SMEs cyber security exposed

06 June 2017

Despite the rise in both awareness and incidents, many small-to-medium sized enterprises (SMEs) are still not addressing cyber in their risk management strategy.

A survey published in April from the UK Department for Culture, Media & Sport has shown that many SMEs are still not taking basic steps to deal with the threat of a cyber attack, despite an increasing reliance on the digital economy.

The Cyber Security Breaches Survey 2017 of over 1,500 companies, almost all of which were SME firms, found that all are exposed to cyber security risks in some way. It also found that these exposures are rising, with a growing reliance on cloud services and an increase in firms holding personal data electronically.

SME’s can suffer significant financial loss from a cyber attack that impacts a critical operating system or that results in the loss of sensitive information. An insurer partner of JLT has handled many cyber claims from SMEs, ranging from a UK retailer that incurred costs of almost GBP 500,000 following a payment card data breach, to a small hotel that spent GBP 15,000 dealing with a ransomware attack. 

Despite this growing reliance on digital services, the survey found that a sizable proportion of businesses still do not have basic cyber protections or have not formalised their approaches to cyber security.

For example, only a third have a formal policy that covers cyber security risks, or document these risks in business continuity plans, internal audits or risk registers. Only one in ten have a cyber security incident management plan in place.

Slow progress

The survey findings suggest that UK business has yet to make significant progress on improving cyber security, and many lack the resources to protect their business or respond to a cyber attack.

Although 74% of UK businesses say that cyber security is a high priority for their senior management, just 43% have yet to even attempt to identify cyber security risks to their organisation. Only 58% have sought information, advice or guidance on cyber security while only half of the firms surveyed comply with the government’s Cyber Essentials scheme.

This is despite the fact that almost half of those surveyed had experienced at least one cyber security breach or attack in the past year. The most common types of breaches were related to staff receiving fraudulent emails (in 72% of cases), followed by viruses, spyware and malware (33% of cases), people impersonating the organisation in emails or online (27% of cases) and ransomware (17% of cases).

Cyber insurance

The report found that 38% of respondents purchased cyber insurance, although uptake was more prevalent among mid-sized firms. However, the real proportion is probably much lower because many businesses wrongly assume they are covered for breaches under their traditional insurance policies.

The survey also shows there are very disparate levels of awareness around cyber insurance, while smaller businesses tend not to be aware of it at all, the report found.

Smaller companies are more likely to benefit from standalone cyber insurance, as they have limited resource and expertise when it comes to cyber security. Standalone cyber insurance puts SMEs on the front foot, providing automatic outsourcing of incident response, while the process of purchasing cyber insurance gives a sense check of cyber preparedness.

We have put together a cyber insurance facility tailored to the needs of SMEs. Backed by leading insurers, the facility offers broad cover to address key risks faced by SMEs at competitive premiums.

In addition to covering the costs of a breach response, the cover also gives SMEs access to an established panel of cyber security, legal and crisis management consultants.

Download Cyber Decoder

For further information, please contact Sarah Stephens, Head of Cyber, Content and New Technology Risks on



Find out more

Read our Cyber Risks & Insurance Insights

Read more

Receive our monthly cyber risk newsletter