Some 27% of small to medium-sized enterprises (SMEs) are failing to educate staff on the threat of a cyber attack.
According to research by cyber insurance provider CFC, this is despite the fact that nearly forty per cent of CFC’s claims in 2016 were caused by phishing attacks that could have been avoided with better education and training.
According to CFC, the main reason given for this is that SMEs are “not sure where to start”, which could be a result of not understanding their cyber risk profile, with 20% of SMEs never assessing the business’s exposure to cyber risk.
In September 2016, a Juniper Research report revealed that 74% of UK SMEs think they are safe from cyber attack, despite half of them admitting having suffered a data breach.
There is still naivety about the significance of a data breach, according to the report, which showed that although 69% of respondents would contact someone immediately if they discovered a cyber breach, 18% would wait until the next working day if they did not consider it a big problem.
CFC reported a 78% rise in cyber claims from 2015 to 2016, with 90% of claims by volume coming from businesses with less than £50 million in revenue, highlighting just how vulnerable SMEs are to relatively unsophisticated cyber attacks.
When SMEs were asked what poses the biggest threat to their business, cyber crime came in second, topped only by Brexit.
Some 31% of IT companies report cyber crime as the main threat, followed by 25% in the manufacturing sector. By comparison, just 8% overall are concerned about traditional crime. Despite these worries, 80% of SMEs still do not buy cyber insurance.
At CFC’s recent Cyber Symposium, Inga Beale, CEO of Lloyd’s, said: “It’s one of the most high profile risks businesses are facing at the moment, and yet CEOs seem to be in denial about its impacts and their ability to deal with it.
“Businesses are either not looking for solutions, or if they are, they don’t know where to find them or understand the value of them. Insurers need to explain the benefits cyber insurance can bring.”
Graeme Newman, chief innovation officer at CFC, said it was worrying to see that 56% of SMEs do not have an incident response plan in place that outlines roles and responsibilities in the event of a cyber attack.
“SMEs must take a two-pronged approach to guarding against an attack – implementing good security and risk management practices along with a strong cyber insurance policy,” he said.
“For SMEs that are time-poor and cash-strapped, cyber insurance policies exist not only to pay for financial losses should their systems be compromised, but also to help them handle and resolve incidents quickly and effectively.”
However, Newman predicted that although only 9% of SMEs are worried about regulatory fines as a result of a cyber attack, that figure is likely to increase once companies are required to comply with the EU’s General Data Protection Regulation (GDPR) from 25 May 2018.
Whereas the UK’s privacy watchdog, the Information Commissioner’s Office, is currently able to issue penalties of up to £500,000, the GDPR will introduce fines of up to €20 million or 4% of an organisation’s annual global turnover, whichever is greater.
This means that if data breaches remain at 2015 levels, the fines paid to the European regulator could see a near 90-fold increase, from £1.4 billion in 2015 to £122 billion, the Payment Card Industry Security Standards Council (PCI SSC) has calculated, based on the maximum fine of 4% of global turnover.