Cyber risk: Why your Small Business should be worried


In this article, I'll explain why your small business should be worried about cyber risk: what cyber risk is, where it comes from, and what a 2022 report on business cyber readiness found. The cyber threat to small businesses has never been greater, and a cyber-attack could severely damage the financial livelihood of a small business owner.

Hi, it's John Byrne here, entrepreneur, insurance professional, online educator, and founder of Surviving Cyber, where I help small business owners get to grips with cyber risk. This short blog series about cyber risk and cyber insurance will help you prepare for an incident and keep your small business and its people safe.

This is the first of six articles in a short series about cyber risk and cyber insurance. It asks: "Why should cyber risk worry your small business?" Later, I will share some startling findings from the Hiscox 2022 Cyber Readiness Report that you'll want to know.

Here's what I will cover. I'll begin with an introduction to cyber risk and ask whether cyber risk really matters. Then I'll ask why this is happening: why are we seeing cyber risk increasing? From there we move on to the Hiscox 2022 report, which has some very interesting findings about cyber risk that you'll want to see. Finally, I look at the COVID-19 era and draw some conclusions about where small businesses stand on cyber risk today.

Does cyber risk really matter?

So, let's start with the obvious question: "Does cyber risk really matter?" Well, the World Economic Forum each year publishes its top five global risks, and for the last several years cyber risk has consistently been listed in the top five. The UK respondents to the WEF survey have always rated cyber risk as number one. So clearly, for these companies, cyber risk is a major concern. In fact, the global cost of cybercrime was projected at $6 trillion for 2021, a truly staggering number. If global cybercrime were a country, that figure would rank it among the largest economies in the world by GDP. It has doubled since 2015 and is forecast to reach $10.5 trillion by 2025. So, by any standards, global cybercrime is a massive industry, and it is widely described as the most profitable criminal activity in the world.

In a survey by Munich Re, the large reinsurer, 81% of C-level respondents said they believe their company is not adequately protected against cyber threats. Allianz, another large insurer, has reported a more than 70% increase in the average cost of cybercrime to an organization between 2013 and 2019, to $13 million on average, and a 60% increase in the average number of security breaches. Bear in mind that these figures predate COVID-19 and, as we'll see in a moment, there was a large spike in cyber activity in 2020 and 2021 that has been sustained into 2022.

Why is this happening?

The next question is "Why is this happening?" Why are we seeing this dramatic increase in cyber-attacks? In a word or two: digital transformation. Our environment is constantly changing, and because our business and personal environments change, the risks we are exposed to and the loss scenarios we face change with them.

You may remember the global cyber-attacks of 2017, NotPetya and WannaCry. Both spread as ransomware (although NotPetya was effectively destructive, since its victims could not recover their data even by paying). There were also mega data breaches in 2018. And, as we've said, COVID-19 struck in early 2020. So our environment has changed dramatically in recent years. Digital transformation and this hyper-connected world have led to a situation where every business is connected to other businesses. The supply chain effect means that if any one business is interrupted, it causes business interruptions for the businesses that depend on it. It's often been said that "COVID-19 was the biggest digital transformation officer in the world", because people and businesses had to adjust, and a lot of the intransigence and hurdles were simply swept away.

Our environment changes

Not only has our environment been changing, but the pace of that change has been quickening. We are all very familiar with personal devices, such as our mobile phones, connected to our networks. With cloud computing, we're no longer storing data on-premises; we're storing it in the cloud. The Internet of Things is just beginning to take effect, with billions of devices coming online in the next few years, most of which have not been designed with security in mind. All of this change means that the concept of a secure perimeter, an area within which your business could safely operate, is disappearing. We now have an expanding digital estate, so our businesses no longer fit neatly into a "secure box".

We also have multiple attack vectors, the ways in which the "bad guys" can get access to our businesses. A vector is something such as an instant message on a social media platform, an attachment to an email, or a malicious website. Any of these vectors can lead our business into difficulty, and as the number of vectors grows, the "risk surface" of our business (what security professionals call the attack surface) grows with it.

We also have a growing sophistication of attacks and a growing volume of advanced threats. It is no longer the simple threat of the past, where malware was thrown into the wild and if it struck, that was just bad luck. This is very, very different. We now have ransomware, where entire systems and entire databases are held to ransom. We have phishing, where criminals seek out and target individuals within companies. We have business email compromise, such as CEO fraud, and we have data breach losses. And we even have nation-states sponsoring attacks by sharing cyber tools with cyber criminals.

So sadly, the conclusion one comes to is that the attackers are ahead of the defenders. Worryingly, the average time to detect and contain a breach is now about 280 days, which is over nine months, and most of that time passes before the intrusion is even noticed. So, for many months, the attackers have been in your network, waiting for the opportune time to strike. And the average life cycle of a cyber-attack is 11 months, which means that your entire business is tied up for 11 months dealing with the problem.

The Hiscox 2022 Cyber Readiness Report 

The Hiscox Cyber Readiness Report 2022 contains some very interesting findings. It is a survey of businesses in eight countries: the USA, the UK, the Netherlands, Germany, Belgium, France, Spain, and Ireland.

  • The first finding was that in almost every country, respondents rated cyber as the number one threat to their financial health. The exception was Ireland, where companies ranked the pandemic first and cyber second.
  • About half of the companies reported a cyber-attack in the last 12 months. The median cost of these attacks rose 29% over the 12 months, to just under $17,000. However, the median cost as a percentage of company revenue was two and a half times higher for "cyber novices", the companies the report classifies as least prepared for cybersecurity.
  • 19% of respondents reported a ransomware attack, a relatively small percentage given the publicity ransomware has received. However, two-thirds of those companies paid the ransom.
  • And in case there's any comfort in a median loss of $17,000, it is worth noting that 20% of companies across all the countries said that a cyber-attack almost rendered them insolvent. Not surprisingly, 64% of the companies in the survey now have cyber insurance in place.
  • Another interesting finding is the gulf in perception of the seriousness of cyber risk between those who have been attacked and those who have not. In essence, those who have been attacked have learned the hard way, through experience, that cyber risk needs to be taken very seriously.
  • The change in the environment is also visible in the Hiscox report, where 62% agreed that their business is now more vulnerable to a cyber-attack as a result of working from home. COVID-19 accelerated companies' move to the cloud and led to a big jump in attacks by cybercriminals against cloud servers. This is a good example of cyber criminals adapting their tactics to the changing environment.
  • Overall, respondents' mean cybersecurity spending was up 60% in the past year. But smaller companies were spending less and being targeted more by cybercriminals. This is a worrying trend for small companies, because they are the most exposed and the least protected.

Some Surprising Findings

Earlier, I said I would share some startling findings from the Cyber Readiness Report that you'd want to know. Here they are.

  • Nearly twice as many cyber experts as cyber novices consider their exposure to cyber-attack to be high or very high: 58% compared to 32%, even though the experts have built better defenses. Experience has taught the experts that no matter what they do with cyber defenses, the risk remains, and remains high.
  • Nearly four out of five firms that do not have cyber insurance cover, and don't plan to get it, did not experience an attack in the past year. These companies presumably feel quite secure because they have not been attacked, and they have yet to undergo the shift in perception that is common among cyber-attack victims. In essence, those who have been attacked tend to recognize that cyber insurance is a good idea.
  • 72% of companies agree that they will damage their brand if they don't handle client and partner data securely. This is logical, but it is still interesting to see such an overwhelming majority agreeing that brand damage is a likely result of a cyber-attack.

The impact of COVID-19

There has been a dramatic restructuring of corporate activity in the last 24 months. Almost overnight, businesses were forced to change the way they operated in order to survive, and this created huge opportunities for cybercriminals to gain access to systems and data. As a result, and unsurprisingly, the frequency and severity of attacks have increased. A significant increase in malware and ransomware incidents was already being reported in 2020, and it has continued into 2021 and 2022. Small and medium-sized businesses were already being targeted in 2019 and 2020, and that too has continued into 2021 and 2022, largely because SMEs have fewer security capabilities and fewer resources. Sadly, the conclusion is that businesses are more vulnerable now than they were before.

SMEs are highly exposed. For most small companies, an incident is inevitable, and when it happens it will put the business, its reputation, its customers, and its trading partners all at high risk. So, what is the conclusion, and what is the response to this threat?

  • The main response is to consider your assets: what are the key information assets of the business?
  • Then consider the threats to those assets.
  • Having done that, consider the vulnerabilities that exist in your defenses.
  • All of this translates into a measurement of risk.

It's all about resilience through risk management. That is our objective, because there is no such thing as 100% protection from cyber risk.

Thanks so much for reading this article. I hope you now see why cyber risk should worry your small business. Before you go, I want to give you access to my free cyber resilience video workshop, "How Small Business Owners can create their first Cyber Resilience Plan in less than 30 days". It's full of practical tips that you can implement. Use the link to get access now.

I hope to see you again soon for article two in the series, where I explain the online risks that every small business must understand.