SMEs unprepared to recover from an ‘inevitable’ cyber-attack


While the threat of cybercrime is at the forefront of SME owners’ minds, ‘cyber recovery’ is not, according to a new study.

UK SMEs were asked about their preparedness for cybercrime and its aftermath: one in three believe that a cyber-attack on their business is a matter of ‘when’ not ‘if’, and quarter believe an attack is ‘likely’.

However, 74 per cent have not put any budget aside to deal with the aftermath and 43 per cent will react if and when a cyber-attack happens and have absolutely no plans in place. Just 14 per cent of all SMEs have a detailed plan which covers all bases and crucially have tested that plan.

Sarah Adams, cyber insurance expert, who commissioned the study for PolicyBee, said: “Large corporates will all have a ‘what if’ plan in place that has been stress tested via a crisis simulation or role play exercise. They will know exactly what to do in the event of a cyber-attack. However, small businesses seem to be chancing their luck and despite expecting to be hacked, aren’t preparing to be prepared.

“The difference between a large and small company is that at least in the short term, no single individual will lose their income in a big business – but in a small business, their day to day livelihood could be altered dramatically within a scarily short space of time.”

Businesses in denial

Younger respondents seem more aware of potential cyber risks – as business owners get older they think a cyber-attack is less likely: 22 per cent of 18-34 year olds think a cyber-attack is unlikely; 41 per cent of 35-54 year olds and 56 per cent of 55+ year olds.

Business in the South West and East of England are most in denial of a cyber-attack – those in London and the NE are the most switched on.

Similarly sole traders believe they are least at risk from a cyber-attack: 71 per cent say it is unlikely; 32 per cent of businesses with 10-49 employees and one in five of businesses with 50-249 employees.

Adams continued: “More mature sole traders in the South West and East Anglia seem to be in the most potentially vulnerable group. If you are one of these people, it would be well worth looking at your business’s potential to become the next cyber victim, and how you’d continue to operate afterwards.”

IT and management consultant firms more switched on to cyber recovery

Interestingly, SMEs operating in the IT and management consultancy sectors had a much more realistic attitude to cyber-attacks with only 24 per cent of IT businesses say an attack is unlikely whilst 16 per cent of Management Consultants say an attack in unlikely.

According to PolicyBee, who provides cyber insurance and other business insurance to freelancers and small businesses, the study highlights the fact that SMEs are simply too busy running their day-to-day operations.

Adams concluded: “It’s not the usual case that all SME owner-managers are burying their heads in the sand, as the study shows some awareness of the possibility of an attack amongst some groups. It’s more that these busy owner-managers haven’t prioritised any time to deal with the aftermath of an attack. We’re all familiar with the terms cybercrime; cyber-attack; and hackers; but we need to make ‘cyber recovery’ part of the general discussion now too.”