UK cyber insurance findings

by Mark Rowe

UK small and medium-sized enterprises (SMEs) lack best practice cybercrime protocols and are woefully unprepared to react to an incident, according to an insurer. Its survey suggested that barely one in five (19 per cent) have a recommended cyber incident response plan (IRP) in place.

While AI continues to add to the complexity and spread of cyber attacks, the survey – commissioned by Cowbell, a provider of cyber insurance for SMEs and mid-market businesses – found that most UK SMEs (77pc) do not have any in-house security, and about one in three CEOs (32pc) stated they were confident a cyber attack would not impact their ability to do business. One in ten (10pc) of those surveyed said they do not need to improve their position regarding cyber risk, and most (87pc) did not consider reputational damage a significant risk to business. The insurance company points to the warning from the UK's official National Cyber Security Centre (NCSC) that global ransomware threats are expected to rise with AI. However, the survey found complacency among SMEs: only minorities (20pc of CHROs, 22pc of Director roles and 28pc of CEOs) considered cyber threats to be their biggest risk. Cyber threats almost fell off the radar of CFOs, who ranked them second to last out of 14 possible threats, with only 8pc considering them their biggest risk.

The survey also found confusion around first responses in the event of a cyber breach; some 8pc of CEOs said that they would engage with the threat actor directly. When respondents were asked about the ‘first action they would take following a data breach’, answers showed a lack of unified response across the C-suite:

CEOs: 10pc said they would notify regulators, while a further 10pc said they’d contact the in-house tech team;
CFOs: 17pc would notify the in-house tech team, 10pc would inform clients/customers and a further 10pc would notify finance;
HR Directors: 24pc felt they should notify in-house finance first;
Senior marketers: 31pc thought they should first inform their tech team, while 25pc said they’d notify their insurance provider.

Comment

VP and General Manager, Cowbell UK, Simon Hughes says: “Almost every day we see a new major cyber attack hit the headlines – and that’s just the ones big enough to warrant news coverage. Whether we put our heads in the sand or not, attacks are on the up. As developments in AI continue, we will almost certainly see an increase in the volume, complexity and impact of cyber attacks in the coming years. It’s not a case of if, but when. But now is not the time to scaremonger, it’s time for proactive planning.”

Broker specialist at Cowbell, Catherine Aleppo added: “Our research indicates some serious gaps in knowledge, leaving businesses highly exposed. The message is clear: resolving the confusion around first responses is a matter of urgency. More support and education on cyber risk and Incident Response Planning needs to happen if businesses are to navigate these incidents and recover quickly. There is work to be done, raising critical awareness of cyber vulnerabilities and safeguarding the UK’s SMEs who form the backbone of the UK economy.”

About the survey

The research was carried out by Research Without Barriers between September 1 and 15, 2023.

© 2024 Professional Security Magazine. All rights reserved.