Three quarters of SMEs have not set aside any budget to deal with the aftermath of a cyber-attack and of those SMEs who have ring-fenced some funds, many are too IT focused and have not considered the impact on other business areas, according to a new report.
UK SMEs were asked about their preparedness for cyber-attacks & cyber breaches and their aftermath and only 19 per cent have put aside a war-chest to deal with the repercussions. Equally worrying is SMEs’ lack of understanding about how a cyber issue could impact their business as a whole.
Sarah Adams, cyber insurance expert, who commissioned the study for PolicyBee, said: “Cyber-attacks are not just an IT problem as they could impact sales, customer relations, reputation and a business’s bottom line – especially if there are legal ramifications or regulator fines.
“SMEs really need to get past this mental barrier that cyber-attacks can be fixed in the server room – they can’t. It takes a whole business to plan ahead, practise for and react to a cyber issue, if you want to come through it unscathed.”
IT items most budgeted for by SMEs for after an attack are: new software, new hardware and hiring an IT expert.
Other items that were much further down the budgeting list included: hiring a legal expert, cost of being sued by a customer for loss of their data, hiring a public relations or social media expert to manage reputational damage, cost of being fined by a regulator, setting up or hiring call centre staff to deal with customer calls, loss of earnings during the attack and cost of extortion or being held to ransom.
The research also showed that in the event of a cyber-attack, a third of SMEs believe they’ll be able to pass the associated costs onto their third-party IT support/expert.
Adams continued: “This raises several very interesting points: it is almost impossible to entirely defend a business against a tenacious cyber-attack, and most IT experts will have wording to that effect built into their contracts. And in the event of an attack, most SMEs will be focussed on getting their business back on its feet – their priority will certainly not be suing their IT firm.”
However, despite thirty per cent of businesses believing they will pass on cyber-attack costs to their IT firm, more positively, over half actually have ‘complete confidence’ in their IT support.
Adams concluded: “Cyber-attacks and breaches are pretty costly – the average amount being an eye-watering twenty-six thousand pounds per small business. SMEs really need to step up their preparedness for an attack and have proper systems and importantly budget set aside which will stretch further than just resolving IT problems and help fix the business in its entirety.”