What Small Businesses Really Think about Cyber risk

Introduction

This article is part of a series of articles called “The Small Business Owner’s Introduction to Cyber Risk”. Each article is dedicated to an important topic that the owners of small businesses should understand as they get started on their journey towards peace of mind from cyber risk.

There is a companion video series available on the Surviving Cyber YouTube Channel and an eBook available for download at: https://pages.survivingcyber.com/ebook

The cyber threat to small businesses has never been at a higher level than it is right now in the post-COVID era. Small business owners are in a uniquely exposed situation because of the close link between their financial livelihood and the fortunes of their businesses. Both could be severely impacted by a cyber-attack.

As the owner or manager of a small business, you may be confused by cyber risk right now, and if you are, you’re not alone. Most people who own or manage small businesses are concerned about the cyber exposures of their businesses. A lot of people are confused by the complexity of the topic and the large number of solutions promoted by the cybersecurity industry.

As the owner of a small business, I understand the small company perspective. Lack of time, money and expertise are real problems for small businesses, but these should not prevent small business leaders from taking reasonable steps to improve business resilience. In these short articles, I hope to show you how.

What's in this Blog Post?

I'll begin with a quick introduction to the survey explaining why it was done, who was involved, how the survey was conducted, where and when. Next, I'll move on to some of the highlights of the survey and some of the findings you might find interesting, and we make some conclusions at the end. 

 Details of the Survey 

This article is based on the results of a survey carried out in the UK by Cyber Plus Solutions, the InsurTech business, in the fourth quarter of 2018. Although the survey is somewhat dated now, the results nonetheless remain interesting and valid. The survey, remember, predates COVID-19, the full pandemic, and the clarity that it brought to the lack of preparedness of small businesses for cyber attacks.

 To get a comprehensive grasp of the small business perspective, the founders of Cyber Plus Solutions, which includes me, undertook research with over 30 firms to find out what they really thought about cybersecurity and cyber risk. It wasn't surprising to see that few owners CEOs or board members knew all aspects of their company's approach to cyber risk. Some chose to delegate the survey to the IT manager, and in such cases, the strategic questions that we had in the survey lacked a detailed response.

85% of respondent businesses had a turnover of under £10 million, 53% were medium-sized businesses (between 50 and 250 employees), and 53% of the respondents were board directors or executive management personnel. No one source of risk was dominant in their responses. They had concerns that were widely spread.

 All the respondents were given access to the questions ahead of the interviews, which led them time to consider the questions and obtain any missing data. And all the responses were aggregated and anonymized. The most comprehensive interviews that we had occurred when the Head of Ops or Head of IT accompanied the owner, the CEO or the board member in the interview.

 From previous reviews and surveys, we believed that small businesses needed more help to understand cyber risk and that cyber insurance offerings fell short of what the market really needed. 

The full survey results are available for download on the Learning Center page of the Surviving Cyber website.

Some highlights of the Survey Findings

  • Eight out of 10 SMBs said that taking steps to improve cyber risk makes good business sense. Over a third confirmed that they had experienced a cyber incident in the last year.
  •  37% of SMBs have already bought cyber insurance, and a further 14% claimed they would look into it in the next year.
  • Half of those asked had not heard of cyber insurance or had a weak or very basic understanding of it.
  • 95% of respondents agreed that cyber risk is a business risk and not just an IT issue.
  • Nearly 60% felt that the board of directors and executive management of their companies had an adequate understanding of their exposure to cybercrime.
  • 43% stated no plans to increase their cybersecurity spending and 39% planned less than a 10% increase in cybersecurity spending.

Further Survey Findings 

  • 22% confirmed having a cyber incident response plan, but on inquiry, most agreed that it was in fact a disaster recovery plan that they had. 
  • 62% had faith in the organization's cyber risk management procedures and their ability to prevent and respond to a cyber incident.
  • Interestingly, 78% of respondents were part of the supply chain of larger organizations, and so they would have felt the influence of those larger organizations and their requirements for cyber risk.
  • 57% indicated that either the owner the CEO or the board was ultimately responsible for cybersecurity in the organization.
  • 84% would be willing to support a company-wide staff training and awareness program for cyber risk.
  • 21% of respondents believed that their outsource or their managed IT service provider was in fact responsible for their data.
  • 59% of respondents were spending less than 5% of the IT budget on cybersecurity.

I hope you agree with me that those findings are very interesting. Given that they predated the COVID-19 pandemic, they predate that massive increase in risk. There was indeed a degree of overconfidence in our group.

Survey Findings related to cyber insurance

 So, further survey findings related to cyber insurance you might find interesting are

  • 85% agreed that they'd like to see cyber insurers offer a broad range of pre-loss services in conjunction with specialist third parties to help them reduce cyber risk.
  • 40% stated that the breadth of cover of the insurance policy was their priority when they considered cyber insurance.
  • 41% would want to buy cyber insurance through a broker if they were buying insurance.
  • 81% would be willing to use IT tools designed to help SMEs assess their cyber risk level if the tools were to be offered by insurers. 
  • 75% will be willing to share with insurers the data produced from those tools designed to assess their cyber risk level.
  • 78% agreed that they would need the help of a trusted IT service provider to address a "to do" list of weaknesses in their company's information security posture.

 Conclusions

So, what conclusions can we draw from the survey?

 Well, although our survey is now almost four years old, it does give an interesting picture of the mindset of small business owners and leaders before the COVID-19 pandemic arose. The overconfidence displayed in this survey by most small business owners around their understanding of cyber risk and the faith that they showed in their ability to prevent and respond to a cyber incident was most likely misplaced.

Some of the findings should also have been of concern to the management teams of small businesses. For example, the survey showed:

  • Inadequate plans to invest in cybersecurity, 
  • A lack of cyber incident response planning, 
  • A mistaken belief that the outsource IT provider was responsible for their data and their systems, 
  • A relatively low level of knowledge around cyber insurance and taker of cyber insurance.

 Finally, I would argue that many of the problems revealed by this survey still remain today. The need for small business owners and leaders to address this ever-growing cyber challenge has never been greater.

Peace of mind from cyber risk

Small businesses are "big business" for Cybercriminals. If you lead a small business, you may struggle to make sense of this complex environment. You could be concerned that you may not be doing enough to prepare your business and your people for a Cyber incident.

If this is your situation, I hope that this article has been useful in introducing you to the topic of cyber risk for small businesses. I also hope it has convinced you that cyber risk is a business-critical risk that can be, and needs to be, managed like any other business risk.

In the next article in this short series, I will provide "10 Tips for improving Small Business Cyber Resilience".

Don’t forget to have a look at the series videos on the on the Surviving Cyber YouTube Channel and download the eBook that accompanies the video series at: https://pages.survivingcyber.com/ebook