The Rising Cyber Threats Facing SMEs in the UK
The rising risk of social engineering and ransomware threats to SMEs is a big topic in insurance following the release of a range of statistical reports in the UK.
There has often been a misinformed assumption amongst small business owners, CEOs and entrepreneurs that cyber criminals are more likely to target larger firms because of the greater potential for high rewards.
But the reality is very different because cyber criminals simply don’t care about the size of the business they target.
It doesn’t matter where you are based, not least because the cybercriminal is sitting at home. They don’t think about whether your business is based in a small town or even a village. All they look at is the data on offer.
In some cases, smaller businesses may be in greater danger.
Larger companies have more sophisticated defences in place to combat cyberattacks and train their staff to recognise cyber threats.
So, they may have to deal with a greater volume of cyber crime, but the chances of it having a financial or organisational impact are lower.
One of the most common cyber-attacks is an email asking for money to be transferred, and these emails are becoming increasingly sophisticated. They rely on human error, which means absolutely any business can be impacted.
How big a problem is it?
Social engineering sees cyber criminals manipulate people into sending money to bogus accounts or into divulging confidential information. Ransomware attacks involve criminals stealing or deleting data and demanding a ransom to return it. Both are now prevalent.
The Cyber Security Breaches Survey 2022, issued by the UK’s Department for Digital, Culture, Media and Sport, released some alarming figures, including:
48% of small firms and 59% of medium-sized firms suffered a cyber-attack in the last year.
31% of businesses and charities said they were attacked at least once a week.
2021 was the most costly and dangerous year on record for ransomware attacks, with an estimated 714m attempts over the course of a year. This is a 134% surge compared to 2020.
When you consider there are an estimated 5.5m SMEs in the UK, accounting for three-fifths of employment and half of turnover in the UK private sector, this is a significant issue. [1]
Other reports this year have backed up the data.
The 2022 Cyberthreat Defense Report looked at cyber security in countries right across the world.[2]
It found that in the UK 81.4% of organisations had experienced at least one cyberattack in the previous year, compared to 71.1% in the previous 12 months.
Many countries fared even worse, including Colombia (93.9%), Turkey (93.7%), and Spain (91.8%).
The report suggested that 73% of UK organisations dealt with a ransomware attack in the last year.
Meanwhile, the DLA Piper Data Breach Report 2022 [3] revealed the UK has issued €45,350,000 worth of GDPR fines in the space of a year, with Ireland even higher at €226,046,500.
Which sectors are impacted most?
The most accurate answer is that all types of businesses are under threat, but that doesn’t mean that trends do not emerge.
A lot of manufacturers are being targeted, which is new. In the past there was a feeling that cyber criminals were only interested in the financial institutions. But that’s no longer the case.
Any business which stores data is at risk. Retail, online shopping, High Street shops, hairdressers, independent shops, for instance.
The same goes for charities. The percentage of charities which take out cyber insurance is lower than for regular businesses, and that’s a worry because cyber criminals don’t discriminate. They are happy to target anyone who holds data.
Why choose cyber insurance?
The statistics on insurance reported in the Cyber Security Breaches 2022 report are interesting because they suggest a shift in what businesses want and expect from insurance.
Around 43% of businesses in the UK are insured against cyber security risks, unchanged since 2021, and only 5% have specific cyber insurance.
But what they value most is not insurance against financial loss – only 3% of breaches resulted in money being stolen – but post-breach support.
This mirrors what we see at A-Plan. Having a help number that you can contact 24/7 and speak to someone about breach recovery is hugely helpful.
This is especially important after a ransom attack when a business has been told by a cybercriminal ‘we’re going to delete all your data unless you pay a ransom’.
Often what happens is that if businesses do pay, they still don’t get their data back.
Other impacts can be a temporary loss of access to files, websites and third parties. There is also a threat of reputational damage – which is a huge issue for charities.
Cybersecurity strategies
Insurers are here to help but they increasingly require businesses to do more before they offer cover.
They are asking for multi-factor authentication to be in place, for instance. For bigger companies they want to see cyber breaches included in the company’s business continuity plan. They want all reasonable precautions taken in advance.
If you have car insurance, you cannot leave the keys in the car and expect to be automatically covered. It’s the same with cyber. So, businesses need to take the threat seriously – it’s an issue which can no longer be ignored. Insurance is not only about indemnifying losses but also incentivising better cyber hygiene and strengthening resilience.
Cyber breach figures in 2023 are almost certainly going to rise again.
[1] https://www.fsb.org.uk/uk-small-business-statistics.html
[2] https://www.isc2.org/-/media/ISC2/Research/Cyberthreat-Defense-Report/2021/CyberEdge-2021-CDR-Report-v10–ISC2-Edition.ashx
[3] https://www.dlapiper.com/es/spain/insights/publications/2022/1/dla-piper-gdpr-fines-and-data-breach-survey-2022/