UK SMEs are under prepared to respond to a crisis scenario, despite their awareness that security threats are rising and 44% expecting to face some form of attack in the near future. This is the key finding of research commissioned by Arthur J. Gallagher that focused on evaluating business resilience.
Understanding security risks: how SMEs can build a culture of resilience revealed that 43% of respondents admitted to having no contingency plans for a crisis or not knowing what those plans were. Furthermore, only 30% have insurance in place that would respond to a security crisis - such as terrorism, cyber extortion, sabotage, product tamper or emergency repatriation - with a further 40% not knowing if they have insurance cover or not.
The research also highlighted a very clear gap in perception between the threats SMEs face and their level of preparedness. More than two thirds (68%) of SMEs questioned believe they are resilient and well-equipped to deal with a security crisis despite their planning and insurance protection levels showing otherwise.
There is, however, a widespread understanding that threat levels are growing, with one in five (19%) UK SMEs having faced an external security threat in the past two years while more than double that number (44%) believes they could face a threat in the coming 12 to 18 months. More than a quarter (27%) of those asked said they specifically expect to suffer cyber extortion in the near future.
When comparing responses between SME leaders and those of larger organizations, the research clearly showed that many SMEs feel they are too small to be targeted, with only 17% having tried to assess their exposure. But the nature and effect of today’s low frequency high impact security threats - such as terrorism and cyber extortion - is often non-targeted. Large security cordons, for example, prevent access to premises, while mass ransomware attacks mean smaller firms are often more vulnerable than large organizations.
Small businesses are not exempt from the disruptions that all organizations face, and the latest Horizon Scan Report published by the Business Continuity Institute highlights that organizations of all sizes generally share the same concerns.
Paul Bassett, Managing Director of Gallagher’s Crisis Management practice, said: “It is vital for SMEs to build a culture of crisis resilience. Their growing awareness of an overall increase in security threats needs to be matched by actions that will help them mitigate and manage their own vulnerability to those risks. Our research shows education is key; clearly, there is a disconnect between the current level of planning by SMEs and how resilient they believe themselves to be, creating a false sense of security.
“Many evidently feel they are too small to be targeted but today’s fast-evolving security threats are often not targeted at any particular company or industry. Exposure to the risk of non-damage business interruption - where no physical loss has been suffered but you aren’t able to trade - is a particular area of concern. That could be experienced because of proximity to a terrorist incident or an indiscriminate cyber extortion attack, for example.”