What should SMEs do as they become ‘cyber uninsurable?

According to a survey by Markel, over half of SME respondents fell victim to a cybersecurity breach in late 2021.

Data protection is a crucial aspect that must be considered in a digital-first world where all our personal and professional data is stored online. Despite efforts to encourage businesses to prioritize data protection through cyber insurance, many small-to-medium-sized enterprises (SMEs) still need to be insured. Unfortunately, the common misconception that SMEs are not targeted and are safe from threats is far from the truth.  

The rise in hybrid working and limited in-house expertise has made SMEs increasingly vulnerable to cyberattacks.

In July 2022, a new type of ransomware attack called ‘BazarCall’ targeted SMEs and was reported by  Managing General Agent, CFC Underwriting. Over three months, these attacks accounted for 10 percent of malware  incidences in its portfolio. 

Veeam’s 2023 Data Protection Report revealed that cyberattacks caused the most impactful outages for organizations in 2020, 2021, and 2022, and 85 percent of organizations were attacked at least once in the past 12  months. This suggests that ransomware still wins despite advanced digitalization, increased awareness, and preparedness.  

What makes SMEs vulnerable to cyberattacks? 

Businesses of all sizes are vulnerable to cyberattacks, but SMEs are particularly vulnerable due to inadequate data security measures. More often than not, SMEs have limited budgets for cyber protection. A report by the CyberPeace  Foundation found that the absence of hi-tech monitoring systems in SMEs essentially lures cyber criminals to force entry into their systems since their actions can’t be detected. The report also mentioned how security gaps, such as not backing up important data and inadequate cybersecurity policies, can lead to cyberattacks.  

Given the business scale, SMEs are often more focused on bolstering their business strategies to compete with the industry giants. SMEs may forego investing in proper cybersecurity solutions, including data backup and insurance, because they believe only large-scale organizations are at a greater risk of cyberattack.  As a result, cybersecurity planning often takes a back seat. 

Another primary reason SMEs don’t invest in cyber insurance is the lack of technical experts to integrate essential security measures and the rising costs of purchasing a policy. A Global Data survey conducted in 2021 suggests that approximately 29 percent of SMEs canceled their cyber insurance to curtail costs.  

SMEs are encouraged to emphasize their cyber security budgets because the more they depend on technology for work, the more vulnerable their businesses become to cyber threats. Deloitte’s Cyber Insurance  Report found that 63% of mid-sized firms reported cyberattacks in 2019, compared to 36% in 2018. If insurance is out of the question due to a small budget, taking other precautions, such as buying cybersecurity solutions and backing up data, can help. 

The way forward for SMEs  

Organizations need to maintain basic digital hygiene practices. All enterprises need a dedicated IT security lead with access to business leaders and authority to direct the security initiative. Smaller businesses need to allocate resources with responsibility for cybersecurity and specialize in data protection, whether in-house or outsourced. They should also implement antivirus software, a strong firewall and ensure employees are well-versed in identifying suspicious links to avoid clicking ransomware.  

Finally, SMEs must consider one fundamental cyber security component— data backup with air-gapped protection. Organizations must ensure complete protection of their data systems with Backup and Data  Recovery across all forms of storage. Veeam advocates the 3-2-1-1-0 backup rule. There should always be at least three copies of important data, on at least two different types of media, with at least one off-site and one offline, with zero unverified backups or backups with errors. According to the Veeam 2023 DPR report, the most crucial aspect organizations are looking for in a Modern Data Protection solution is the “integration of data protection within a cyber preparedness strategy.” 

Even simple exercises like regular risk assessments and penetration testing to evaluate the system’s security can help prevent cyber perils. Hence, SMEs who cannot afford expensive cyber insurance can still implement these cost-effective practices to protect their organization’s data. The more SMEs buy into the need for good digital hygiene, the more alert they become. Safeguarding data along with regulating your cyber policies should be made mandatory.  Cyberattacks are real, and measures to prevent them should not be neglected, irrespective of the scale of your business.  

The authors are Dave Russell, Vice President of Enterprise Strategy, Veeam, and Rick Vanover, Senior Director of Product Strategy, Veeam. 

Image Source: Freepik


Add new comment