Cyber security: 30 per cent of SMEs still have no incident response plan


When I began my training in cyber security, one of the instructors told the class: “Security is one of those areas where the more you know, the more you realise you don’t know.” Perhaps that’s the reason why, despite headline-grabbing attacks, public relations disasters and ever-increasing fines, businesses – and particularly SMEs – have been slow to react.

It is hard not to be aware of the risk cyber attacks pose, but security can be a confusing world of buzzwords and jargon and, in the middle of a global skills shortage, small businesses often lack the specialist expertise needed to protect themselves and their customers.

Recent research by Experian shows that 30% of small businesses still have no incident response plan. They also underestimate the cost of a breach, pinning the damage at about £180,000 while government statistics show the true figure to be around £310,000.

“Many firms are still struggling to put in place or identify exactly what their response to this ever-increasing threat should look like,” says Experian’s head of data breach services Jim Steven.

“They feel overwhelmed by the threat and, given the size of the problem, end up underplaying the value of the clear solution – a data breach plan. Although companies may understand why they are attractive to cyber criminals, it’s clear that a data breach plan can seem overwhelming to some.”

But of the businesses without response plans, 39% said they do not believe they are at risk. In reality, every business has something of value to cyber criminals, be it money or data.

“Despite increased media coverage of high-profile breaches, many top executives are still under the impression that their organisation has no valuable data and will not be targeted,” Steven says. “This false belief could have devastating consequences, as just simply being connected to the internet makes any company of interest to cyber criminals.

“To the crooks and fraudsters, any accessible company is a resource that could be exploited and discarded, simply because it is there. And once they are in, they will take whatever they can or hold the organisation to ransom in order to make a return on their time investment.”

If that wasn’t enough of an incentive to invest in security, a study by Juniper Research recently found that small businesses are particularly at risk of attacks because they often run old software.

It showed that recent high-profile attacks – like the WannaCrypt ransomware campaign, which infected the NHS and other organisations around the world – had failed to spur SMEs into action, with the average small business planning to spend just £3,130 on cyber defences this year.

“The attacks on hospital infrastructure show that inadequate cyber security can now cost lives as well as money,” said report author James Moar. “Businesses of all sizes need to find the time and budget to upgrade and secure their systems, or lose the ability to perform their jobs safely, or at all.”

With the threat growing and more attacks being launched every day, small businesses need to act now before they face the potentially crippling consequences of a cyber breach.

Matt Smith is a cyber security journalist and a SANS Cyber Retraining Academy graduate.
@MattCASmith