SMEs ambivalent about cyber risk

UK small businesses are underestimating the impact a cyber attack could have on their reputation and must take steps to protect it, a study suggests.

Despite the vast majority (93 per cent) of small businesses thinking about their company’s reputation frequently or all the time, they aren’t considering how a breach could affect it.

In fact, less than a third (29 per cent) of small companies surveyed that haven’t experienced a breach say the potential damage a cyber breach could cause is an ‘important’ consideration’, according to a report launched by the government’s Cyber Streetwise campaign and KPMG.

However, 83 per cent of consumers surveyed are now concerned about which businesses have access to their data and whether it’s safe, and more than half (58 per cent) say that a cyber breach would discourage them from using a business in the future.

This concern is even greater in the supply chain. Recently-published KPMG research finds that 86 per cent of procurement departments would consider removing a supplier from their roster due to a breach, highlighting that an attack can have serious short and long term implications.

Some 94 per cent of procurement managers say that cyber security standards are important when awarding a project to an SME supplier.

This is reflected by the fact that the majority (89 per cent) of small businesses that had experienced a breach feeling the attack impacted their reputation in some way, with 31 per cent of those having been breached reporting brand damage, 30 per cent reporting a loss of clients and a quarter receiving negative reviews on social media.

The impact has been long-lasting, with one in four (26 per cent) of those having experienced a breach being unable to grow in line with previous expectations, and almost a third (31 per cent) saying it took more than six months for the business to get back on track.

Quality of service is also a risk; those who experienced a cyber breach found it caused customer delays (26 per cent) and impacted the business’ ability to operate (93 per cent).

The lack of concern around potential reputation damage may be explained by the fact that many small businesses don’t realise the value of their data. The vast majority (95 per cent) of small companies surveyed hold data in the IT systems, yet more than a fifth of those surveyed (22 per cent) don’t consider it to be commercially sensitive.

Even though customer, financial and IP data can be shared with competitors if a company is attacked, just one in five (19 per cent) small businesses say they would be immediately concerned about competitors gaining advantage if they were breached.

The report also reveals that many small businesses (51 per cent) surveyed don’t think they will be a target for an attack, despite the majority of consumers worrying about the security of their data, especially in the hands of small businesses.

George Quigley, a partner in KPMG’s cyber security practice says, ‘Small businesses know that their reputation is critical to their success but it seems that many haven’t considered quite how many factors can affect it.

‘Every piece of data in a business can be of interest to a cyber criminal – even if the business itself may not realise it – and with small and medium sized businesses a key target for this very reason – it’s vital to take steps to protect your data, and with it the trust of your customers and ultimately your reputation.’

Further reading on cybercrime

Ben Lobel

Delphine Hintz

Ben Lobel was the editor of from 2010 to 2018. He specialises in writing for start-up and scale-up companies in the areas of finance, marketing and HR.

Related Topics

Cyber Security