At a glance
- While data breaches are a risk for every business, SMEs are often more vulnerable because they typically lack the resources to invest heavily in cyber defences
- The introduction of GDPR in May 2018 means that businesses have to report a data breach to the Information Commissioner's Office and could face a fine
- We take a look at some of the data breach scenarios SMEs may face
Almost every type and size of business today is reliant on data.
While all businesses will understand that some of the data they hold – such as employee payroll details, or customer addresses and passwords – could be susceptible to attack by cyber criminals, there can be a perception that SMEs are less vulnerable than larger firms.
The reality is that small businesses’ data are being targeted – it’s just that these attacks are not as widely reported.
The introduction of GDPR in May 2018 meant that businesses now have to report a data breach to the Information Commissioner’s Office within 72 hours after detection and could possibly face a fine.
Fines for non-compliance with the GDPR can be as high as 4% of a business’ global turnover, up to a maximum of approximately £18m. In the 12 months following the implementation of the laws, fines totalling €56 million (£50m) from over 200,000 cases have been issued across Europe.
This highlights just how important it is for SMEs to protect their data.
How common are cyber attacks on SMEs?
In some ways, smaller businesses are more vulnerable to cybercrime, because unlike bigger firms, they are less likely to have teams of IT specialists in place to prevent or respond to a data breach, or the resources to invest heavily in cyber security.
According to research, over one million UK businesses were hit by cyber-attacks in 2018, with an average cost of £6,400, putting many small businesses at risk of closing should the same happen to them.
What kind of data breaches should SMEs be aware of?
In order to help businesses understand how well prepared they would be for a potential data breach, consider the following scenarios:
- A business owner switches on their computer and finds all their data has been erased as a result of a system failure or malicious attack.
Their first response would likely be ‘when and where did I last back up this data?’ In an ideal scenario, they would be able to recover it quickly and easily. However, what if the person responsible for creating back-ups had failed to do so, or worse still, what if these back-ups had been stolen or corrupted?
Would they have the in-house IT expertise to locate and recover the lost data? How much time would it take staff to try to trace and recover this data, and what impact could this have on their operations?
- A cyber-attack compromises their IT systems.
How easy would it be to detect the source of the attack, and identify what data had been compromised? How easy would it be to prevent the breach from spreading? How much time would it take to alert all those whose data had been breached? How would it impact the business’ reputation?
- A business suspects an employee of stealing confidential information.
How would a business respond if they had reasonable grounds to believe that someone within their organisation was involved in criminal activity by either stealing or leaking confidential information, such as customer details, plans, specifications, drawings or accounts?
In any of the scenarios, would the business know how to obtain and preserve the evidence required to initiate disciplinary proceedings, or potentially to support a criminal prosecution, in a way that would be legally admissible?
For more information, please speak with your local Zurich contact.
This article counts towards accumulating your annual CII CPD structured learning hours for Cyber & Data Security.
By reading this article, and correctly answering the three questions underneath, you will have achieved the following learning outcome: Explain the potential regulatory consequences for businesses of failing to take appropriate measures to prevent, or respond to, a data breach.
Visit the CPD Hub to log in and begin accumulating CPD hours.