Fewer than one in five (17%) UK SMEs have actively explored their exposure to a broad range of security threats, including online and offline extortion, according to new research.
The majority of SMEs see the risks as either irrelevant, or too small to justify the time and expense it would take to assess them.
At the same time, however, 44% of them expect to face some type of threat in the next 12 to 18 months – and levels of preparedness are low.
The findings have emerged from a YouGov poll of 1,000 companies on behalf of brokerage and risk management firm Arthur J Gallagher.
According to the survey, SMEs have weathered a wide variety of threats over the past two years – but the nature of those threats is beginning to align with those faced by larger firms.
Extortion was the primary challenge in that two-year period, with 17% of respondents experiencing it in some form.
Only 7% say they have faced cyberextortion – four times fewer than large companies – but there are signs that over the next 12 to 18 months, SMEs could catch up: 27% expect that they will encounter cyberextortion, and 39% think that they will suffer extortion by other means.
Despite that, though, almost half (43%) of respondents admit that they currently have no business continuity, disaster recovery or crisis management procedures in place to address threats of any kind.
That total lack of contingencies affects just 3% of large firms.
In one of the poll’s most concerning findings, many SMEs think they are too small to be targeted by ransomware.
However, attacks of that type are predominantly untargeted, as demonstrated by the damaging WannaCry strike that swept UK IT infrastructures in May this year.
While media coverage of the incident focused upon the software’s effect on the NHS, Prime Minister Theresa May explained, “This is not targeted at the NHS – it’s an international attack and a number of countries and organisations have been affected.”
Arthur J Gallagher crisis management director Paul Bassett said: “It is vital for SMEs to build a culture of crisis resilience.
“Their growing awareness of an overall increase in security threats needs to be matched by actions that will help them mitigate and manage their own vulnerability to those risks.”
Bassett noted: “Our research shows that education is key. Clearly, there is a disconnect between the current level of planning by SMEs and how resilient they believe themselves to be, creating a false sense of security.”
He added: “Exposure to the risk of non-damage business interruption – where no physical loss has been suffered, but you aren’t able to trade – is a particular area of concern.
“That could be experienced because of proximity to a terrorist incident or an indiscriminate cyberextortion attack, for example.”