In a digital-first world where all our data, both personal and professional, is stored online, data protection is a crucial aspect that cannot be overlooked. Despite efforts to encourage businesses to prioritise data protection though cyber insurance, many small-to-medium-sized enterprises (SMEs) remain uninsured. Unfortunately, the common misconception that SMEs are not targeted and are safe from threats is far from the truth.
According to a survey by Markel, over half of SME respondents fell victim to a cybersecurity breach in late 2021. The rise in hybrid working, combined with limited in-house expertise, has made SMEs increasingly vulnerable to cyberattacks. In July 2022, a new type of ransomware attack called ‘BazarCall’ targeted SMEs and was reported by Managing General Agent, CFC Underwriting. These types of attacks accounted for 10 per cent of malware incidences in its portfolio over a three-month period.
Veeam’s 2023 Data Protection Report revealed that cyberattacks caused the most impactful outages for organisations in 2020, 2021 and 2022, and 85 per cent of organisations were attacked at least once in the past 12 months. This suggests that, despite advanced digitalisation, increased awareness, and preparedness, ransomware is still winning.
What makes SMEs vulnerable to cyberattacks?
Businesses of all sizes are vulnerable to cyberattacks, but SMEs are particularly vulnerable due to inadequate data security measures. More often than not, SMEs have limited budgets for cyber protection. A report by the CyberPeace Foundation found that the absence of hi-tech monitoring systems in SMEs essentially lures cyber criminals to force entry into their systems, since their actions can’t be detected. The report also mentioned how security gaps, such as not backing up important data and inadequate cybersecurity policies, can lead to cyberattacks.
Given the scale of the business, SMEs are often more focused on bolstering their business strategies to compete with the industry giants. SMEs may choose to forego investing in proper cybersecurity solutions, which can include data backup and insurance, because they believe only large-scale organisations are at a greater risk of cyberattack. As a result, cybersecurity planning often takes a back seat.
Another major reason SMEs don’t invest in cyber insurance is the lack of technical experts to integrate essential security measures and the rising costs of purchasing a policy. A Global Data survey conducted in 2021 suggests that approximately 29 per cent of SMEs cancelled their cyber insurance to curtail costs.
SMEs are encouraged to place emphasis on their cyber security budgets, because the more they depend on technology for work, the more vulnerable their businesses become to cyber threats. Deloitte’s Cyber Insurance Report found that 63% of mid-sized firms reported cyberattacks in 2019, compared to 36% in 2018. If insurance is out of the question due to a small budget, taking other precautions, such as buying cybersecurity solutions and backing up data, can help.
The way forward for SMEs
It is vital for organisations to maintain basic digital hygiene practices. All enterprises need a dedicated IT security lead with access to business leaders and the authority to direct the security initiative. Smaller businesses also need to allocate resources with designated responsibility for cybersecurity and specialising in data protection, whether that be in-house or outsourced. They should also implement other important cybersecurity measures, such as antivirus software, a strong firewall, and ensuring that employees are well-versed in identifying suspicious links to avoid clicking on ransomware emails.
Finally, there is one fundamental cyber security component that SMEs must take into consideration— data backup with air-gapped protection. Organisations must ensure full protection of their data systems with Backup and Data Recovery across all forms of storage. Veeam advocates the 3-2-1-1-0 backup rule. There should always be at least three copies of important data, on at least two different types of media, with at least one off-site and one offline, with zero unverified backups or backups with errors. According to the Veeam 2023 DPR report, the single most important aspect that organisations are looking for in a Modern Data Protection solution is the “integration of data protection within a cyber preparedness strategy”.
Even simple exercises like regular risk assessments and penetration testing to evaluate the system’s security can help prevent cyber perils. Hence, SMEs who cannot afford expensive cyber insurance can still implement these cost-effective practices to protect their organisation’s data. The more SMEs buy into the need for good digital hygiene, the more alert they become. Safeguarding data along with regulating your cyber policies should be made mandatory. Cyberattacks are real, and measures to prevent them should not be neglected, irrespective of the scale of your business.