Opinion

The digital front door most SMEs are leaving wide open

Steve Fox of KYND makes the case for cyber insurance
By Steve Fox

Right now, most businesses are not asking any questions about the suitability of their cyber cover. These questions are quite rightly left with their insurance broker to answer.

But the more fundamental issue is that most SMEs don't buy cyber insurance at all.

This is despite our recent research finding that nearly a third of UK SMEs lack basic email security protections, while more than half are running outdated software – precisely the kind of weaknesses cyber criminals routinely exploit.

It's probably useful to think of cyber insurance in the context of a cover more widely purchased – let's go with home insurance. So whilst there are very few people who would think that not insuring their house was fine, cyber is viewed as something that's “out there”. People think: it won't happen to me.

In the context of home insurance (thankfully, most of us never have to make any large household insurance claims), we still buy the cover to protect that value that we've worked so hard to amass.

The question which businesses should be asking themselves is: does my IT add or hold any value worth protecting, and how would I cope without my IT and everything contained within it: customer records, payments, bookings, plans, inventory, IP, technical information, product plans and specifications, trade secrets, employee records, accounts, client data… the list goes on.

If a business can confidently say they would trade as normal without their IT, with zero loss of profit or productivity, I would agree that they don't need cyber insurance. But how many companies ever answered the question on a cyber insurance proposal in relation to backups with: “We don't need backups – we have everything recorded on paper”?

So back to the house again. Very few of us go out and leave our doors and windows open, which any local thief could take advantage of. Now think about the possibility of not just your local thieves, but any thief anywhere in the world, being able to see you've left your door open. If there are vulnerabilities within your IT infrastructure, that's exactly what is happening.

Our research found thousands of UK SMEs have exposed file-sharing services and remote access systems – effectively, digital doors being left open for opportunistic attackers.

As with all crime, some of it is undoubtedly targeted. The vast majority is not, though, so cyber criminals will see the open door and walk right through it. The cyber-criminal is looking for opportunities, not companies or individuals, and this is being carried out on a massive scale. The cyber-thief will go in and have a look around to work out if there is any money to be made.

So let's imagine that cyber-criminal is in your digital house, stealing your stuff, disrupting your systems, or just resorting to good old-fashioned blackmail. Who are you going to call?

As important as the financial backup of a cyber insurance policy is (and specialist cyber services don't come cheap), these policies also come with a raft of experts ready and waiting to assist in the event of the worst happening. Just as, at the outset of a home insurance policy, insurers ask what locks and alarms you have, cyber insurers are doing the same checks, digitally, to see if they would like to insure you and help protect these valuable assets.

Many companies use the services of one of the many MSPs out there, who are no doubt doing a great job, but who pays for specialist computer forensics, ongoing credit monitoring, and loss of profits due to a cyber-attack?

For many SMEs, cyber insurance still feels expensive, complicated or unnecessary, particularly when margins are tight and costs are rising – from diesel to increasing business rates – and attacks are seen as a problem for larger enterprises.

For all businesses, the question worth starting with is a simpler one: would my business survive a cyber-attack without insurance?

There are a couple of recent examples of small businesses from an insurer which illustrate the impact an attack could have. One was a bike shop that had their online store shut down for six hours by a DDoS attack (where attackers try to disrupt a website or network by overwhelming it with fake internet traffic). It doesn’t sound too bad at first glance, but the bill – across business interruption, IT recovery and PR – came to around £100,000. The other was an engineering firm hit by ransomware which saw production halted for five days, adding up to £350,000 in losses.

In both cases, the attack would have remained the same whether they were insured or not. All that would change is who paid the bill and the support that was available. Arguably these claims could have cost them a lot more if the right expertise was not deployed quickly.

When it comes to cyber insurance, ultimately, the basic principles which businesses need to consider remain: does it have value, and is it worth protecting?

Written by Steve Fox
June 11, 2026