Our new poll of SMEs and micro businesses shows over half are confused by or even unaware of the rules around GDPR, while more than eight out of ten don’t see cyber-attacks or data loss as a significant risk for their business.
The poll follows a survey earlier this year from the National Cyber Security Programme that revealed nearly half of UK businesses experienced at least one cyber security breach or attack in 2017, and 66 per cent of SMEs and 45 per cent of micro businesses were shown to have been victims.
The EU rules known as GDPR, which came into force in the UK in May, drastically increased potential penalties on companies found to have misused or mismanaged clients' personal data.
Yet the attitude of SMEs to cyber security is worrying, with one in five saying they have no plans to invest in it in the coming year, says Chris Mallett, Broking Manager for Aon, Commercial Risk Solutions.
According to Dr Emma Philpott from the UK Cyber Security Forum, GDPR has caused companies to focus on this issue, but the concern, she says, is that for too many this was a short-lived effect.
Dr Philpott is also CEO of the IASME Consortium, an accreditation body for assessing and certifying against the Government's Cyber Essentials Scheme. “As soon as the deadline for GDPR passed, too many thought that was job done and that's where their responsibility ended,” she says.
"The big data breaches in the Press help to raise awareness but they can also cause data breach fatigue; a sense that the time, cost and high-end security to tackle this is complicated and overwhelming,” says Dr Philpott. "There is a lot of misunderstanding of risks, and still a worry among SMEs that it must be complicated. It is not always about high end security. It's about having the basics in place to protect you from indiscriminate attacks. Educating staff takes time but doesn’t cost anything at all.”
Chris Mallett says there are particular vulnerabilities with the growth of flexible working, with staff accessing data on the go. The Bring Your Own Device culture, which sees business leaders and their teams using their personal computers, smart phones or tablets for work purposes, can expose companies to an increased risk of a cyber security breach if data is not properly encrypted and controlled, says Mallett.
The poll of 1000 SMEs carried out through OnePoll indicates around one in four SMEs allow staff to use their own devices for work. “What’s more, it revealed one in three don’t see personal information stolen as a result of cyber-attack or fraud as a data breach, with the same number admitting they’re unaware of the time limit on reporting such a loss, exposing their companies to the risk of huge fines,” says Mallett.
"I don't think companies realise how awful the impact of a breach can be or the amount that actually has to be done” says Dr Philpott. “It involves everything from mandatory reporting to keeping affected customers or clients informed. It can leave those clients fearful and cause reputational damage. It's not just about replacing laptops or paying a fine.”
Don't bury your head in the sand
Peter Wright, author of the Law Society Cyber Security Toolkit and managing director of DigitalLawUK, says too many companies don't believe they'll be hacked because they are a small, independent practice.
“But a malware attack is totally indiscriminate. When the WannaCry malware attack took place, Renault-Nissan and the NHS weren't specifically targeted,” says Wright. "It was their operating systems being out of date and unsupported that compromised them, and the same can happen to any other organisation, including independent practices, however small, and however out of the way their location."
Some companies remain resistant to change in working practices to improve security, adds Peter Wright. “They worry their clients won’t like the changes, and we have to remind them they are less likely to want a data breach.”
There is also a misconception that, if a company gets this wrong, the damage is confined to a fine. Wright stresses that a fine, while it can be substantial, is the last thing companies should worry about.
“It’s the reputational damage that can be the hardest to recover from if a company isn't seen to be aware of the risk and ready to deal with any attack,” says Wright. “That can hit turnover and future clients and even partners who might decide to leave and join a different firm.”
"Financial institutions are a key target for cyber criminals for two reasons," agrees Mark Taylor, who is responsible for helping members understand the impact of technology at the ICAEW. "Firstly they hold a lot of personal information and also they are part of the supply chain for those wanting to target other companies."
Getting the right cover can be complicated
While many companies have professional indemnity insurance (PII) in place, there are often significant costs that professional indemnity won’t pick up, adds Aon’s Chris Mallett, who points to the poll results showing general confusion about the likely financial impact of a cyber attack (more than four out of ten admitted they had no idea).
“Around one in seven believe the costs are covered by their PII and more than three in ten choose not to insure against cyber attacks or fraud,” says Chris Mallett.
“Although fines are expected to be issued as a last resort, they can be up to €20 million or 4 per cent of annual turnover,” explains Mallett. “The risk presented by non-compliance with GDPR has the potential to bring a small business to its knees.”
Mallett says companies are surprised by how affordable cyber insurance is. “Specialist policies not only cover for the cost of responding to a breach, but also the costs of damages you’re legally liable to pay in the event of a breach or security failure, as well as associated legal costs.”
Five ways your business could be at risk of breaking GDPR rules
- Allowing staff to use their own computers, tablets or phones for work purposes and the use of paper diaries or calendars for work without proper encryption or controls.
- Storing files which potentially contain personal data outside of a defined structure/naming system.
- Holding unencrypted CCTV footage where individuals are recognisable.
- Using images which feature customers to promote your business.
- Using visitor books where visitors can see other people's information when signing in - such as names, company they work for, their vehicle registration or telephone number.
Whilst care has been taken in the production of this article and the information contained within it has been obtained from sources that Aon UK Limited believes to be reliable, Aon UK Limited does not warrant, represent or guarantee the accuracy, adequacy, completeness or fitness for any purpose of the article or any part of it and can accept no liability for any loss incurred in any way whatsoever by any person who may rely on it. In any case any recipient shall be entirely responsible for the use to which it puts this article. This article has been compiled using information available to us up to 12/12/18.
This article has been compiled using information available to us up to 20/08/21.