Small Businesses That Ignore Lessons from Cyber Attack Likely to Suffer Another: Hiscox

June 20, 2018

While 47 percent of small businesses suffered at least one cyber attack in the past year, only 35 percent of them took action following a cyber security incident to mitigate against another. Forty-four percent of small businesses that reported a cyber attack in the past year experienced two, three or four attacks.

The 2018 Hiscox Small Business Cyber Risk Report also found that barely half (52 percent) of small businesses have a clear strategy around cyber security. That’s despite the fact that two-thirds of small businesses surveyed reported cyber risk as a top concern for potential business impact on their organization in the coming year.

Less than a quarter (21 percent) of small businesses have a standalone cyber insurance policy, compared to 58 percent of large companies.

About half of small firms blame a lack of finances for their failure to address cyber.

Less than one-third (32 percent) of small businesses have simulated phishing experiments to assess employee behavior and readiness in the event of an attack.

While budgeting for cyber-related resources is critical, people, processes and technology must also be incorporated to ensure cyber readiness, according to the report from the specialty insurer.

“Small businesses are less likely to have strategies in place to ward off attacks, detect them early if they do occur, and reduce the damage. And, they are less likely to be able to withstand the financial impact of a hack or beach,” the report says.

The report acknowledges that all businesses face trade‑offs when allocating limited resources, but warns that the cost of a cyber incident can be significant and it increases as a company grows. Small businesses estimated their average cost for incidents in the last 12 months to be $34,604. Among large companies (more than 1,000 employees), the annual average cost of cyber crime was $1.05 million, according to the report.

When it comes to cyber security, Hiscox says there are steps that are not complex or costly that businesses can take. The insurer recommends small businesses consider the following steps as best practices:

  • Prevent: Involve and educate employees at all levels within the business. Have a formal budgeting process in place and ensure cyber security is considered and prioritized in decision-making.
  • Detect: Include intrusion detection and ongoing monitoring on all critical networks. Track violations (including those that are successful and thwarted), and generate alerts using both automated monitoring and manual logging.
  • Mitigate: Create a plan for all incidents, from detection and containment to notification and assessment, with specific roles and responsibilities clearly defined. Regularly review response plans to integrate emerging threats and new best practices. Insure against financial risks with a stand-alone cyber policy or endorsement.

For the survey, Hiscox commissioned Forrester Consulting to assess organizations’ cyber readiness. In total, 4,103 professionals responsible for their organization’s cyber security were contacted (1,000 plus each from the UK, U.S., and Germany, and 500 each from Spain and the Netherlands). Respondents completed the online survey between October 12, 2017, and November 10, 2017.

Related: