SMEs: Emerging risks - Cybersecurity for smaller businesses
In 2018, household names such as British Airways, Marriott Hotels and Facebook faced the potentially devastating consequences of large-scale data breaches. However, the threat may be bigger for small and medium enterprises (SMEs), as smaller businesses lack the same resources to protect themselves against a cybersecurity attack.
If a company has a limited resource pool to draw from, it can be tempting to solely concentrate on protecting against the more traditional and visible risks to the business. It is often only when a cyber incident occurs that a business realises its insurance cover, if any, is inadequate. It is worth highlighting that the General Data Protection Regulation imposes the same responsibility on all businesses that handle personal data, irrespective of size. Because of this, cyber insurance is expected to become a standard part of all business expense in the next five years.
Being a small business does not automatically mean handling small amounts of personal data, therefore an SME may find itself dealing with a data breach with huge financial consequences. The UK’s data protection regulator, the Information Commissioner’s Office will not look favourably on any company that has failed to implement adequate security measures and being an SME is no excuse.
Cyber attacks do not have to be sophisticated to be effective. The most prevalent type of attack in 2018 was by way of business email compromise, often conducted by a phishing attack. Criminals tend to target the mailboxes of senior members of a company, which often contain sensitive information. Many businesses are unaware of a breach until a financial fraud occurs, although the criminals may have had access to the mailbox, and the data held within it, for a significant amount of time.
There remains a widely held misconception that only exfiltration - the unauthorised copying, transferring or retrieval of data - constitutes a breach. However, if the integrity of an IT system has been compromised, resulting in criminals having access to the personal data, this may still constitute a data breach and require notification to the ICO and potentially the affected data subjects.
Any notification to the ICO carries the risk of significant regulatory penalties. The French regulator recently fined Google €50m (£43.4m) and while the ICO is yet to issue a significant post-GDPR fine, some high profile decisions are expected in 2019, the rationale behind which will undoubtedly influence the SME sector.
Regulatory fines grab headlines, but the hidden costs of dealing with a cyber incident may be the most onerous for SMEs. It is not just the immediate consequences of financial fraud and business interruption costs that should be considered, but also the fees for third-party advisors, such as lawyers, IT forensics and press officers. Insurers often have special arrangements with these providers, which means policyholders can access a ‘toolbox’ in the midst of a crisis.
Also of concern are longer term financial and reputational costs, such as the loss of customers or contracts, or the impact of third-party claims made by affected customers.
While a larger business may be able to absorb these additional costs, they could easily overwhelm a smaller company.
A hairdressing salon recently felt the unexpected impact of data breach resulting from a ransomware attack. As a small business with only 15 employees, it did not consider itself at risk of a cyber attack. However, and even though it paid the ransom demand, it did not get its data back and was not able to trade or contact its clients and had no contingency plan in place.
SMEs should, therefore, urgently consider whether their current cybersecurity arrangements are sufficient and formulate a breach response plan for when the inevitable occurs.
This article was originally published on Insurance POST