photonetworkde - Fotolia
“Let’s just wait and see what happens.”
You hear people say that a lot when something starts to unfold before them: “Let’s just wait and see what happens.”
To be fair, there are a number of scenarios where there’s nothing wrong with that approach, such as if you’re watching a film or a sporting event. After all, whatever happens next it doesn’t really affect you.
But what about those times when it does have a direct effect on you? What do you do then? Do you try and do something before it happens or do you wait and do something afterwards? It’s an interesting question. For an SME owner concerned about a potential cyber attack, so concerned in fact that the spectre of it keeps some of them awake at night, what would you expect the answer to be?
Well, according to a survey of 500 SMEs by PolicyBee , 43% would opt for “wait and see” and have absolutely no plans in place to deal with a cyber attack. They say this even though a third of all those surveyed believe a cyber attack is a matter of “when, not if”.
Are we surprised? Not really. Turn those figures the other way around and you’ll see that two-thirds of SMEs don’t expect to be affected by a cyber attack. Why not? My guess is they think they’re too small and insignificant to be worthy of the attention of the malicious forces behind so much cyber criminality. This would explain why so many sole traders (71%) believe they are least at risk.
Coupled with this belief is a kind of fatalism that “we’re so small we shouldn’t be attacked but if we are, we not big enough to afford to put the measures in place to defend ourselves and recover”. I can imagine that thought process leaves many frozen in inaction. For quite a few smaller companies, there’s probably a point below which it makes more sense to shut up shop and start again rather than try and recover the business.
After all, we have a culture where it is far from unusual for companies to go bust and the people behind them to start up again. There are many “acceptable” reasons for business collapses, such as losing a large order or contract and being hit with cashflow problems, why should a cyber attack leading to the complete failure of a company’s IT infrastructure not be added to the list?
That might be slightly simplistic but if an IT failure can be so catastrophic, there surely are only two responses: do whatever it takes and spend whatever is required to ensure the business can recover as quickly as possible after it happens or calculate it will be too expensive to recover if it does happen and be prepared to wind up the company.
Can anything be done to make it more financially viable for SMEs to protect their business from attack and recover if it does occur? That’s partly a question for the IT industry, but it’s a question that could create business for channel partners (even if it’s not exactly large scale in terms of the value of each sale).
Which brings us to the other difficulty for many SMEs looking for a way to implement a disaster recovery plan, one that has dogged them in other areas of IT provision in the past: namely that many IT providers don’t believe it’s rewarding or lucrative enough for them to get involved in the SME space.
In fact, you could say that, for too many in the IT industry, their approach to the SME market has been a case of “let’s just wait and see what happens”.