At a glance
- While data breaches are a risk for every business, SMEs are often more vulnerable because they typically lack the resources to invest heavily in cyber defences
- The introduction of GDPR in May 2018 will mean that businesses will have to report a data breach to the Information Commissioner's Office and could face a fine
- We take a look at some of the data breach scenarios SMEs may face
Almost every type and size of business today is reliant on data.
While all businesses will understand that some of the data they hold – such as employee payroll details, or customer addresses and passwords – could be susceptible to attack by cyber criminals, there can be a perception that SMEs are less vulnerable than larger firms.
The reality is that small businesses’ data are being targeted – it’s just that these attacks are not as widely reported.
The introduction of GDPR in May 2018 will mean that businesses will have to report a data breach to the Information Commissioner’s Office within 72 hours after detection and could possibly face a fine.
Fines for non-compliance with the GDPR can be as high as 4% of a business’ global turnover, up to a maximum of approximately £18m. Yet only just over a quarter (28%) of SME owners can currently guarantee that they could continue operating following a fine of this magnitude, according to the Zurich Risk Index survey.
This highlights just how important it will be for SMEs to protect their data.
How common are cyber attacks on SMEs?
A recent Zurich SME Risk Index found that one in six SMEs had suffered a cyber attack during the previous 12 months.
In some ways, smaller businesses are more vulnerable to cyber crime, because unlike bigger firms, they are less likely to have teams of IT specialists in place to prevent or respond to a data breach, or the resources to invest heavily in cyber security.
The Zurich SME Risk Index identified that fewer than half (49%) of SMEs plan to spend more than £1,000 on cyber defences over the next year. Research also suggests smaller businesses fall victim to certain types of cyber attack more often than larger companies. For example, one study found that while 35% of larger businesses have suffered spear phishing attacks, the figure for SMEs was 75%.
What kind of data breaches should SMEs be aware of?
In order to help businesses understand how well prepared they would be for a potential data breach, consider the following scenarios:
1. A business owner switches on their computer and finds all their data has been erased as a result of a system failure or malicious attack.
Their first response would likely be ‘when and where did I last back up this data?’ In an ideal scenario, they would be able to recover it quickly and easily. However, what if the person responsible for creating back-ups had failed to do so, or worse still, what if these back-ups had been stolen or corrupted?
Would they have the in-house IT expertise to locate and recover the lost data? How much time would it take staff to try to trace and recover this data, and what impact could this have on their operations?
2. A cyber attack compromises their IT systems.
How easy would it be to detect the source of the attack, and identify what data had been compromised? How easy would it be to prevent the breach spreading? How much time would it take to alert all those whose data had been breached? How would it impact the business’ reputation?
3. A business suspects an employee of stealing confidential information.
How would a business respond if they had reasonable grounds to believe that someone within their organisation was involved in criminal activity by either stealing or leaking confidential information, such as customer details, plans, specifications, drawings or accounts?
In any of these scenarios, would the business know how to obtain and preserve the evidence required to initiate disciplinary proceedings, or potentially to support a criminal prosecution, in a way that would be legally admissible?
For more information, please speak with your local Zurich contact.