
Cybersecurity best practices for SMEs

A relatively low level of cyber resilience can make your firm an attractive target for cyber criminals. Lockton recommends implementing robust cyber risk management measures, supplemented with cyber insurance, to help mitigate the risk of falling prey to a cyberattack.

Lockton

Small-to-medium sized businesses (SMEs) are an attractive target for cyber criminals seeking to exploit their relatively weak cybersecurity systems. Despite this, many SMEs are unaware of the scale of the threat, which can pose an existential challenge to business operations.

Fortunately, implementing robust cyber risk management measures, supplemented with cyber insurance, can help SMEs to mitigate risks and become more resilient.

Why cyber criminals target SMEs

Cyberattacks remain a common threat to businesses. According to the most recent Cyber Breaches Survey, half of all UK businesses experienced a cyberattack in 2024.

SMEs’ relatively low level of cyber resilience makes them an attractive target for cyber criminals. Unlike larger organisations, SMEs may deploy fewer resources to cyber security, and they may lack in-house cybersecurity expertise. Research from the Association for British Insurers (ABI) has also found that SMEs may be unfamiliar with the nature and complexity of cyber risks or fail to understand the associated jargon.

Many SMEs also play an important role in the wider supply chain — for instance, as a supplier to multiple larger and smaller organisations. Because their cybersecurity is likely to be weaker than the organisations to which they provide services, criminals proactively target SMEs with the intention to cause significant knock-on disruption and losses. This form of attack is becoming more common: an estimated 97% of FTSE 100 businesses suffered a third-party cyberattack in the last year, according to a report from Security Scorecard.

The impact of cyber crime

SMEs are exposed to a disproportionate risk from existential threats arising from a cyberattack: one relatively minor incident can put them out of business. According to Hiscox’s 2024 Cyber Readiness Report, 60% of small businesses suffering a breach or successful attack go out of business within six months.

Even where businesses remain operational after an attack, the impact of a cyber breach is likely to be severe. For their size, SMEs may also hold a relatively high volume of customer, employee and supplier data, as well as other forms of valuable or sensitive information. The financial and reputational cost of a breach is, therefore, likely to far outweigh the initial cost of investing to fortify the digital perimeter of an SME.

SMEs also face a higher cost per employee when compared to attacks on larger organisations. This is due to their lack of specialist staff, prepared crisis plans, and access to dedicated breach technology.

How SMEs can build cyber resilience

Amid the growing cyber threat, robust cybersecurity investments are no longer a luxury for SMEs, but a strategic necessity. Building cyber resilience is essential to ensure business continuity and avoid financial and reputational damage, operational disruption, and harm to employees and customers.

The ABI report proposes nine key strategies to improve SME cyber hygiene:

1. Keep software and systems updated

2. Back up data on a regular basis

3. Educate staff on cybersecurity

4. Implement strong password policies (including multi-factor authentication)

5. Install and maintain properly configured firewalls and antivirus software

6. Actively manage user access and use encryption

7. Implement monitoring and controls on device storage, app downloads, public Wi-Fi and USBs

8. Plan for incidents and test plans

9. Manage supply chains with cyber security in mind

There is no one-size-fits-all approach to cyber security. However, the controls above provide a baseline set of standards and are widely regarded as good business practice to have in place.

The role of cyber insurance

While effective, no amount of preparedness can completely rule out a cyberattack. Cyber insurance complements risk mitigation, helping businesses to further reduce and alleviate the impact of a cyberattack.

A comprehensive cyber insurance policy typically includes two components:

  • First-party coverage — to cover the costs of investigating and recovering from a cyber incident.
  • Third-party coverage — to cover any claims made against the business by third parties, including costs and expenses (including legal fees).

That’s not all. Cyber insurance also includes access to a suite of services, which are available throughout the duration of the policy, including:

  • Breach response to assist in the immediate aftermath of a cyber event. This can help to minimise the damage caused by a cyberattack and get back up and running as quickly as possible.
  • PR support to manage reputational harm, minimise long-term damage, and preserve client relationships.
  • Management guidance for investing in effective cybersecurity controls.

For more information about cyber resilience, and how cyber insurance can protect your business against cyberattacks, reach out to a member of our team.
