Three-quarters of UK small businesses have not set aside any budget to deal with the aftermath of a cyber attack and even those that have underestimate the potential costs.
A new report by PolicyBee, The Business of Cyber Recovery, reveals that most small businesses in the UK are not prepared for the financial costs of dealing with a cyber attack. The average cost, it says, is £26,000 per small business.
Of 500 small businesses polled, just 19% have put aside budget to deal with the repercussions of a cyber attack. Of those that have ring-fenced some funds, many are too IT-focused and have not considered the impact on other areas of their business, according to the report.
Businesses are aware that they may need to replace software and hardware after an attack; however there are a host of other potential costs that they are less aware of, including:
- Hiring a legal expert;
- The cost of being sued by a customer for loss of their data;
- Hiring a PR or social media expert to manage reputational damage;
- The cost of being fined by a regulator;
- The loss of earnings during the attack;
- The cost of extortion or being held to ransom.
Sarah Adams, cyber insurance expert, who commissioned the study for PolicyBee, said: "SMEs really need to get past this mental barrier that cyber attacks can be fixed in the server room - they can't. It takes a whole business to plan ahead, practise for and react to a cyber issue, if you want to come through it unscathed.
"Cyber attacks are not just an IT problem as they could impact sales, customer relations, reputation and a business's bottom line - especially if there are legal ramifications or regulator fines."
The survey also shows that in the event of a cyber attack, a third of SMEs believe they'll be able to pass the associated costs on to their third-party IT support provider.
"It is almost impossible to entirely defend a business against a tenacious cyber attack, and most IT experts will have wording to that effect built into their contracts," said Adams. "And in the event of an attack, most SMEs will be focused on getting their business back on its feet - their priority will certainly not be suing their IT firm."