
SMEs in the cross-hairs

03 October 2016 | Magazine Archives FAnews & FAnuus | Short Term | Roxanne Griffiths, AIG Africa

Far too many owners of small and medium-sized enterprises (SMEs) believe they are not a target for cyber crime, a belief that could have an unexpected negative impact on their businesses in the long term.

Cyber crime is one of the hottest topics in the insurance industry, particularly as the Protection of Personal Information (POPI) Act heads towards full implementation.

Far from the truth

Of concern is that many SMEs believe that they are unlikely to attract the attention of cyber criminals.

In fact, SMEs are increasingly being targeted by these criminals, and are also vulnerable to cyber crime committed by their own employees.

The risk exists for all companies, not just large corporates. Figures from the United Kingdom’s Federation of Small Businesses showed that 41% of British SMEs suffered from cyber crime in 2014. No figures exist for South Africa, but they could be similar.

Business parameters tested

One reason for cyber criminals’ increasing focus on SMEs is the fact that they may have less protection than the big corporates, who have the resources to hire security specialists and use state-of-the-art security software. As the bigger companies become more difficult to breach, SMEs seem doubly attractive.

Also, as the lines between work and play increasingly blur, people are using their personal devices for work. In general, smartphone and tablet users simply do not take the same security precautions that they do on their PCs.

Often users do not utilise basic precautions such as passwords or regular file backups, and critically, few people use mobile security software or even know that it exists.

This means that company business is being done outside of the corporate systems on personal devices with limited security.

Another important fact to note is that cyber attacks do not only come from outside the company. Disgruntled employees can cause untold damage by stealing data, or making use of their intimate knowledge of system passwords and architecture.

It is not uncommon for an employee’s security practices to put the company’s data at risk. Simply sending an email to the wrong person could compromise client information, and many people use the same password for everything, or leave records of their passwords on slips of paper in desk drawers, or in unencrypted digital files.

Managing the crisis

For a company, having a security policy does not go nearly far enough: often employees have not properly read it or fully understood it. It is important for every company to take proactive steps like automatic encryption of sensitive information so that even if there is a breach, the data is protected.

It is important to remember that if cyber crime occurs, compliance with POPI will save a company from some of the liability, but there are many other costs that will be incurred. These, for example, include the cost of notifying stakeholders, recovering lost data and limiting reputational damage - not to forget the civil suits initiated by those affected.

Though the intention is to avoid a breach, having the right insurance policy will ensure clients have much-needed expertise to manage the crisis just when it is needed. No business, large or small, can afford to take the threat of cyber crime lightly, and SMEs are as likely to be targeted as the bigger corporates they work next to.
