apinan - Fotolia
This is despite the fact that nearly four in 10 of CFC’s claims in 2016 were caused by phishing attacks that could have been avoided with better education and training.
According to CFC, the main reason given for this it that SMEs are “not sure where to start”, which could be a result of not understanding their cyber risk profile, with 20% of SMEs never assessing the business exposure to cyber risk.
In September 2016, a Juniper Research report revealed that 74% of UK SMEs think they are safe from cyber attack, despite half of them admitting having suffered a data breach.
There is still naivety about the significance of a data breach, according to the report, which showed that although 69% of respondents would contact someone immediately if they discovered a cyber breach, 18% would wait until the next working day if they did not consider it a big problem.
CFC reported a 78% rise in cyber claims from 2015 to 2016, with 90% of claims by volume coming from businesses with less than £50m in revenue, highlighting just how vulnerable SMEs are to relatively unsophisticated cyber attacks.
When SMEs were asked what poses the biggest threat to their business, cyber crime came in second, topped only by Brexit.
Some 31% of IT companies report cyber crime as the main threat, followed by 25% in the manufacturing sector. By comparison, just 8% overall are concerned about traditional crime. Despite these worries, 80% of SMEs still do not buy cyber insurance.
Read more about GDPR
- Businesses dealing with EU citizens’ data urged to ensure they are on track to comply with the GDPR in less than 16 months, as the world marks Data Protection Day 2017.
- The Information Commissioner’s Office sets out its plans for publishing guidance on the EU GDPR.
- The Information Commissioner’s Office is to publish a revised timeline for the UK implementing the EU’s General Data Protection Regulation after Brexit.
At CFC’s recent Cyber Symposium, Inga Beale, CEO of Lloyd’s, said: “It’s one of the most high-profile risks businesses are facing at the moment, and yet CEOs seem to be in denial about its impacts and their ability to deal with it.
“Businesses are either not looking for solutions, or if they are, they don’t know where to find them or understand the value of them. Insurers need to explain the benefits cyber insurance can bring.”
Graeme Newman, chief innovation officer at CFC, said it was worrying to see that 56% of SMEs do not have an incident response plan in place that outlines roles and responsibilities in the event of a cyber attack.
“SMEs must take a two-pronged approach to guarding against an attack – implementing good security and risk management practices along with a strong cyber insurance policy,” he said.
“For SMEs that are time-poor and cash-strapped, cyber insurance policies exist not only to pay for financial losses should their systems be compromised, but also to help them handle and resolve incidents quickly and effectively.”
Read more about cyber security for SMEs
- Cloud network and security systems could be the answer for SMEs looking for enterprise-level services on a small-business budget.
- It is easy for SMEs to consider themselves below the radar when it comes to cyber security.
- A risk-based approach to information security can help drive investment decisions and keep costs down for SMEs.
However, Newman predicted that although only 9% of SMEs are worried about regulatory fines as a result of a cyber attack, that figure is likely to increase once companies are required to comply with the EU’s General Data Protection Regulation (GDPR) from 25 May 2018.
Whereas the UK’s privacy watchdog, the Information Commissioner’s Office, is currently able to issue penalties of up to £500,000, the GDPR will introduce fines of up to €20m or 4% of an organisation’s annual global turnover, whichever is greater.
This means that if data breaches remain at 2015 levels, the fines paid to the European regulator could see a near 90-fold increase, from £1.4bn in 2015 to £122bn, the Payment Card Industry Security Standards Council (PCI SSC) has calculated, based on the maximum fine of 4% of global turnover.
For UK SMEs, this could see regulatory fines for data breaches rise to £52bn, a 57-fold increase, averaging £13,000 per SME. .........................................................................................