SMEs’ cyber risk awareness on the rise: Zurich study

Cyber risk awareness among small- and medium-sized enterprises (SMEs) is on the rise, according to Zurich Insurance Group’s fourth annual global SME survey.

The survey found that just 10% of SMEs said that they were too small to be at risk of falling victim to cyber crime, compared with 17% of those that though they were too insignificant to attract the attention of cyber criminals in 2015.

The survey was carried out by the global research company GfK, Zurich noted in a press release on Wednesday. The leaders of 2,600 SMEs (up to 250 full-time employees) around the world were asked questions on the cyber crime-related risks facing their businesses. A representative sample of 200 CEO/owners, general managers, chief financial officers/treasurers and chief operating officers/head of operations from each of the following 13 countries were included: Australia, Austria, Brazil, Germany, Hong Kong, Ireland, Italy, Mexico, Portugal, Spain, Switzerland, Turkey and the United States.

According to the survey, theft of customer data (27%) and reputational damage (20%) were seen as the most significant cyber crime risks for SMEs.

Other findings included:

• Only 5% of SMEs are confident they have sufficient and up-to-date IT measures in place to protect against cyber crime versus 8% in 2015;
• Additional risks such as theft of money/savings (15%), business disruption (15%) and malicious identity appropriation (12%) are seen as potentially being the most harmful consequences of cyber crime;
• The two fastest-growing cyber crime concerns were reputational damage and theft of money/savings. Both rose 4% each, to 20% and 15%, respectively, compared with the results of the 2015 survey;
• The percentage of SMEs that view their business as sufficiently protected by up-to-date software fell to less than 5% from 8% in the past survey.

“With the number of high profile cybersecurity breaches in the media over the last year, it is not surprising that the risk awareness amongst SMEs has grown significantly, yet alarming that the vast majority of SMEs do not have the appropriate cyber crime protection measures in place,” said Lori Bailey, global head of Special Lines at Zurich, in the release. “The dramatic technological transformations that are happening to enterprises, infrastructures and systems globally are resetting the traditional expectations of risk management and its approaches across companies of all sizes. To effectively tackle cyber crime and improve business resilience, further joint efforts will be needed between governments, service providers and businesses.”

The latest survey also revealed significant regional differences in attitudes to cyber crime risks and their impacts.

For example, cyber theft of information and earnings dominated U.S. SMEs’ concerns. Small companies in particular dread the theft of customer data (23%) and money/savings (21%). While concerns over reputation damage as a result of cyber crime increased from 10% to 15%, of the regions surveyed, SMEs in the U.S. still remain the least concerned about this issue. At the same time, worries over malicious use of identity dropped from 16% to 12% year-on-year, Zurich reported in the release.

In Latin America, concerns about reputational damage related to cyber crime were on the rise, up to 23% from 19% in 2015. Interestingly, the survey revealed that the fastest-growing concern in that region is related to the potential risk of third-party lawsuits related to cyber crime, which tripled year-on-year (6% in 2016 versus 2% in 2015). One reason for concern is that 6% of enterprises still believe they have fully-functioning cyber protection measures in place, but the percentage of those that think this way nearly halved compared with 2016, the release said. Still 10% of Latin American SMEs haven’t thought about cyber risk and currently have no opinion on it, according to the survey.

In Europe, the potential harm to reputation as a consequence of a cyberattack as the main worry has risen to third place on the list of concerns, up from sixth in 2015; 16% of European SMEs identified this as a concern. Leading concerns among European SMEs were theft of customer data and reputation damage (26% and 16% respectively), in line with the global trend. In addition, 17% of SMEs in Europe were also worried about business disruption that could result from a cyber attack.

SMEs in the Asia Pacific region (APAC) are the most worried about potential reputational damage – 32% named it as the main potential risk to their business related to cyber crime, according to the study. The same percentage of SMEs are worried about potential theft of their customers’ data. “It is remarkable to note that SMEs in APAC surveyed showed a more than doubling in 2016 from 2015 when it comes to concern about theft of money/savings, malicious use of identity and business disruption,” the release concluded. “In 2016, 10% of SMEs in the region believed they were too small to become a target of a hacker attack. But those SMEs thinking this way have more than halved compared to 23% in 2015.”