Small Businesses (FSB). Four in ten (40%) do not regularly update software, and a similar proportion do not back up data and IT systems. Fewer than half (47%) have a strict password policy for devices.
Besides, businesses don’t even need to be the “target” to be hit by a cyber-attack. The NotPetya malware affected thousands of computers worldwide in 2017 and whilst crippling multinational companies, the collateral damage to SMEs was indiscriminate. As one of the fastest propagating pieces of malware ever seen, within hours of its first appearance NotPetya had spread to countless SME systems around the world.
Small businesses are collectively subjected to almost 10,000 cyber-attacks a day, according to FSB. Last year saw a 424% increase in new small business cyber breaches, most frequently due to phishing attempts, malware, ransomware and fraudulent payment requests.
Recent comments by the FSB Policy & Advocacy Chairman, Martin McTague, underscore the risks: “These findings demonstrate the sheer scale of the dangers faced by small firms every day in the digital arena. The issue of business crime is overlooked too often – even more so of late in this climate of sustained political uncertainty and inaction. Meaningful steps must be taken to safeguard our small firms, and by extension the wider economy.”
Stakes are high, with the potential for loss of income and reputational damage, as well as liability to third parties, particularly in relation to compromised customer data and ensuing GDPR implications. Factoring in additional expenses such as regulatory compliance, legal fees, technical investigations and loss of customer relationships, ancillary costs associated with cyber-attacks can quickly compound for a small business.
Ten percent of small businesses hit with a cyberattack in 2019 were forced to shut down as a result, researchers found in a report, commissioned by the US National Cyber Security Alliance and conducted by Zogby Analytics.
To reduce their risk exposure, SMEs should invest in three components: resources, education and insurance.
• Whilst it’s accepted that SMEs must concentrate their resources on knowing their own industry, overlooking security threats and the ensuing business risks, will be at the firm’s peril. If a business owner doesn’t have the requisite understanding, or the in-house personnel to address IT security in protecting the firm’s operations against cyber-attacks, engage a knowledgeable, trusted technology partner. Adequate IT support is the first line of defence. We are working in an era where this is no longer a discretionary spend. In fact, industry experts say a small business’s cyber security budget should be at least 3% of a company’s total spending.
Consider also the rogue employee, undermining your business by giving your data to a competitor or holding your clients’ or customers’ private information to ransom. This is an increasingly common event and easily averted with simple cybersecurity measures.
• Invest in educating your staff. We know that human error and system failure account for 52% of data security breaches - no amount of firewalls or anti-virus software will protect against a simple employee mistake. Weak passwords, mistakenly giving out personal data, and clicking on dodgy attachments - 1 in 323 emails sent to small businesses are malicious - are common themes.
• Cyber insurance is the third part of the cyber-security jigsaw puzzle. Many people mistakenly believe that cyber cover may already be addressed in other insurance policies already purchased. Whilst some overlaps exist (as they do with all lines of insurance), traditional insurance policies lack the depth and breadth of standalone cyber cover, and won’t come with experienced cyber claims and incident response capabilities.
A standalone cyber insurance policy protects businesses from risk relating to IT infrastructure and activities. It covers risks resulting from some malicious attacks as well as some inadvertent incidents which can cause harm to a business’s computer network or to its business data.
Cyber insurance will reimburse some of the business’s own costs of dealing with the cyber event, but will typically also cover liability to third parties that emanates from the event.
A significant benefit of a cyber policy is the breach response services provided, whereby the insured gets immediate access to expert consultants; very welcome help when the business is in a particularly vulnerable position. Cyber threats create considerable pressure, confusion and concern and having immediate access to a breach response team which includes IT forensics, lawyers as well as PR and crisis management consultants, can assist the business in good decision-making. Access to experienced ransom negotiators is also often provided.
Cyber policies extend to reimbursing the insured for expenses in dealing with the breach, dealing with the resultant damages and defence costs of third party liability.
Taking these very simple steps to mitigate cyber risk is essential. The nature of our digital world is such that attacks are ever-changing and the threat landscape is dynamic. What is clear is that any business that ignores cyber-security is taking on a substantial risk to themselves, their customers and clients as well as their business partners. The very clear message for SMEs is that they are not immune. SME business owners must be aware of the very real dangers and take appropriate action to mitigate the risk. Be ever watchful and do your investigations; the fraudsters are doing theirs.
For further information, please contact:
Vanessa Cathie, Account Executive, Global Professional & Financial Risks
T: + 44 (0)20 7933 2478
Businesses are increasingly finding cyber risk exclusions in their policies at renewal time as carriers are pressed to reduce the volume of policies which don’t clearly define the extent to which they cover cyber risk, commonly referred to as “silent cyber”. For clients this might be a positive development as it forces an opportunity to analyse their true cyber risk and think about the range of cover and support services available that address their specific needs.
A recent IT failure has highlighted some of the risks companies can face when digitising their business.
How the data breach is judged by regulators, and possibly by the courts, could tell us a lot about how GDPR might be applied to other UK companies.
Despite recent data breaches, possible fines and compensation claims, companies should not just focus on compliance.