UK SMEs ‘woefully unprepared’ for cyber threat
Cyber MGA advises proactive planning for escalating threat
New research commissioned by London-based cyber MGA Cowbell has found that UK SMEs are “woefully unprepared” to react to a cyber incident, with only one in five (19%) having a recommended cyber incident response plan (IRP) in place and 77% having no in-house security.
The research also revealed that 28% of SMEs are not insured against cybersecurity risks. Twenty percent do not know whether they are insured, and a further 10% said they do not think they need a standalone cyber insurance policy.
As Cowbell pointed out, the UK National Cyber Security Centre recently warned that AI will “almost certainly” increase the volume and impact of cyberattacks in the next two years, all while 59% of the UK’s medium businesses have already experienced breaches or attacks in the last 12 months.
The bottom line is that SMEs need to look closely at how they might react to an incident, in addition to ensuring they are protected, said Cowbell.
The survey also highlighted confusion around first responses in the event of a cyber breach, with no clear unified approach.
Catherine Aleppo, broker specialist at Cowbell UK, said the research indicates some “serious gaps” in knowledge that insurance brokers could help their clients fill, adding that there’s “work to be done”.
Cowbell also pointed out that data breaches cost UK businesses an average of £3.2m last year – with the UK being the sixth-most expensive country for data breaches in the world, according to research carried out by IBM.
One interesting finding of the Cowbell research was that rather than notifying the regulators or their insurance provider, over half of all respondents (52%) said their first course of action would be to notify the IT team should a breach occur.
When respondents were asked about the ‘first action they would take following a data breach’, a clear lack of unified response across the C-suite was evident:
- CEOs: 10% said they would notify regulators, while a further 10% said they’d contact the in-house tech team.
- CFOs: 17% would notify the in-house tech team, 10% would inform clients/customers and a further 10% would notify the finance team.
- HR directors: 24% felt they should notify the in-house finance team first.
- Senior marketers: 31% thought they should first inform their tech team, while 25% said they would notify their insurance provider.
Cowbell UK VP and general manager Simon Hughes said that the UK’s SMEs are leaving themselves vulnerable and wide open to threat. “Almost every day we see a new major cyberattack hit the headlines – and that’s just the ones big enough to warrant news coverage. Whether we put our heads in the sand or not, attacks are on the up. As developments in AI continue, we will almost certainly see an increase in the volume, complexity and impact of cyberattacks in the coming years. It’s not a case of if but when. But now is not the time to scaremonger, it’s time for proactive planning.”
Aleppo added: “More support and education on cyber risk and Incident Response Planning needs to happen if businesses are to navigate these incidents and recover quickly. There is work to be done, raising critical awareness of cyber vulnerabilities and safeguarding the UK’s SMEs who form the backbone of the UK economy.”