More than 80% of SMEs don’t see cyber attacks or data loss as a significant risk to their business

A new poll on SMEs and micro businesses has come up with some very worrying stats when it comes to cyber insurance.

Over half of the 1000+ companies polled by Aon said they are confused by or are unaware of the rules of GDPR, while more than 80% don’t see cyber attacks or data loss as a significant risk to their business.

These results come after research from Hiscox says that UK SMEs are subject to 65,000 cyber attack attempts daily, and a National Cyber Security Programme survey showed that nearly half of UK businesses experienced at least one cyber security breach or attack in 2017.

Of these, 66% of SMEs and 45% of micro businesses were shown to be victims.

Chris Mallett, Broking Manager for Aon who commissioned the recent poll, said the attitude of these businesses is “worrying” as he said that one in five ”have no plans to invest in it (cyber insurance) in the coming year.”


However, Dr Emma Philpott from the UK Cyber Security Forum, said GDPR has caused companies to focus on this issue. But the concern is this was for too many a short-lived effect.

She said: “As soon as the deadline for GDPR passed too many thought that was job done and that’s where their responsibility ended.” 

“The big data breaches in the press help to raise awareness but they can also cause data breach fatigue; a sense that the time, cost and high-end security to tackle this is complicated and overwhelming.”

She added: “There is a lot of misunderstanding of risks, and still a worry among SMEs that it must be complicated. It is not always about high end security. It’s about having the basics in place to protect you from indiscriminate attacks. Educating staff takes time but doesn’t cost anything at all.”


Mallett says the ’bring your own device’ culture where employees are encourage to use their own device for work purposes ”can expose companies to the increased risk of a cyber security breach if data is not properly encrypted and controlled.”

The poll revealed that a quarter of SMEs encourage this culture.

“What’s more, it revealed one in three don’t see personal information stolen as a result of cyber attack or fraud as a data breach, with the same number admitting they’re unaware of the time limit on reporting such a loss, exposing their companies to the risk of huge fines,” says Mallett. 

Philpott says awareness is the biggest issue with facing this potential problem.

She said:“I don’t think companies realise how awful the impact of a breach can be or the amount that actually has to be done” says Dr Philpott. “It involves everything from mandatory reporting to keeping affected customers or clients informed. It can leave those clients fearful and cause reputational damage. It’s not just about replacing laptops or paying a fine.”

Easy ways to take action

Mallett outlined easy ways to ensure you are as secure as you possibly can.

They are:

  • Install anti-virus software or check existing software is up to date on all employees’ computers and laptops (or any device they use for work). It is one of the simplest ways to prevent employees downloading potentially harmful malware that could lead to a data breach. And ask your IT team to check firewall settings.
  • Check how suppliers handle data and that their processes comply with GDPR. It’s essential to identify and address risks in your supply chain. Document process and results.
  • Have simple, clear policies in place to create a cyber-conscious culture in the workplace (everything from password rules and backing up work to use of WhatsApp groups and what data employees can keep on their computers).
  • Be aware what your obligations are if a breach happens (and make employees aware too, to avoid a breach not being escalated correctly).
  • Check on what your PII or business insurance covers and consider cyber insurance. This can cover the cost of responding to a breach, as well as damages, and also give you access to specialist support ensuring the breach will be dealt with in line with GDPR requirements. Make sure any cyber insurance comes with a pre-approved panel of providers who are immediately available in the event of a breach.