London, 27 July 2017
Survey reveals UK SMEs underprepared to respond to rising security threats
- Fewer than one in five (17%) SMEs surveyed has assessed their exposure to rising UK security threats, despite 44% expecting to face some kind of threat in the next 12 to 18 months
- 68% of SME respondents claim to be resilient to security crises yet nearly half (43%) admit to having no business continuity, disaster recovery or crisis management plans in place
- SMEs warned about misconception that businesses need to be the target of an attack to be significantly and negatively affected by one
UK SMEs are underprepared to respond to a crisis scenario, despite their awareness that security threats are rising and 44% expecting to face some form of attack in the near future. This is the key finding of research commissioned by Arthur J. Gallagher, focused on evaluating business resilience, which identifies a perception gap between the level of preparedness of UK SMEs and the growth in security threats.
43% of the 1000+ SME business leaders surveyed by YouGov admitted to having no contingency plans for a crisis or not knowing what those plans were. Furthermore, only 30% have insurance in place that would respond to a security crisis — such as terrorism, cyber extortion, sabotage, product tamper or emergency repatriation — with a further 40% not knowing if they have insurance cover or not.
The research also highlighted a very clear gap in perception between the threats SMEs face and their level of preparedness. More than two thirds (68%) of SMEs questioned believe they are resilient and well-equipped to deal with a security crisis despite their planning and insurance protection levels showing otherwise.
There is, however, a widespread understanding that threat levels are growing, with one in five (19%) UK SMEs having faced an external security threat in the past two years while more than double that number (44%) believes they could face a threat in the coming 12 to 18 months. More than a quarter (27%) of those asked say they specifically expect to suffer cyber extortion in the near future*.
The Gallagher report, Understanding security risks: how SMEs can build a culture of resilience, released today and available here, looks at the understanding of UK SMEs about today’s fast-evolving security threats, their preparedness for the risks they face and the measures in place to help them anticipate, prevent, respond and recover in the event of a crisis. It is Gallagher’s second business resilience report, following the first — published last month — which focused on the preparedness of large UK companies to respond to security threats.
When comparing responses between SME leaders and those of larger companies, Gallagher’s research clearly showed that many SMEs feel they are too small to be targeted, with only 17% having tried to assess their exposure. But the nature and effect of today’s low-frequency, high-impact security threats — such as terrorism and cyber extortion — is often non-targeted. Large security cordons, for example, prevent access to premises, while mass ransomware attacks mean smaller firms are often more vulnerable than large organisations.
Identifying this perception gap shows there is an important role for brokers to play in helping small and mid-sized firms better understand the nature of today’s security threats, their vulnerability to them and the steps that can be taken to mitigate those risks over and above the arrangement of insurance.
Paul Bassett, Managing Director of Gallagher’s Crisis Management practice, said: “It is vital for SMEs to build a culture of crisis resilience. Their growing awareness of an overall increase in security threats needs to be matched by actions that will help them mitigate and manage their own vulnerability to those risks. Our research shows education is key; clearly, there is a disconnect between the current level of planning by SMEs and how resilient they believe themselves to be, creating a false sense of security.
“Many evidently feel they are too small to be targeted but today’s fast-evolving security threats are often not targeted at any particular company or industry. Exposure to the risk of non-damage business interruption - where no physical loss has been suffered but you aren’t able to trade - is a particular area of concern. That could be experienced because of proximity to a terrorist incident or an indiscriminate cyber extortion attack, for example.”
Justin Priestley, Executive Director of Crisis Management at Gallagher, added: “It’s impossible to insure against every eventuality, but brokers have an opportunity to demonstrate their value by taking a consultative approach and working with SMEs on a more in-depth risk assessment and analysis. This will allow clients to make informed decisions about the steps they can and should take to become more crisis resilient.
“The provision of new solutions, that respond to a wide range of security threats but at a cost-effective price point, will also help to ensure smaller businesses, in particular, are in a better position to anticipate, prevent, respond, and recover if hit by the unexpected. After all, a £50,000 cyber extortion demand or week of business closure is much more likely to threaten the survival of an SME than a large firm.”
* The survey was completed just prior to the ‘WannaCry’ ransomware incident and the Manchester and London terrorism events.