SMEs Unprepared to Recover From an ‘Inevitable’ Cyber-Attack
While the threat of cybercrime is at the forefront of SME owners’ minds, ‘cyber recovery’ is not, according to a new study, The Business of Cyber Recovery, by PolicyBee. Five hundred UK SMEs were asked about their preparedness for cybercrime and its aftermath: one in three believe that a cyber-attack on their business is a matter of ‘when’ not ‘if’, and quarter believe an attack is ‘likely’.
- 74% have not put any budget aside to deal with the aftermath.
- 43% will react if and when a cyber-attack happens and have absolutely no plans in place.
- Just 14% of all SMEs have a detailed plan which covers all bases and crucially have tested that plan.
Sarah Adams, cyber insurance expert, who commissioned the study for PolicyBee, said: “Large corporates will all have a ‘what if’ plan in place that has been stress tested via a crisis simulation or role play exercise. They will know exactly what to do in the event of a cyber-attack. However, small businesses seem to be chancing their luck and despite expecting to be hacked, aren’t preparing to be prepared.
“The difference between a large and small company is that at least in the short term, no single individual will lose their income in a big business - but in a small business, their day to day livelihood could be altered dramatically within a scarily short space of time.”
Businesses in denial
Younger respondents seem more aware of potential cyber risks - as business owners get older they think a cyber-attack is less likely: 22% of 18-34 year olds think a cyber-attack is unlikely; 41% of 35-54 year olds and 56% of 55+ year olds.
Business in the South West and East of England are most in denial of a cyber-attack - those in London and the NE are the most switched on.
Similarly, sole traders believe they are least at risk from a cyber-attack: 71% say it is unlikely; 32% of businesses with 10-49 employees and one in five of businesses with 50-249 employees.
Adams continued: “More mature sole traders in the South West and East Anglia seem to be in the most potentially vulnerable group. If you are one of these people, it would be well worth looking at your business’s potential to become the next cyber victim, and how you’d continue to operate afterwards.”
IT and management consultant firms more switched on to cyber recovery
Interestingly, SMEs operating in the IT and management consultancy sectors had a much more realistic attitude to cyber-attacks:
- only 24% of IT businesses say an attack is unlikely (48% say likely)
- 16% of Management Consultants say an attack in unlikely (51% say likely)
SMEs not ostriches
According to PolicyBee, who provides cyber insurance and other business insurance to freelancers and small businesses, the study highlights the fact that SMEs are simply too busy running their day-to-day operations.
Adams concluded: “It’s not the usual case that all SME owner-managers are burying their heads in the sand, as the study shows some awareness of the possibility of an attack amongst some groups. It’s more that these busy owner-managers haven’t prioritised any time to deal with the aftermath of an attack. We’re all familiar with the terms cybercrime; cyber-attack; and hackers; but we need to make ‘cyber recovery’ part of the general discussion now too.”