SMEs are doubly at risk of losing to cyber crime

Trust and customer engagement go hand in hand

When it comes to cyber crime, small and medium-sized enterprises (SMEs) are doubly susceptible to be victimised. That’s because, in addition to the potential cost of being hit by hackers and other cyber criminals, they also risk losing the confidence of consumers, with 58% saying they would be less likely to use a company’s services if an incident happened, according to the Small Business Reputation and the Cyber Risk report.

Trust plays a major role at every step of the path to customer engagement, according to cxLoyalty’s report, The Connected Customer. Without it, there is less of a chance that a customer will consider a company favourably and make it further along the path to loyalty.

If this isn’t enough to convince SMEs they must invest in cyber security, they should consider the potential fines attached to the General Data Protection Regulation (GDPR), which becomes effective in May 2018, for those who don’t take steps to protect customer data.

Companies large and small are affected by growing cyber crime

In today’s connected world, no one is out of reach of hackers and other cyber criminals. Just last month, the WannaCry ransomware attack crippled the computers of 200,000 people in 150 countries. The effects disrupted the operations of thousands of large companies, banks, hospitals, universities, and many other organisations.

SMEs particularly vulnerable to cyber crime

While large organisations often make the headlines when it comes to cyber crime, SMEs are even more vulnerable according to many experts. In 2015, Symantec found that 75% of SMEs, compared to 35% of large companies, were the victims of SPEAR phishing attacks, which open the gate to ransomware in 97% of cases, according to another study.

The National Cyber Security Strategy for 2016-2021 estimates the average cost of breaches for small companies in 2016 was £3,100. The most serious attacks can cost as much as £310,800, a significant increase on the 2014 price tag of £115,000, according to the results of the Information Security Breaches Survey.

“SMEs are being viewed as a softer target by criminals, and are often a route to a ‘bigger prize’ if they are contracting with larger organisations, who may be harder to penetrate directly,” argues Stephen Ridley, acting head of technology, cyber and data for insurance company Hiscox.

In part, the problem is that many “small companies are not in a position to have a dedicated IT department, and many either outsource IT functions or assign duties to an employee with other responsibilities − often the owner him/herself,” explains Todd McCracken, President of the American National Small Business Association.

“Head in the sand” attitude could be deadly for SMEs

The fact that many SME owners have neither the knowledge nor the resources to ensure their company’s cyber security and that of their customers is worrying, but perhaps even more alarming is the fact that many others assume cyber crime is something that only affects larger businesses.

“Burying your head in the sand may save money in the short term, but the cost of hacking could range from minor inconvenience, reputation damage, loss of customer data, fines and ultimately company closure,” says Salford University digital business expert and lecturer, Alex Fenton.

The evidence presented in the Small Business Reputation and the Cyber Risk report clearly supports this and shows the potential ramifications of a cyber breach can be “huge and long-lasting” with 89% of victim SMEs reporting:

  • a 31% hit to their brand,
  • a 30% loss of clients, and
  • a reduction of 29% in their ability to win new business

SMEs are the backbone of the economy

SMEs are a major component of the EU28 economy, according to the 2016 Annual Report on European SMEs. In 2015:

  • There were almost 23 million SMEs in the EU’s 28 member states.
  • They generated €3.9 trillion in value added, which represents just under three-fifths of all EU28 value added outside of the financial business sector.
  • They employed 90 million people or two-thirds of all employment in the EU28.

The sheer number of SMEs and their impact on economies of the world, over coupled with the fact that they are increasingly embracing interconnected IT systems, makes their cyber vulnerability that much more of a global issue.

Loss of trust could spell trouble for SMEs

When a customer evaluates a provider, they “need to be satisfied by both the company and their relationship with it” in order to feel some engagement toward it, says The Connected Customer report. “They need to have full confidence in the company and believe that it is trustworthy.” In fact, the report shows that trust plays a major role at almost every step of a customer’s journey toward engagement and loyalty.

Being vulnerable to cyber attacks puts customer satisfaction and trust at risk since victims of cybercrime are much more likely to develop negative feelings toward a company that was unable to protect itself and its customers, according to research conducted by Opinium.

When consumers were asked to comment on recent high-profile cyber attacks,

  • 71% said they believed these events were damaging to the organisation’s reputation,
  • 65% argued it decreased their trust in the brand, and
  • 53% thought it would damper people’s engagement with the brand in the future.

This is echoed by the findings of Gemalto’s Data Breaches and Customer Loyalty Report, which shows that three-quarters of consumers believe “companies do not take the protection and security of their data very seriously” and 69% think it’s the company’s responsibility to protect it.

Being prepared

“Just like a fire drill, having a plan of action for responding to a cyber incident is crucial,” says ConnectOne Bank CEO, Frank Sorrentino. “Even more important, it should be practiced so that all your employees know exactly what to do in the event of a breach.”

Those who can afford to hire professionals should do so as they can help SMEs protect their data and online reputation. Protection suites can help SMEs’ concerns about cyber threats and offer solutions in the event of a breach, as well as help manage the fallout in a constructive manner, that minimises the loss of consumer trust.

Taking steps to prepare for potential cyber threats is a smart move for SMEs

For those who can’t afford the expense, there are a number of resources available.

The UK Government’s Cyber Essentials website includes a self-assessment questionnaire as well as documents that are free to download. SMEs can also apply to get accredited and receive a badge they can display to reassure customers and partners they take cyber security seriously.

At a minimum, SMEs should follow the three simple steps outlined by Cyber Streetwise:

  • Create a strong password by using three random words.
  • Make sure all their devices are protected by security software.
  • Always keep the software up-to-date.

Hefty fines for those who don’t take data protection seriously

On May 25, 2018 the General Data Protection Regulation (GDPR) will become effective. The GDPR is meant to harmonise data protection standards across the EU and for those who don’t heed the warning, penalties could be crippling according to the Payment Card Industry Security Standards Council (PCI SSC).

This means companies of all sizes “need to act now and start putting in place robust standards and procedures to counter the cybersecurity threat, or face the prospect of paying astronomical costs in regulatory fines and reputational harm to their brand,” says Jeremy King, international director at the PCI SSC.

In order to prepare for the GDPR, SMEs should:

  • Appoint a Data Processing Officer to ensure compliance.
  • Document their data processing procedure.
  • Examine their risk level and take appropriate measures to prevent data breaches.
  • Keep their customers in the loop by making them aware of the way their data is protected.

As SMEs’ activities are more and more intertwined with the online world, their risk of being attacked by cyber criminals also increases. Because they often lack the resources and knowledge to defend themselves, SMEs are particularly vulnerable to these types of attacks.

As a result, they run the risk of exposing their customers’ personal information leading to a loss of trust and reputation. In today’s world, being prepared against cyber crime is no longer an option. The consequences of ignoring the risk of cyber attacks are too great both in potential financial cost and loss of custom