The majority of small businesses fail to respond to cyber-attacks

A report compiled by the insurance provider Hiscox has revealed that whilst almost half of small businesses in the US have been struck by a cyber-attack in the last year; only 35% responded in some way. 1,000 US companies were questioned, and the results proved troubling.


The report found that just over half of small businesses, 52% to be exact, had a clearly defined cyber-attack response strategy in place, with the remaining 48% claiming to have none. Only 32% had carried out phishing exercises to assess risk and employee response. Despite this unpreparedness, two-thirds of the companies surveyed ranked the risk of cyber-attacks among their top concerns.


Small businesses particularly at risk


Compared to their larger counterparts, it appears that small businesses are far more vulnerable to both cyber incidents themselves and the effects they can have. Hiscox found that only 21% of small businesses have a dedicated cyber insurance policy in place, whereas 58% of large firms do. Only 16% of the small businesses surveyed said they felt ‘very confident’ in their readiness to deal with cybersecurity threats.


Since 65% of these small businesses made no changes following an attack, repeated incidents emerged as an issue. Of the 47% of small businesses which have fallen victim to a cyber-attack in the last year, 44% have undergone two, three, or four.


The Cost of a Cyber-Attack


Cyber-attacks can be a stressful and nerve-wracking experience for employers and employees alike, but the financial cost can be just as great as the emotional one. The average cybersecurity incident will cost a small to medium-sized business $34,604. For larger organisations, the cost is significantly higher – $1.05 million per attack. Alongside these initial costs, hacking incidents can damage a brand’s reputation, causing them to lose valuable customers and revenue. These attacks can be even harder for smaller businesses to recover from, since they generally have smaller budgets and client bases.


Hiscox found that many firms struggle to implement strong cyber-attack policies because of budget limitations. Because these attacks can have such a devastating effect on business, though, they recommended that more organisations make protection a budget priority.




After compiling this data, Hiscox recommends that small businesses implement a specific strategy to protect against cyber-attacks. For organisations of this size, the process will likely involve outsourcing to a specialist consultant. Hiscox advises that this is a cost-effective way for smaller businesses to access the resources and knowledge they need to stay safe.


Hiscox also suggests that employees of all levels are made aware of their company’s cyber-attack strategies: how to best prevent these crimes, and how the effects can be mitigated if one should happen. This should involve training for all staff, with a particular focus on how to protect sensitive data. Finally, Hiscox recommended that businesses put one person in charge of cybersecurity overall, to ensure that employees know who to voice their concerns to and receive all relevant information.