With two thirds of SMEs being hit by cyber criminals, it’s important to know how to respond, says Lindsey Nelson
From the first spate of large-scale data breaches 10 years ago to the global ransomware attacks we’ve witnessed more recently, cyberattacks have evolved dramatically. Our increased reliance on technology to conduct business has introduced a new form of crime – cybercrime – and these types of attacks are occurring more frequently than ever before, posing a growing threat to businesses of all types and sizes.
Although the cyberattacks that make headlines usually involve a breach or outage at a large or well-known company, the reality is that small and medium-sized organisations are just as likely to fall victim to cybercrime. In fact, the Federation for Small Businesses reports that 66% of small businesses have been a victim of cybercrime. To make matters worse, SMEs are not only generally less equipped to deal with the immediate aftermath of a cyberattack should they experience one, but they are also less likely to have the resources in place to prevent such an incident in the first place. This makes SMEs so-called low-hanging fruit for cybercriminals.
The full and lasting effects of cyberattacks are not to be underestimated: they bring a plethora of impacts, ranging from loss of or damage to data and system downtime leading to significant financial loss, through to reputational damage. A small firm with less than £1m in turnover and five employees that CFC insured, for example, suffered a six-figure loss after it fell victim to a common type of ransomware attack.
With an average estimated loss totalling up to $86,000, which in many cases could account for a large portion of a small firm’s assets, it is easy to see how a bad cyber incident could lead to total devastation for SMEs.
So, what can organisations with smaller balance sheets do to become less attractive targets? There are a few simple, cost-effective steps businesses can take.
Teach your staff what to do
First, staff training is imperative. According to IBM, 95 per cent of successful cyberattacks and incidents are the result of human error. This could include things like leaving a laptop on a train, an employee clicking on a malicious link, or making a wire transfer without the proper checks. Training staff on how to spot phishing emails, or requiring employees to place a follow-up phone call in response to wire transfer requests, are cheap and easy preventative measures to implement and a great starting point in establishing good security.
Have an incident response plan
Second, businesses of all sizes should develop an incident response plan outlining the roles and responsibilities of stakeholders within the business, so that if disaster does strike, the incident can be handled quickly and effectively. This is even more important since the implementation of the GDPR, under which companies can face hefty fines should they fail to notify authorities and customers of significant data breaches within the prescribed timeframe.
Make sure you’re covered
Good incident response will likely require input from IT experts, forensic specialists, PR firms, lawyers, and more. While it’s not practical for SMEs to have all of these capabilities in-house, one place to get access to these resources is through a good cyber insurance policy, which can work hand-in-hand with an incident response plan.
Although cyberattacks at large companies are the ones reported in the news, cyber criminals don’t discriminate. In fact, research shows that the frequency and severity of cyberattacks on smaller businesses are on the rise, leaving these organisations open to a complex laundry list of financial and reputational exposures.
SMEs need to think carefully about their cyber defence strategy or risk being vulnerable should a cyber incident occur.
Lindsey Nelson is international cyber team leader at insurer CFC Underwriting