This document is based on the results of a survey/interview carried out by Cyber Plus Solutions in the UK in quarter 4, 2018. The full survey results are available for download on the Learning Centre page of our website http://www.survivingcyber.com/learning-centre
Eight out of ten SMBs said that taking steps to improve cyber risk makes good business sense, with over a third confirming that they have experienced a cyber incident in the last year.
The survey has interesting findings on cyber insurance. 37% of SMBs have already bought cyber insurance with a further 14% claiming they will look into it in the next year. Worryingly, half of those asked had not heard of cyber insurance or had a weak or basic understanding of it. Clearly, the insurance industry has a lot more work to do on the education side.
The survey also revealed that 95% of respondents agreed that cyber risk is a business risk, and not just an IT issue. Nearly 60% felt that the Board of Directors and Executive management of their companies had an adequate understanding of the exposure to cyber-crime.
When asked about the needs of the SMB sector, one respondent said: "I really see the value of linking staff education, risk reduction with management dashboards and insurance – a 'one-stop-shop' is exactly what's needed." Another respondent indicated "All of our clients/members would be interested in demystifying of a complex subject".
Some of the findings of our survey, that should be of concern to SMB management teams include the following:
- 21% of respondents believed that their outsourced managed service provider (MSP) was responsible for their data.
- Only 22% confirmed having a Cyber Incident response plan but, on inquiry, many agreed that it was, in fact, a disaster recovery plan
- Nearly 60% of respondents spent less than 5% of their IT budget on cybersecurity and over 40% stated no plans to increase cybersecurity spending
WHY THIS SURVEY WAS NEEDED
To get a comprehensive grasp of the SMB perspective, the founders of Cyber Plus Solutions undertook this research with over 30 firms to find out what they really thought about cyber-security and cyber-risk.
They had carried out extensive research on the market previously and had an understanding of the landscape from their own experience; however, they wanted an up to date accurate representation of the views of SMBs in today’s market.
From previous investigations, the founders believed that SMBs need more help to understand cyber risk and that the current cyber insurance offerings fell short of the SMB market's needs for understandability and credibility.
SMBs need cyber-security because of the frequency with which cyber-attacks develop into major incidents for SMBs and the severe impact they can have. Because SMBs have limited resources to respond and recover, a cyber incident can easily lead to a crisis. Target respondents for the survey/interviews were not' cold leads' but a combination of the founders' connections and those of partner organisations.
This resulted in a unique interview survey process where a discussion was largely held on a 'Principal to Principal' basis, which provided a valuable dialogue and arguably a higher level of confidence in the results.
All respondents were given access to the questions ahead of the interview which provided time for them to consider the questions and obtain any missing data. All responses have been aggregated and anonymized.
22% - confirmed having a Cyber Incident Response Plan, but on inquiry, many agreed that it was, in fact, a Disaster Recovery plan
40% - stated that the breadth of the cover was the priority when considering insurance
78% - of respondents were part of the supply chain of large organisations
62% - had faith in the organisation's Cyber Risk Management procedures, cyber-security readiness and the ability to prevent and respond to a cyber incident
57% - indicated that either the owner, the CEO or the Board is ultimately responsible for cyber-security in their organisation
85% - agreed that they would like to see cyber insurers offer a broad range of pre-loss services, in conjunction with specialist third parties, to help SMEs reduce cyber risk
59% - of respondents spend less than 5%of the IT budget on cybersecurity
21% - of respondents believed that their outsourced Managed Service Provider was responsible for their data
FURTHER REPORT FINDINGS
- 85% of the respondent businesses had a turnover of under £10m
- 53% of the respondents were medium-sized companies (50-250 employees)
- 53% of respondents were Board Directors or Executive Management
- No one source of cyber threat dominated the responses. Concerns were widely spread
- 93% felt their company was well prepared for GDPR with many adding “as far as we know.”
- 43% stated no plans to increase cybersecurity spending. 39% planned less than a 10% increase.
- 40% stated that the breadth of the cover was the priority when considering insurance
- 84% would be willing to support a companywide staff Training & Awareness Programme for cyber Risk
- 41% would want to buy cyber insurance through an Insurance broker if buying insurance
- 81% would be willing to use IT tools, designed to help SME’s assess their cyber risk level if these tools were to be offered by Insurers
- 75% would be willing to share with Insurers the data produced by applying IT tools, designed to help SME’s assess their cyber risk level
- 78% agreed that they would need the help of a trusted IT service provider to address a “to do” list of weaknesses in the organisation’s Information Security posture
Few owners/CEOs/Board members know all aspects of their company’s approach to cyber risk. Some chose to delegate the survey/interview to their IT manager, and in such cases, some of the strategic questions lack detailed responses.
most comprehensive interviews occurred when the Head of Ops/IT accompanied
the owner/CEO/Board member in the interview.
The majority of respondents volunteered how useful and refreshing they found the discussion that ensued during the survey/interview, based around the survey questions. Almost all respondents requested a copy of the results.
For your copy of the full report "Cyber risk - The SME Perspective" visit the Learning Centre page of our website http://www.survivingcyber.com/learning-centre.If you are a small business owner and interested to learn how you can create your pathway to peace of mind from cyber risk, check out our pilot educational course, Surviving Cyber – the small business owner’s Pathway to Peace of Mind from cyber risk.
You can register for the course here. If seats on the pilot course are not available at that time, you can join the Surviving Cyber email list to receive ongoing communication from me. I look forward to getting to know you.