
Cybersecurity and cyber insurance guide for SMEs

08 May 2025

Across the world, small and medium-sized enterprises (SMEs) account for a significant portion of the business population and play a vital role in the global economy.

  • In Asia-Pacific (APAC), there are estimated to be around 150 million SMEs [1],
  • 23 million [2] in Europe,
  • 17 million in Latin America (LATAM) [3].

In APAC, Europe and LATAM, SMEs account for between 98% and 99% of the business population [4]. Given the high number, it is surprising to learn from a recent study by Jason Adriko and Rodney Nurse that only 10-15% of SMEs have purchased cyber insurance policies [5].

Introduction - The growing prevalence of cyber attacks

Protecting your business from cyber threats is crucial in today's digital age, as cyber threats pose a significant risk to businesses of all sizes. Though it may be assumed that SMEs are at a lower risk of cyber threats than large businesses, statistics show this is not the case. They are increasingly targeted by cyber criminals due to their potential vulnerabilities.

According to the global cybersecurity firm Sophos, 75% of cyber attacks flagged by their customers were targeting SMEs [6]. In October 2023, it was reported that cyber attacks on European SMEs had risen by 57% [7].

There are many kinds of cyber attacks employed by hostile agents. Attacks have become more sophisticated and frequent, with a wide range of techniques used. Examples of common threats include:

  • Phishing. Tricking individuals into clicking on malicious links or opening attachments.
  • Malware. Installing malicious software to steal data, disrupt operations, or hold systems hostage.
  • Ransomware. Encrypting data and demanding a ransom for its release.
  • Denial-of-Service (DoS) attacks. Overwhelming a network or server to make it inaccessible.
  • Supply Chain Attacks. Targeting third-party vendors to gain access to a business's systems.
     

These attacks can have devastating consequences for SMEs, including data theft or manipulation, financial losses, reputational damage, operational disruptions and legal liabilities.

Implementing effective cybersecurity

In protecting businesses against cyber threats, cybersecurity is essential and should encompass the following:

  • Employee education and awareness. Teaching employees about the importance of cybersecurity and the potential risks and consequences of cyber threats by raising awareness about common threats.
  • Password management. Highlight the significance of using strong, unique passwords for each account and adopt multi-factor authentication to enhance security.
  • Network security vigilance. Train employees to identify the common signs of suspicious emails, especially phishing attempts, and to avoid downloading files or clicking on fraudulent links.
  • Incident response planning. Instruct employees on how to report security incidents promptly with clear steps to follow in the event of a breach to minimise impact and facilitate a timely response.
  • Regular software updates and patches. Apply patches regularly, prioritising critical patches, testing updates prior to general release and using automated tools to receive updates from software providers.
  • Data encryption and backup. Back up critical systems and data to enable an organisation to revert to a previous, stable state in the event of a compromise.
  • Firewall and antivirus protection. Create essential layers of defence against cyber threats by blocking unauthorised access to networks and detecting or removing malicious software.
  • Secure remote access. Vital for enabling employees to work remotely while ensuring that sensitive data and systems remain protected from unauthorised access and cyber threats.

The benefits of cyber insurance for SMEs

SMEs may not be aware of the advantages of having cyber insurance. Benefits include:

  • Financial protection. This can cover costs associated with data breaches, legal fees, regulatory fines, crisis management expenses, and business interruption losses.
  • Reputability. By obtaining a cyber insurance policy, a company can demonstrate its proactive approach to cybersecurity, reducing the potential harm to its brand caused by data breaches.
  • Expert support. Insurers may provide access to incident responders, lawyers, PR professionals and other cyber experts to mitigate damages.
  • Risk mitigation. Insurers’ cyber risk engineers can encourage SMEs to adopt better security practices, reducing their vulnerability to attacks.
  • Regulatory compliance. In some cases, cyber insurance may be a requirement for meeting regulatory standards.

Key challenges and barriers to adoption

Despite the benefits, as Adriko and Nurse’s research [5] shows, many SMEs remain hesitant to invest in cyber insurance. Reasons for this may include:

  • Lack of awareness. SMEs may not fully understand their cyber vulnerability, the risks associated with cyber attacks or the potential consequences of a breach.
  • Cost concerns. The cost of cyber insurance can be a barrier for smaller businesses with limited budgets, sometimes causing them to choose between implementing cybersecurity measures or taking out a cyber insurance policy.
  • Complexity. Insurance policies can be complex, and it may be difficult to understand the claims process. This can make it challenging for SMEs to assess their coverage needs.

Mitigating the cyber risk

To start considering cyber hygiene and implementing measures to address the risk, SMEs may wish to consider the following:

  • Risk assessment. Conduct a thorough cyber risk assessment to identify vulnerabilities and prioritise security measures.
  • Government initiatives. Take advantage of government programmes and incentives that may support cyber insurance or security measures.
  • Policy review. Carefully review insurance policies to ensure they provide adequate coverage for their specific needs.

Conclusion

Cyber insurance is no longer a luxury for SMEs; it has become a necessity in today's digital landscape. By understanding the risks, addressing the challenges, and implementing appropriate strategies, SMEs can better protect themselves from cyber threats and ensure their business continuity. When considering who to partner with, an SME should prioritise an insurer that can provide leading risk management support and strong claims handling support, not just financial protection, to help it navigate this constantly evolving threat landscape.
