Small-to-medium sized businesses (SMEs) are an attractive target for cyber criminals seeking to exploit their relatively weak cybersecurity systems. Despite this, many SMEs are unaware of the scale of the threat, which can pose an existential challenge to business operations.
Fortunately, implementing robust cyber risk management measures, supplemented with cyber insurance, can help SMEs to mitigate risks and become more resilient.
Why cyber criminals target SMEs
Cyber-attacks remain a common threat to businesses. According to the most recent Cyber Breaches Survey, half of all UK businesses experienced a cyber-attack in 2024.
SMEs are a particularly attractive target for cyber criminals. Compared to larger organisations, SMEs are likely to have fewer overall resources to dedicate to cyber security, and they are typically less well-prepared to respond to cyber incidents when they occur.
Many SMEs also play an important role in the wider supply chain – for instance, as a supplier to multiple larger and smaller organisations. Cyber criminals will proactively target SMEs with the intention of causing significant knock-on disruption and losses. This form of attack is becoming more common: an estimated 97% of FTSE 100 businesses suffered a third-party cyber-attack in the last year, according to a report from Security Scorecard.
The impact of cyber crime
Cyber-attacks can have a devastating impact on the organisations they target. According to Hiscox’s 2024 Cyber Readiness Report, 61% of business leaders believe the reputational damage from a cyber-attack would significantly damage their business. 64% risk losing business if they do not handle client and partner data securely.
SMEs are exposed to a disproportionate risk from existential threats arising from a cyber-attack. According to research from the Association for British Insurers (ABI), an average SME breach is more costly, per employee, than a cyber-attack in a larger business. For their size, SMEs also hold a relatively high volume of customer, employee, and supplier data, as well as other forms of valuable or sensitive information. The financial and reputational cost of a breach is, therefore, likely to far outweigh the initial cost of investment to fortify digital perimeters for SMEs.
The same report also notes that take-up of Cyber Insurance among SMEs is relatively low, despite SMEs being among those likely to benefit most from its protection. SMEs may believe themselves too small to require insurance protection, or they may consider the onboarding process for insurance to be overly onerous. The report also found that SMEs may be unfamiliar with the nature and complexity of cyber risks, and they may fail to understand the associated jargon.

How SMEs can build cyber resilience
Amid the growing cyber threat, robust cybersecurity investments are no longer a luxury for SMEs, but a strategic necessity. Building cyber resilience is essential to ensure business continuity and avoid financial and reputational damage, operational disruption, and harm to employees and customers.
The ABI report proposes nine key strategies to improve SME cyber hygiene:
Keep software and systems updated
Back up data on a regular basis
Educate staff on cybersecurity
Implement strong password policies (including multi-factor authentication)
Install and maintain properly configured firewalls and antivirus software
Actively manage user access and use encryption
Implement monitoring and controls on device storage, app downloads, public Wi-Fi and USBs
Plan for incidents and test plans
Manage supply chains with cyber security in mind
There is no one-size-fits-all approach when it comes to cyber security. However, the above controls provide a set of standards and are deemed good business practice to have in place. Although the list may be daunting, it provides SMEs with a positive framework to assess their current level of security and establish room for improvement.
By demonstrating a proactive approach to cyber risk management, SMEs will improve their chances of securing Cyber Insurance and reducing their insurance premiums.
For more information about cyber resilience, and how Cyber Insurance can protect your business against cyber-attacks, reach out to a member of our team.