Never too small to lose big: SMEs and the cyber threat

Cyber incidents at major corporations make headlines, leaving many to think that cyberattacks are just something for the big end of town to worry about. As a result, some SMEs work under the misapprehension that they are too small to be of interest to cyber criminals. The reality couldn’t be further from the truth.

Cyber Wardens report that 43% of cyber criminals target small businesses and 81% of small business owners/CEOs and employees have experienced a cyber threat.

There are numerous reasons why cyber criminals target SMEs. Even though the rewards may be smaller (though that is not always the case), cyber criminals see smaller businesses as easier targets. A few of the reasons for this include:

  • SMEs are less likely to employ robust cybersecurity measures than larger businesses. Few have sufficient security budgets.
  • Many SMEs don’t train their staff on cybersecurity risks.
  • SMEs can hold valuable data (customer information, financial records, proprietary information, or even sensitive employee data can be very lucrative for hackers).
  • Small businesses can provide access/gateways into larger businesses.
  • Many SMEs feel obligated to pay ransoms.
  • Small business owners often lack the time and expertise to focus on compliance.
  • SMEs are more vulnerable to social engineering attacks: they often have less basic security in place, may not know the risk or train employees, often work with a variety of third-party partners to run their business (a leading cause of data breaches), and frequently make and receive payments using bank transfers.

Cyber criminals opportunistically target SMEs because they are weaker links.

Data from the Australian Signals Directorate (ASD) showed 62% of SMEs have experienced a cyber security incident. Despite the number of incidents, SMEs spend little on cyber security. Research from trust management firm Vanta found that while 58% of Australian businesses rate cybersecurity threats as their main concern, only 44% of businesses with fewer than 50 employees have a dedicated security budget, even though 43% of businesses face cyber threats on a more-than-weekly basis. ASD figures reveal 48% of businesses spend less than $500 per year on cybersecurity. Yet, on average, the cost of a cybercrime is $49,600 for a small business and $62,800 for a medium-sized business.

And some businesses never recover. A global survey by Futurum Research found 54% of organisations had suffered a cyberattack in the last 12 to 18 months, with one-fifth unable to recover their stolen, encrypted or lost data. For those that do recover, it can take longer than anticipated. A study from cloud computing service provider Fastly Inc found ANZ businesses take an average of seven months to recover from cyber breaches, exceeding their projected times by 19%. The delays are even more pronounced for businesses that reduce their cybersecurity budgets, whose recovery times are over five months longer.

The Actuaries Institute also notes that many SMEs handle sensitive information, from customer data to health records, and a cyberattack could have substantial impacts beyond the immediate business.

In addition, SMEs often only think about cyber risk and exposure after an incident happens. However, the cost of a cyberattack goes far beyond the initial incident. Costs can include ransom payments, legal fees, reputation management, compensation payments, fines, system repairs and business interruption.

Industry figures reveal that 60% of SMEs without a cyber policy shut down their business within six months of suffering an incident.

SMEs ignore cyber threats and insurance.

While a series of cyberattacks over the past two years was a “stark wake-up call” for corporate Australia to strengthen cybersecurity, most of the nation’s three million SMEs have not followed suit, according to an Actuaries Institute report.

“Given SMEs are the lifeblood of our economy, employing up to a third of our workforce and cyber risks are always changing, they shouldn’t be dependent on luck to protect them from a cyberattack – they need to depend on knowledge, good cyber hygiene and robust cyber defences,” the report said.

One important line of defence is cyber insurance.

More ANZ businesses than ever are taking out cyber insurance, with about 43% holding a policy and 57% considering one, according to a survey by IT security specialist Arctic Wolf.

But SMEs are falling behind – with many ignoring the risks and failing to safeguard their livelihoods and reputations with cyber insurance.

Despite the threat, the Actuaries Institute report says cyber insurance is still relatively uncommon among SMEs, with estimates for coverage ranging from 10% to 25%.

The Actuaries Institute puts this down, in part, to the cost and complexity of cyber insurance being a significant barrier for many SMEs.

“SMEs often haven’t had the bandwidth or opportunity to really understand and tackle the risks. They’re daunted by the technical jargon and don’t know where to start with implementing cybersecurity measures. They don’t realise a serious cyber incident could cause their business to collapse.”

The low uptake of cyber insurance can be attributed to several factors, according to the report. These include:

  • Cyber insurance is still a relatively new product.
    The cyber market is growing but still only comprises a very small proportion of the Australian insurance industry. The market’s annual gross written premium is estimated at about $600 million, compared with $16 billion for home cover.

  • SMEs are not necessarily aware of what cyber insurance covers.
    Cyber coverage is not standard, and there can be confusion about what is or is not covered under a cyber insurance policy.
  • SMEs may not be aware of what cover cyber insurance can provide.
    Many SMEs are unaware of the benefits available to them including access to incident response teams, cybersecurity training and vulnerability assessments (which may be policy add-ons).
  • Cost can be a barrier.
    While SMEs can get policies more easily than a couple of years ago, for many, price is still a significant barrier. Cyber insurance policy pricing starts at about $700 a year for a sole trader and can exceed $50,000 for a medium-size business.

More than 10 insurers and underwriting agencies, several backed by Lloyd’s, offer cyber insurance to Australian SMEs.

Partner with an experienced cyber insurance broker.

Having appropriate cyber insurance could be the difference between an SME staying afloat or going out of business following a cyberattack. But knowing what is best for the business in terms of cyber cover can be daunting.

The survey by Arctic Wolf found about 38% of ANZ businesses have trouble figuring out their cyber insurance needs.

This is where working with an insurance broker who specialises in cyber cover can prove invaluable. At EBM Insurance & Risk we have Account Managers who are experts in cyber insurance.

Our brokers will help you to take a holistic view of your cybersecurity exposures and mitigations. We will work with you to:

  • Assess cyber risks.
  • Review cybersecurity measures and practices (a prerequisite for cover).
  • Develop a risk profile to present to insurers.
  • Analyse insurance policies for coverage (beyond cyber products).
  • Study the cyber insurance products available in the marketplace (including new and emerging offerings such as low-cost SME policies).
  • Ensure understanding of policy features, benefits, limitations and exclusions.
  • Source cost-effective cyber solutions to meet your business needs.
  • Keep you abreast of any changes to policy wordings or coverage.
  • Assist you in the event you need to make a claim on your policy.

Talk to your EBM Account Manager about the right cyber insurance for your business.