As many as 875,000 small and medium-sized enterprises (SMEs) in the UK – 16% of the total – have been hit by a cyber attack in the past 12 months, according to the latest Zurich SME Risk Index.
Businesses in London are the worst affected, with almost a quarter (23%) reporting that they suffered a breach within this period.
Of businesses that were affected, more than one-fifth (21%) said it cost them more than £10,000 and one in 10 (11%) said it cost more than £50,000.
Yet despite the volume of attacks and potential losses, the survey of more than 1,000 UK SMEs showed that business leaders are not committing to investing significantly in cyber security in the year ahead.
The survey, by YouGov on behalf of Zurich, found that 49% of SMEs admitted they plan to spend £1,000 or less on their cyber defences in the next 12 months, and almost a quarter (22%) do not know how much they will spend.
The lack of planned investment in cyber defences is also surprising given that business leaders report that strong cyber security gives them an opportunity to stand out from competitors, with as many as one in 20 claiming to have gained an advantage over a competitor because of stronger cyber security credentials.
This trend is confirmed by a separate survey of SMEs by security e-learning firm CybSafe, which showed that half of SMEs polled have had cyber security conditions included in contracts with enterprise customers in the past five years, and one-third of respondents said they have had their cyber security measures questioned as part of winning contracts in the past year.
Also, 44% said their enterprise customers have required them to hold a recognised cyber security standard, such as ISO 27001, in the past five years, and 28% in the past year alone, demonstrating a clear trend in the enterprise approach to supplier information security.
“While recent cyber attacks have highlighted the importance of cyber security for some of the world’s biggest companies, it is important to remember that small and medium-sized businesses need to protect themselves too,” said Paul Tombs, head of SME proposition at Zurich.
“The survey results suggest that SMEs are not yet heeding the warnings provided by large attacks on global businesses.”
However, Tombs said that although the rate of attacks on SMEs is troubling, it also shows there is an opportunity for businesses with the correct safeguards and procedures in place to use this as a strength and gain an advantage.
In September 2016, a report by Juniper Research revealed that 74% of UK SMEs believed they were safe from cyber attack, despite half of them admitting to having suffered a data breach.
The report showed that 86% of the SMEs surveyed thought they were doing enough to counter the effects of cyber attacks, and 27% believed they were safe from attack because they were small and of no interest to cyber criminals.
“No matter how big the business, no organisation is too small to be a target for cyber criminals,” said Gordon Morrison, director of government relations at security firm McAfee, in response to the Zurich findings.
“For many large enterprises, with the IT and security support in house, taking a comprehensive and strategic approach to cyber security is often high on the priority list.”
For SMEs, one of the greatest challenges is often knowing where to start, said Morrison. “For others, who don’t have substantial budgets for enterprise security products, there is a lack of understanding of how valuable just introducing the basics is.”
Morrison said the government’s Cyber Essentials Scheme has helped many UK SMEs make huge strides in their cyber defences.
“Achieving this basic level of cyber security is claimed to prevent up to 80% of cyber attacks, to which organisations would otherwise be vulnerable,” he said. “The scheme represents a brilliant resource for SMEs that want to take their first steps into better cyber hygiene, and ensure that they are putting their efforts and budget into the most effective defences.”