Cyber crisis: How small businesses are underestimating cyber crime

New poll reveals 80 per cent of SMEs and micro-businesses don’t see cyber-attacks and data loss as a significant threat to their business.


The headlines might be dominated by news of cyber-attacks against big name businesses, but it’s becoming increasingly clear that SMEs and micro-businesses are just as much at risk from hackers – even though many don’t recognise the threat.




A new poll of 1,000 SMEs and micro-businesses – the SME Cyber Survey 2018 – carried out for Aon by OnePoll, showed that more than eight out of 10 don’t see cyber-attacks or data loss as a significant risk for their business. Over half are also confused by, or even unaware of, the General Data Protection Regulation (GDPR) introduced in 2018, which set out businesses’ responsibilities when it comes to confidential client data.


Two thirds of SMEs fall victim

The new findings follow a 2018 survey from the National Cyber Security Programme that revealed nearly half of UK businesses experienced at least one cyber security breach or attack in 2017.


At the same time, 66 per cent of SMEs and 45 per cent of micro-businesses were also shown to have been victims. But despite their vulnerability, only 15 per cent of micro-businesses and sole traders have undertaken cyber training, and 25 per cent admitted to not protecting electronically held customer data.

Aon’s broking manager Chris Mallett said: “One in three small and micro-businesses don’t see personal information stolen as a result of cyber-attack or fraud as a data breach.


“The same number admitted they’re unaware of the time limit on reporting losses, exposing their companies to the risk of huge fines under GDPR rules. Although fines are expected to be issued as a last resort, they can be up to €20 million or four per cent of annual turnover,” explained Mallett.


“The fallout from non-compliance with GDPR could bring a small business to its knees.”


Dr Emma Philpott from the UK Cyber Security Forum said: “I don’t think companies realise how awful the impact of a data breach can be or the amount that actually has to be done.


“It involves everything from mandatory reporting to keeping affected customers or clients informed. It can leave those clients fearful and cause reputational damage. It’s not just about replacing laptops or paying a fine.”


Tackling the insurance deficit

Many SMEs and micro-businesses also make the mistake of believing their existing business insurance will pick up the cost of a cyber-attack or data breach.

“Around one in seven believe the costs are covered by their professional indemnity insurance,” added Mallett.


Professional indemnity insurance won’t pick up significant costs such as restoration of IT systems, notification of clients and legal costs. Yet more than three in 10 choose not to insure against cyber-attacks or fraud, even though many SMEs and micro-businesses are surprised by how affordable cyber insurance can be.


“Specialist policies cover the cost not only of responding to a breach, but also of the damages you’re legally liable to pay in the event of a breach or security failure – plus associated legal costs,” said Mallett.


Five steps to protect your business against cyber-attack

Protecting against a cyber-attack can range from taking simple precautions, such as having robust password rules, through to buying cyber insurance. Here are five top recommendations to help protect your business from a cyber-attack.


  1. Install anti-virus software or check existing software is up to date on all employees’ computers and laptops (or any device they use for work).
  2. Check how suppliers handle data and that their processes comply with GDPR.
  3. Have simple, clear policies in place to create a cyber-conscious culture in the workplace (everything from password rules and backing up work to using WhatsApp groups and checking what data employees can keep on their computers).
  4. Be aware of your obligations if a data breach happens (and make employees aware too, to avoid a breach not being escalated correctly).
  5. Check what your professional indemnity or business insurance covers and consider cyber insurance. This can cover the cost of responding to a breach, as well as damages. It can also give you access to specialist support ensuring the breach will be dealt with in line with GDPR requirements. Make sure your cyber insurance comes with a pre-approved panel of providers, including legal and IT experts, who are immediately available to you in the event of a breach.

For further information on the issues covered by this article, please contact Aon on 0330 134 5710.


*Whilst care has been taken in the production of this article and the information contained within it has been obtained from sources that Aon UK Limited believes to be reliable, Aon UK Limited does not warrant, represent or guarantee the accuracy, adequacy, completeness or fitness for any purpose of the article or any part of it and can accept no liability for any loss incurred in any way whatsoever by any person who may rely on it. In any case any recipient shall be entirely responsible for the use to which it puts this article.
*This article has been compiled using information available to us up to 10 January 2019.

Meet the author

Aon plc is a global professional services firm headquartered in London that provides risk, retirement and health consulting.