Most UK Small Businesses Remain in the Dark About Cyber Risks
A poll of small and medium-sized enterprises (SMEs) and micro businesses in the UK shows over half are confused by or even unaware of the rules around the EU’s General Data Protection Regulation (GDPR), while more than eight out of 10 don’t see cyber attacks or data loss as a significant risk for their business, according to a survey commissioned by Aon.
The Aon poll comes on the heels of a survey earlier this year from the National Cyber Security Programme, which revealed nearly half of UK businesses experienced at least one cyber security breach or attack in 2017, noted Aon in a statement.
The EU’s GDPR data rules, which came into force in the UK in May, drastically increased potential penalties on companies found to have misused or mismanaged clients’ personal data. However, the attitude of SMEs to cyber security is worrying, with one in five saying they have no plans to invest in it in the coming year, said Chris Mallett, broking manager for Aon.
GDPR caused companies to focus on this issue but Dr. Emma Philpott from the UK Cyber Security Forum expressed concern that the focus was short-lived effect for far too many businesses.
Philpott is also CEO of the IASME Consortium, an accreditation body for assessing and certifying against the UK government’s Cyber Essentials Scheme. “As soon as the deadline for GDPR passed, too many thought that was job done and that’s where their responsibility ended,” she said in comments included in the survey report.
“The big data breaches in the press help to raise awareness but they can also cause data breach fatigue; a sense that the time, cost and high-end security to tackle this is complicated and overwhelming,” said Philpott.
“There is a lot of misunderstanding of risks, and still a worry among SMEs that it must be complicated. It is not always about high end security. It’s about having the basics in place to protect you from indiscriminate attacks. Educating staff takes time but doesn’t cost anything at all,” she continued.
Mallett said there are particular vulnerabilities with the growth of flexible working with staff accessing data on-the-go.
But the bring-your-own-device culture, which sees business leaders and their teams using their personal computers, smart phones or tablets for work purposes, can expose companies to the increased risk of a cyber security breach if data is not properly encrypted and controlled, noted Mallett.
The poll of 1000 SMEs, which was carried out by OnePoll, indicates around one in four of SMEs allow staff to use their own devices for work.
“What’s more, it revealed one in three don’t see personal information stolen as a result of cyber attack or fraud as a data breach, with the same number admitting they’re unaware of the time limit on reporting such a loss, exposing their companies to the risk of huge fines,” said Mallett.
“I don’t think companies realize how awful the impact of a breach can be or the amount that actually has to be done,” said Philpott. “It involves everything from mandatory reporting to keeping affected customers or clients informed. It can leave those clients fearful and cause reputational damage. It’s not just about replacing laptops or paying a fine.”
While many companies have professional indemnity insurance (PII) in place, there are often significant costs that professional indemnity won’t pick up, added Mallett, who pointed to the poll results showing general confusion about the likely financial impact of a cyber attack (more than four out of 10 admitted they had no idea).
“Around one in seven believe the costs are covered by their PII and more than three in 10 choose not to insure against cyber attacks or fraud,” said Mallett.
“Although fines are expected to be issued as a last resort, they can be up to €20 million [$22.7 million] or 4 percent of annual turnover,” explained Mallett. “The risk presented by non-compliance with GDPR has the potential to bring a small business to its knees.”
Companies are surprised by how affordable cyber insurance is. “Specialist policies not only cover for the cost of responding to a breach, but also the costs of damages you’re legally liable to pay in the event of a breach or security failure, as well as associated legal costs,” Mallett said.