Small and midsize businesses (SMBs) are spending billions on what they believe is cybersecurity, but the systems are all too often not fit for purpose, and many are using insurance in an effort to plug the gaps.
Research by the consultancy firm Analysys Mason found that SMBs are estimated to have spent $57 billion on cybersecurity in 2020 alone, a figure that is expected to hit $90 billion in 2025.
However, one in three companies in this range are using subpar cybersecurity tools or none at all. The study indicates that one in five companies have no endpoint security at all, while 43% don’t have a cybersecurity defense strategy in place.
The research follows a survey carried out by insurer Hiscox, which revealed that small businesses in the US had lost an average of $25,000 per cyber incident, with 23% of surveyed companies having suffered an attack in the last 12 months. The situation looks to be similar in the UK: a poll by Vodafone revealed that 1.3 million SMBs would collapse if successfully attacked.
To counter the threat, some businesses opt for cyber insurance, which covers the expenses if the insured business suffers a cyber attack. The numbers reflect that too – according to Global Data, the global market for the cyber insurance industry will more than double by 2025 to exceed $20 billion.
However, cyber liability insurance is not a replacement for having a comprehensive cybersecurity strategy in place, said Algirdas Sakys, Information Security Manager at NordVPN Teams. “For small businesses, preventive cybersecurity measures like making periodic backups, using a network-wide firewall, managing network access privileges, or simply providing basic cybersecurity training for personnel should be a no-brainer,” he said. “Regrettably, too many companies underestimate existing cyber threats and pay a steep price for it. Sure, cyber insurance might soften the blow but counting on that while putting their entire businesses in jeopardy is not a sustainable long-term strategy.”
Sakys warned that many SMBs overestimate the money-saving benefits of cyber insurance. “Those wishing to save money by ignoring cybersecurity and opting in for an insurance policy will not get what they bargain for,” he added. “Don’t get me wrong – having a cyber insurance policy is better than not having it. But companies hoping to save by underinvesting in cybersecurity only to hedge it with insurance won’t get what they desire. In reality, the weaker the cybersecurity framework is, the costlier the insurance. There is no way around the fact that every company needs robust cybersecurity protocols in place.”
According to ENISA, the European Union Agency for Cybersecurity, the five most common cyber incidents suffered by SMBs are phishing, web-based attacks, general malware, malicious insiders, and denial of service.
Small businesses have become more vulnerable to these threats with the pandemic-related shift to remote work.
“The rush in which SMBs had to adapt to remote work certainly left many cybersecurity blindspots unchecked,” explained Sakys. “Now, we see a steady upsurge in small businesses investing in the protection of their digital assets, but too many organisations remain in the red zone when it comes to cybersecurity.”