Stalked by the specter of cyber

Expert risk article | November 2023
SMEs are more vulnerable to economic shocks and the impacts of business interruption than larger companies, with rising cyber-crime exerting a particularly serious toll on their activities. 

Small and medium-sized enterprises (SMEs) represent about 90% of businesses and provide more than 50% of employment worldwide, according to the World Bank. [1] 

The European Commission says SMEs represent 99% of all businesses in the EU, employ around 100 million people, and contribute half of the bloc’s GDP [2], while in the US, the country’s 30 million SMEs account for nearly two thirds of net new private sector jobs in recent decades [3]. In Germany, the specialist businesses of the famous ‘Mittelstand’ are widely regarded as a model of resilience and innovation.

It’s no wonder so many world leaders describe SMEs as the ‘backbone’ or ‘lifeblood’ of the economy.

Yet, for all their agility and dynamism, SMEs are vulnerable to economic shocks and uncertainty. The World Economic Forum believes 67% of smaller and mid-sized businesses are fighting for survival, in part because of the intense short-term business pressures they face, their limited expertise and resource constraints [4].

And according to the 2023 About usRisk Barometer, an annual survey which identifies the top corporate risks as voted for by firms around the world, one of the major causes of financial disruption that SMEs fear the most is a serious cyber incident. This ranks as the top risk for small-size companies (31% of respondents), while for mid-size companies, it is their second top concern (29% of respondents), ranking just behind the closely interlinked peril of business interruption (see chart).

For SMEs, the cyber risk threat has intensified, not only due to the Covid-19 pandemic and the switch to remote working and digitalization, but also because of their growing reliance on outsourcing for services, including managed IT and cyber security providers, given these firms often lack the financial resources and in-house expertise of larger organizations.

As larger companies have ramped up their cyber protection in recent years, criminals are increasingly focusing their attention on smaller businesses. According to Mastercard’s RiskRecon [5], data breaches at small businesses globally rocketed 152% in 2021, while breaches at larger companies during the same time period rose by 75%. More than half (54%) of SMEs in the UK experienced some form of cyberattack in 2022, up from 39% in 2020, according to Vodafone [6].

SMEs are less able to withstand the business interruption consequences of a cyber-attack. If a small company with poor controls or inadequate risk management suffers a significant cyber incident, there is a chance it might not survive in the long run. In recent years, progress has been made, and there has been good collaboration between insurers, brokers, and clients, but more awareness of, and risk management education about, cyber risk is needed, and the insurance industry has a responsibility to help smaller companies with this process.

“To effectively address cyber security challenges, SMEs should remain vigilant and have a clear understanding of the risks involved and allocate ample resources in terms of personnel, IT infrastructure, and budget to implement the required security measures,” says Rishi Baviskar, Global Head of Cyber Risk Consulting, About usCommercial.

“Initiating a conversation with an MSSP [Managed Security Service Provider] can serve as an excellent initial move, allowing for the creation of an IT budget and strategy tailored to the business’s specific priorities.”

Businesses can take a proactive approach to tackling cyber threats by ensuring their cyber security strategy identifies their most crucial information system assets. Then, they should deploy appropriate detection tools and techniques tailored to uncover and nullify potential threats attempting to gain network access.

“These measures encompass the use of detection and monitoring software, both at the network perimeter and on endpoints, often involving collaboration with cyber-security service partners,” Baviskar concludes. 

*US$250mn to US$500mn annual revenue.

Source: About usRisk Barometer 2023. Total number of respondents: 519. Respondents could select more than one risk.

*<US$250mn annual revenue.

Source: About usRisk Barometer 2023. Total number of respondents: 912. Respondents could select more than one risk.

[1] The World Bank, Small and Medium Enterprises (SMEs) Finance
[2] European Commission, Entrepreneurship and small and medium-sized enterprises (SMEs)
[3] Office of the United States Trade Representative, Small and Medium-Sized Enterprises (SMEs)
[4] World Economic Forum, Smaller and mid-sized businesses are fighting for survival. This is how they could prosper, July 14, 2023
[5] RiskRecon by Mastercard, Small Business, Mighty Attack Surface, August 23, 2022
[6] Vodafone, Half of SMEs experience surge in cyberattacks – Vodafone research reveals, February 15, 2023

Images: AdobeStock
