While cyberattacks on major corporation and public services hit the headlines with alarming regularity the threat to small medium enterprises (SMEs) cannot be ignored given the impact they can have on the ability of a business to survive.

It is estimated that 46% of all cyber breaches impact businesses with fewer than 1,000 employees. Indeed in 2021 61% of SMEs say they had suffered a cyberattack. In that year 82% of ransomware attacks were against companies with fewer than 1,000 employees.

Small businesses are also the recipients of the highest number of targeted malicious emails.

Figures show employees of small businesses experience more social engineering attacks than those at larger enterprises and with social engineering now a huge part of a new breed of cyberattack the threat is rapidly increasing.

SMEs have smaller budgets which mean that the costs of cybersecurity can weigh heavily on the balance sheet. It is estimated that over a quarter of SMEs that handle customers’ credit cards do not have any cybersecurity protection whatsoever.

With the complexity of supply chains there is now a real need for larger companies to look at their suppliers and SMEs may be a weak link in their cyber defences.

Ian Summers, Global Business Development Leader, AdvantageGo

Ian Fantozzi CEO of Beazley Digital says the insurer has seen a rise in the threats that businesses face from cybercrime.

“I think we are in an era of accelerated risks,” he explains. “When you look at the cyber threat landscape the risks are continually evolving but the pace of change has been accelerating.”

“The number of threat vectors faced by SMEs are increasing. If you go back five to ten years ago the main threats were more often denial of service (DoS) attacks. The threats evolved and we saw a rise in phishing attacks and ransomware attacks. What we see now are spear phishing attacks which see a far more focused context and targeting of those attacks. We are also seeing criminals looking at targeting ports which allow them to access networks. These attacks are becoming more sophisticated.”

Fantozzi adds the use of artificial intelligence (AI) has added to the capabilities of the cyber criminals.

“AI is allowing the criminals to apply attacks on a far larger scale,” he says. “The development of generative AI is creating greater context for the attacks. If you are a SME in recent years, you will have likely developed a higher dependence on the use of technology and systems and may well have AI as part of your business.”

Fantozzi adds: “We have seen cases where deep fakes have been created purporting to be a senior member of a company which is demanding a bill be paid quickly, and in the US, we have seen AI used to look to identify holes in a company’s AI which can be exploited. For example, if a company uses AI in chatbots the AI will ask the questions that will highlight any gaps.”

However, Fantozzi adds that while technology comes with risks it can also deliver huge benefits.

“It creates real opportunities for SMEs. I was at an event recently where the question was asked ‘when will we see the first $1 billion company with only one person in the company’. AI can deliver significant scale for companies that are effectively SMEs.”

Fantozzi explains SMEs unlike their larger peers can find investment in cyber security a challenge and while larger companies may have a chief information security officer or risk officer, for SMEs if there is such a role it is often part of a broader set of responsibilities for the employee.

“However this is where, as insurers, we can deliver value to our SME clients and our brokers,” he adds. “We will work with brokers to offer training to SME clients to raise awareness of the threats and to provide advice around increased cyber security and risk management.”

“We will carry out simulated phishing attacks and scan clients’ networks to identify vulnerabilities.”

Fantozzi adds the development of technology is also creating regulatory risks for businesses.

“The regulatory environment is changing rapidly,” he says . “A large number of countries are currently looking at how they can regulate AI and AI risks. Those efforts need to be monitored as new regulations may lead to claims.”

One area of concern for SMEs is their place in the ever more complex supply chain which is making them a target for cyber criminals who see the SME as a way to access larger and therefore more valuable businesses.

“There is a challenge in terms of SMEs not realising they are an attractive target for cyber criminals,” says Fantozzi. “They will think they are too small to be a target but it is only when they look around, they can see they are working with companies which are an attractive target for cyberattacks.”

However, the awareness of SMEs to the threat they face is increasing. Fantozzi adds in a recent edition of the insurer’s regular reports on various risk classes, 25% of the SMEs they surveyed said they feel unprepared to deal with cyber risk, a 6% increase to the result when the same question was asked 12 months previously.

Demand for cyber cover from SMEs in the US has been rising rapidly and while European SMEs have not been as quick to increase demand the situation is changing significantly.

He adds that SMEs are struggling to cope with the implications of the cyber crime landscape and the burden of ESG is also causing many to question what is required of them.

Beazley has responded with the launch this year of its Better Business Hub.

“The hub is in response to the concerns of SMEs and allows them to access a range of helpful resources,” he adds. “They are invited to compete a questionnaire which will identify areas where improvement is needed to help them on their ESG journey.”

“SMEs are a significant part of the economy and there needs to be a partnership between the policyholder, their broker and their insurer to support efforts to increase resilience,” he concludes.

The Big Question: Are SMEs now at the forefront of cyber risks?