July 2017
When it comes to cyber crime, small and medium-sized enterprises (SMEs) are doubly susceptible to be victimised. That’s because, in addition to the potential cost of being hit by hackers and other cyber criminals, they also risk losing the confidence of consumers, with 58% saying they would be less likely to use a company’s services if an incident happened, according to the Small Business Reputation and the Cyber Risk report.
Trust plays a major role at every step of the path to customer engagement, according to cxLoyalty’s report, The Connected Customer. Without it, there is less of a chance that a customer will consider a company favourably and make it further along the path to loyalty.
If this isn’t enough to convince SMEs they must invest in cyber security, they should consider the potential fines attached to the General Data Protection Regulation (GDPR), which becomes effective in May 2018, for those who don’t take steps to protect customer data.
In today’s connected world, no one is out of reach of hackers and other cyber criminals. Just last month, the WannaCry ransomware attack crippled the computers of 200,000 people in 150 countries. The effects disrupted the operations of thousands of large companies, banks, hospitals, universities, and many other organisations.
While large organisations often make the headlines when it comes to cyber crime, SMEs are even more vulnerable according to many experts. In 2015, Symantec found that 75% of SMEs, compared to 35% of large companies, were the victims of SPEAR phishing attacks, which open the gate to ransomware in 97% of cases, according to another study.
The National Cyber Security Strategy for 2016-2021 estimates the average cost of breaches for small companies in 2016 was £3,100. The most serious attacks can cost as much as £310,800, a significant increase on the 2014 price tag of £115,000, according to the results of the Information Security Breaches Survey.
“SMEs are being viewed as a softer target by criminals, and are often a route to a ‘bigger prize’ if they are contracting with larger organisations, who may be harder to penetrate directly,” argues Stephen Ridley, acting head of technology, cyber and data for insurance company Hiscox.
In part, the problem is that many “small companies are not in a position to have a dedicated IT department, and many either outsource IT functions or assign duties to an employee with other responsibilities − often the owner him/herself,” explains Todd McCracken, President of the American National Small Business Association.
The fact that many SME owners have neither the knowledge nor the resources to ensure their company’s cyber security and that of their customers is worrying, but perhaps even more alarming is the fact that many others assume cyber crime is something that only affects larger businesses.
“Burying your head in the sand may save money in the short term, but the cost of hacking could range from minor inconvenience, reputation damage, loss of customer data, fines and ultimately company closure,” says Salford University digital business expert and lecturer, Alex Fenton.
The evidence presented in the Small Business Reputation and the Cyber Risk report clearly supports this and shows the potential ramifications of a cyber breach can be “huge and long-lasting” with 89% of victim SMEs reporting:
SMEs are a major component of the EU28 economy, according to the 2016 Annual Report on European SMEs. In 2015:
The sheer number of SMEs and their impact on economies of the world, over coupled with the fact that they are increasingly embracing interconnected IT systems, makes their cyber vulnerability that much more of a global issue.
When a customer evaluates a provider, they “need to be satisfied by both the company and their relationship with it” in order to feel some engagement toward it, says The Connected Customer report. “They need to have full confidence in the company and believe that it is trustworthy.” In fact, the report shows that trust plays a major role at almost every step of a customer’s journey toward engagement and loyalty.
Being vulnerable to cyber attacks puts customer satisfaction and trust at risk since victims of cybercrime are much more likely to develop negative feelings toward a company that was unable to protect itself and its customers, according to research conducted by Opinium.
When consumers were asked to comment on recent high-profile cyber attacks,
This is echoed by the findings of Gemalto’s Data Breaches and Customer Loyalty Report, which shows that three-quarters of consumers believe “companies do not take the protection and security of their data very seriously” and 69% think it’s the company’s responsibility to protect it.
“Just like a fire drill, having a plan of action for responding to a cyber incident is crucial,” says ConnectOne Bank CEO, Frank Sorrentino. “Even more important, it should be practiced so that all your employees know exactly what to do in the event of a breach.”
Those who can afford to hire professionals should do so as they can help SMEs protect their data and online reputation. Protection suites can help SMEs’ concerns about cyber threats and offer solutions in the event of a breach, as well as help manage the fallout in a constructive manner, that minimises the loss of consumer trust.
For those who can’t afford the expense, there are a number of resources available.
The UK Government’s Cyber Essentials website includes a self-assessment questionnaire as well as documents that are free to download. SMEs can also apply to get accredited and receive a badge they can display to reassure customers and partners they take cyber security seriously.
At a minimum, SMEs should follow the three simple steps outlined by Cyber Streetwise:
On May 25, 2018 the General Data Protection Regulation (GDPR) will become effective. The GDPR is meant to harmonise data protection standards across the EU and for those who don’t heed the warning, penalties could be crippling according to the Payment Card Industry Security Standards Council (PCI SSC).
This means companies of all sizes “need to act now and start putting in place robust standards and procedures to counter the cybersecurity threat, or face the prospect of paying astronomical costs in regulatory fines and reputational harm to their brand,” says Jeremy King, international director at the PCI SSC.
In order to prepare for the GDPR, SMEs should:
As SMEs’ activities are more and more intertwined with the online world, their risk of being attacked by cyber criminals also increases. Because they often lack the resources and knowledge to defend themselves, SMEs are particularly vulnerable to these types of attacks.
As a result, they run the risk of exposing their customers’ personal information leading to a loss of trust and reputation. In today’s world, being prepared against cyber crime is no longer an option. The consequences of ignoring the risk of cyber attacks are too great both in potential financial cost and loss of custom