Cyber-attacks, data breaches and cyber extortions accounted for 15% of all ’crisis’ events 

UK SMEs paid out an average of £6,416.50 last year to deal with “crisis incidents,” with a combined business cost of £8.8bn in 2018 alone.

These “crisis incidents” include cyber-attacks, extortion, industrial espionage and terrorism.

This is according to research by Gallagher, whose poll of 1,120 UK SMEs revealed that nearly a quarter (24%) confirmed that they were affected by a crisis event last year. This equates to approximately 1.4m SMEs across the country.

Paul Bassett, managing director of crisis management at Gallagher, said: “Our research illustrates the scale of the challenge facing UK SMEs. When it comes to crises, cyber and IT security clearly represent a “soft underbelly” of businesses that together account for more than 99% of private sector firms.

“Given that the UK economy is heavily tilted towards services, cyber-attacks and data breaches evidently present a growing and grave threat to small and medium-sized businesses.”

But the most prevalent crisis incident experienced by UK SMEs last year was a cyber-attack, data breach or cyber extortion incident, which accounted for 15% of all events.

It follows the ABI calling for claims data from cyber breaches to be made publicly available as payouts reached 99%

Fatal blow

The poll found a quarter of SMEs (23%) said they would survive for less than a month if rendered unable to trade by a crisis incident.

Gallagher said that based on the findings it estimates that nearly 57,000 UK SMEs could be at risk of collapse this year if unable to trade in the aftermath of such an incident.

Bassett added that in this instance “duration is key”.

He explained: “Alongside regularly reviewing their crisis preparedness, response plans and forms of protection, such as insurance, it is critical UK SMEs also assess their ability to survive in the event of a major crisis incident when the risk of serious disruption and protracted recovery process is very real.”

Stressing that the cost of a crisis is by no means the only consideration, he said: “For companies with tight margins and limited working capital, even a relatively short-term denial of access to premises or systems paralysis could be a crippling, possibly fatal, blow.

“We urge all businesses to ensure they have the crisis cover and plans in place to strengthen their ability to anticipate, prevent, respond and recover from a major security incident —but also have access to emergency funds, 24/7 crisis response consultants, post-incident counselling and business recovery advice, in order to stay solvent and help them and their people recover quickly.”

Cyber-attacks on agenda

Cyber-attacks, data breaches and cyber extortion represent areas of greatest concern for companies in 2019.

The financial services sector sustained the highest number of attacks by a significant margin. More than a quarter (27%) of financial services SMEs surveys were hit by this form of crisis last year.

Half (50%) of UK SMEs are most concerned about a cyber crisis taking place this year. Denial of access and business interruption was the second most concerning area, with one in 10 (11%) citing this as a major risk.

Tom Draper, cyber practice leader at Gallagher, said: “The prevalence of cyber-attacks against UK SMEs has reached a tipping point – companies ignore these risks at their own peril. Ransomware has become relatively commonplace and pay outs to demands are often met simply in order to resume trading.

“Failure to comply can result in a crippling period of business interruption, which in many cases, leads to businesses collapsing.

“Data breaches leading to compromised customer data are also proving a major issue for small businesses.

“Such incidents are damaging in themselves, due to possible cyber fraud and the significant reputational fallout from having to inform customers of a data breach, but SMEs may also find themselves facing significant fines under GDPR.”

Draper concluded that the best way to survive is the aftermath of a cyber incident is to plan ahead.

The research was based on quantitative online surveys run by YouGov on behalf of Gallagher between 2 and 18 January 2019. It looked at the views of 1,120 senior decision makers from SMEs.