Most small businesses fail to act after a cyber attack  

Nearly two-thirds (65%) of small businesses in the US fail to act following a cyber security incident, according to the 2018 Hiscox small business cyber risk report.

The report also reveals that 47% of more than 1,000 small businesses polled had suffered at least one cyber attack in the past year, and that 44% that reported a cyber attack in the past year experienced two, three or four attacks.

According to the report, seven in 10 businesses globally are unprepared for a cyber attack, but small businesses are disproportionately vulnerable because they are less likely to have strategies in place to ward off attacks, detect them early if they do occur, and reduce the damage.

Small businesses are also are less likely to be able to withstand the financial impact of a hack or breach, the report said.

Two-thirds of small businesses polled said cyber risk is a top concern for potential business impact on their organisation in the coming year, yet barely half (52%) reported having a clearly defined strategy around cyber security. Less than one-third (32%) said they have simulated phishing exercises to assess employee behaviour and readiness in the event of an attack.

At the same time, the survey shows that less than a quarter (21%) of small businesses have a standalone cyber insurance policy, compared with more than half (58%) of large companies.

Despite keeping cyber threats as a top concern, 50% of small businesses said they are challenged by a lack of budget. 

While budgeting for cyber-related resources is critical, people, processes and technology must also be incorporated to ensure cyber readiness, the report said.

It is also crucial to keep in mind that the cost of a cyber incident can be significant, and it increases as a company grows, the report said, adding that small businesses estimated their average cost for incidents in the past 12 months was $34,600.

Hiscox recommends small businesses take steps to prevent, detect and mitigate cyber attacks. “These steps are not overly complex or costly, and small businesses can significantly protect themselves by taking action,” the report said.

In terms of prevention, the report recommends that businesses involve and educate employees at all levels in the business.

“Have a formal budgeting process in place and ensure cyber security is considered and prioritised in decision making,” the report said.

To improve cyber attack detection capability, the report recommends that businesses include intrusion detection and ongoing monitoring on all critical networks.

“Track violations, including those that are successful and thwarted, and generate alerts using both automated monitoring and manual logging,” the report said.

As part of an effective mitigation strategy, the report recommends that businesses create a plan for all incidents, from detection and containment to notification and assessment, with specific roles and responsibilities clearly defined.

“Regularly review response plans to integrate emerging threats and new best practices. Insure against financial risks with a stand-alone cyber policy or endorsement,” the report said.