Tens of thousands of UK SMEs could collapse following a serious cyber-incident which impacts their ability to trade, according to new research from Gallagher.
The insurance and risk management giant polled 1120 senior decision makers from UK firms with up to 250 employees, in order to better understand the cyber-threat.
It found that 1.4 million businesses were hit by major attacks last year, costing them a combined £8.8bn. Nearly a quarter (24%) of firms were affected by one of these “crisis” incidents — a 5% increase on the previous year.
Although the average cost of attacks to the affected business was around £6400, 17% of responding SMEs said they were forced to spend £10,000 or more, while nearly one in 10 (9%) paid out in excess of £20,000.
However, the impact of an attack could be far more serious than being forced to pay a few thousand pounds in related costs.
A quarter of SMEs (23%) told Gallagher they’d survive for less than a month if a crisis meant they were unable to trade. The insurer estimated that 57,000 UK SMEs could be at risk of collapse this year if hit by such an attack.
Paul Bassett, managing director of crisis management at Gallagher, argued that the heavily service-oriented UK economy, where 99% of private sector firms are SMEs, is dangerously exposed to cyber-attacks and data breaches.
“Alongside regularly reviewing their crisis preparedness, response plans and forms of protection, such as insurance, it is critical UK SMEs also assess their ability to survive in the event of a major crisis incident when the risk of serious disruption and protracted recovery process is very real,” he added.
“The cost of a crisis is by no means the only consideration. Duration is key — especially with a quarter of UK SMEs admitting they could survive for less than a month if unable to trade following an incident. For companies with tight margins and limited working capital, even a relatively short-term denial of access to premises or systems paralysis could be a crippling, possibly fatal, blow.”
Alongside thoroughly tested incident response plans, small businesses need access to emergency funds, 24/7 crisis response consultants, post-incident counselling and business recovery advice, Bassett claimed.
The most common type of “crisis” experienced by UK SMEs last year was cyber-attack, data breach or cyber-extortion incident, accounting for 15% of all events.
A report from insurer Hiscox earlier this year revealed a sharp increase in reported cyber-attacks year-on-year among small firms (from 33% to 47%) and medium-sized businesses (36% to 63%) across Europe and the US.