The relationship between a big business and a partner SME can present ‘a vast opportunity for hackers to infiltrate the larger business’ due to ‘weaker security systems’ at small companies

According to February 2024 data from IT support provider AAG, around a third (32%) of UK businesses reported suffering a cyber attack or breach last year – this rose to 59% for medium-sized companies and 69% for large organisations.

Findings from Hiscox’s annual Cyber Readiness Report agreed with the attack uptick recorded by AAG. The insurer’s study revealed that cyber attacks on small businesses with fewer than 10 employees rose from 23% to 36% over the last three years.

SMEs, however, are seemingly unaware of the seriousness of the cyber criminal threat.

Separate research from cyber insurer Cowbell found that 32% of the 500 SME chief executives it surveyed were confident that a cyber attack would not impact their ability to conduct business.

Additionally, 10% of business leader respondents said they saw no need to enhance their cyber risk defenses.

What does it mean for risk managers?

The fact that SMEs appear to be putting their heads in the sand when it comes to understanding and mitigating cyber risks could subsequently pose a danger to larger corporates that these SMEs partner with, thanks to greater “interconnectedness”.

Claud Bilbao, UK underwriting director at Cowbell, told sister publication Insurance Times: “As businesses embrace technological advancements to enhance efficiency and foster growth, they are becoming increasingly interconnected, linking numerous endpoints across their operations.

“But this interconnectedness, while offering unprecedented opportunities, also exposes businesses to significant and elevated cyber risks – with more endpoints come heightened vulnerabilities as each device represents a potential entry point for malicious actors.”

SMEs, therefore, can pose a cyber security risk for any larger businesses that they partner with – especially as Cowbell’s research noted that 77% of SMEs do not maintain any in-house cyber security.

Matthew Norris, territory manager at Beazley Digital, explained that SMEs “often have weaker security systems and they are viewed as soft targets by cybercriminals”.

He added: “Large companies can grant privileged access to SMEs [in order] to provide services, which opens a vast opportunity for hackers to infiltrate the larger business.

“Often, large companies focus on their front door – like a website – rather than the back door, like their vendor access.”

This could then lead to a third-party cyber attack, where a cybercriminal targets a vendor, supplier, or contractor in order to gain sensitive information about the company’s partners or customers.

As an example, Norris referenced a high-profile data breach that occurred in 2013, where a third-party heating and ventilation contractor for American retailer Target, Fazio Mechanical Services, fell victim to a phishing attack.

Norris continued: “The attackers were granted access to Target’s network through the third party and malware started stealing customer information.

“As an integral part of many supply chains, SMEs with weak security systems can act as a gateway in a hack to larger funds. One weak contractor may have several large clients [that] could be targeted as a result.”

Bilbao agreed that the increased complexity of business systems can create potential security gaps that cybercriminals can exploit – for example, the networks, software or hardware provided and maintained by third-party IT suppliers.

These suppliers often have privileged access to their clients’ IT infrastructure, including sensitive data and critical systems.

Therefore, when hackers successfully compromise an IT supplier, they can exploit this access to potentially infiltrate multiple larger corporations that rely on the same supplier’s services.

Being proactive

For Norris, “the scale of the threat” posed by cybercriminals “is not recognised by many SMEs”. In turn, this affects the penetration of cyber insurance across this demographic, as well as hampering their ability to tap into the preventative measures many insurers offer.

Confirming Norris’ stance, The Cyber Security Breaches Survey 2023, published by the Department for Science, Innovation and Technology in April 2023, found that only 6% of micro businesses and 11% of small businesses had cyber cover.

This report also showed that 29% of micro businesses and 33% of small businesses believed they already had cyber cover as part of a wider policy, despite blanket exclusions now being standard in many commercial policies.

Speaking to Insurance Times back in January 2024, cyber underwriter CFC estimated that the overall penetration for SME businesses buying cyber insurance was only 15% in the UK.

Although these statistics suggest a low uptake of cyber cover among SMEs, Norris explained that “the insurance sector has traditionally played a crucial role in managing cyber risks for SMEs by providing cyber insurance policies that cover the costs associated with cyber incidents”.

He continued: “This role is evolving as cyber attacks become more frequent and cyber crime groups become more specialised and diversified.

“To support SMEs, we find it is much easier for our SME clients to engage with the reality of cyber risk if we not only alert them to issues, but also provide solutions to help them address the risks.

“This is why we are always looking at ways to enhance our services to include proactive measures, such as threat intelligence sharing, risk assessment tools and cyber incident response services.

“These offerings are all designed to mitigate the financial impact of cyber attacks and prevent them by improving SMEs’ cyber resilience.”

Richard Hodson, founder of R C Hodson Insurance Services, agreed that a proactive cyber policy can be beneficial for SMEs’ risk management, in turn better protecting larger partner businesses.

He added: “Most cyber policies now are generally offering a vulnerability scan straight up. So, you get to see what ports are open. The critical factor will always be the human elements.”

The research from Cowbell also emphasised the need for better education within SMEs about how to deal with a cyber attack – something cyber-focused insurers and brokers can assist with.

Catherine Aleppo, UK sales director at Cowbell, said: “Business owners must give their staff tools and education [to] ensure they’re continually aware of how to protect devices and digital assets more robustly.

“By making training readily available, we as an industry are making an important first step to encourage businesses to adopt a cyber smart culture – but the research shows there’s still more work to be done.”

This article was also published in our sister publication - Insurance Times