UK SMEs are underprepared to respond to a crisis scenario, despite being aware that security threats are rising and with 44 per cent expecting to face some form of attack in the near future, research reveals.
Of the 1000+ SME business leaders surveyed, 43 per cent admitted to having no contingency plans for a crisis or not knowing what those plans were. Furthermore, only 30 per cent have insurance in place that would respond to a security crisis — such as terrorism, cyber extortion, sabotage, product tamper or emergency repatriation — with a further 40 per cent not knowing if they have insurance cover or not.
The research also highlighted a very clear gap in perception between the threats SMEs face and their level of preparedness. More than two-thirds of SMEs questioned believe they are resilient and well-equipped to deal with a security crisis, despite their planning and insurance protection levels showing otherwise.
There is, however, a widespread understanding that threat levels are growing, with one in five UK SMEs having faced an external security threat in the past two years while more than double that number believes they could face a threat in the coming 12 to 18 months. More than a quarter of those asked say they specifically expect to suffer cyber extortion in the near future.
Comparing the responses of SME leaders with those of larger companies, the research clearly showed that many SMEs feel they are too small to be targeted, with only 17 per cent having tried to assess their exposure. But today’s low-frequency, high-impact security threats — such as terrorism and cyber extortion — are often non-targeted in their nature and effect. Large security cordons, for example, prevent access to premises, while mass ransomware attacks mean smaller firms are often more vulnerable than large organisations.
Identifying this perception gap shows there is an important role for brokers to play in helping small and mid-sized firms better understand the nature of today’s security threats, their vulnerability to them and the steps that can be taken to mitigate those risks over and above the arrangement of insurance.
Paul Bassett, Managing Director of Gallagher’s Crisis Management practice, said: “It is vital for SMEs to build a culture of crisis resilience. Their growing awareness of an overall increase in security threats needs to be matched by actions that will help them mitigate and manage their own vulnerability to those risks. Our research shows education is key; clearly, there is a disconnect between the current level of planning by SMEs and how resilient they believe themselves to be, creating a false sense of security.
“Many evidently feel they are too small to be targeted but today’s fast-evolving security threats are often not targeted at any particular company or industry. Exposure to the risk of non-damage business interruption – where no physical loss has been suffered but you aren’t able to trade – is a particular area of concern. That could be experienced because of proximity to a terrorist incident or an indiscriminate cyber extortion attack, for example.”
Justin Priestley, Executive Director of Crisis Management at Gallagher, added: “It’s impossible to insure against every eventuality, but brokers have an opportunity to demonstrate their value by taking a consultative approach and working with SMEs on a more in-depth risk assessment and analysis. This will allow clients to make informed decisions about the steps they can and should take to become more crisis resilient.
“The provision of new solutions that respond to a wide range of security threats but at a cost-effective price point will also help to ensure smaller businesses, in particular, are in a better position to anticipate, prevent, respond, and recover if hit by the unexpected. After all, a £50,000 cyber extortion demand or week of business closure is much more likely to threaten the survival of an SME than a large firm.”