While many UK small to medium-sized businesses clearly recognise cyber security's value, the majority are still significantly unprepared to meet the EU General Data Protection Regulation (GDPR), according to the study of 607 UK business decision makers conducted by Barracuda Networks, Inc., the cloud-enabled security and data protection solutions provider, in conjunction with Small Business Advice Week.
- Four in five (81%) of UK business decision makers view cyber security as a necessity, whereas 9% actively view cyber security as a hindrance.
- 64% of respondents have a cyber attack plan in place, with only 1 in 20 (5%) thinking they do not need a plan.
- If a cyber attack caused systems to go offline, almost a third (30%) of businesses would survive less than a day without their revenues being impacted. However, 1 in 5 (20%) of respondents did not believe it would affect their organisation at all.
- 30% of respondents aren't prepared to meet the GDPR and 33% aren't aware of the implications it will have on their organisation.
- Half (50%) of respondents either don't know or don't believe that the GDPR affects their business.
Lack of understanding leading to increased risks
The vast majority of respondents (80%) confessed the revenue and capability of their business would be impacted by a cyber attack which caused their systems to go offline. With over half (59%) saying this would happen within a week of their systems being offline, it's clear UK organisations recognise the potential effect an attack can have. This may be due to the increased reporting on cyber attacks, with 75% of respondents saying recent news articles have made them more wary.
Despite this, almost one third of respondents (30%) either don't have a cyber attack plan or don't know if they have one. A minority (5%) do not think they need to plan in the event of a cyber attack at all. It would appear that some organisations still have a long way to go in terms of cyber security education.
This may be due to non-technical staff often making important cyber security decisions in SMBs. In fact, only 35% of respondents said their organisation's IT manager or IT department makes security decisions. For the remainder, decisions were made by the managing director (27%) or a board-level decision maker (22%), or there was no clear IT decision maker (9%).
With the GDPR coming into effect in May 2018, it is concerning that so few UK SMBs are prepared for its regulations. While similar numbers aren't fully aware of the GDPR's implications (33%) and feel unprepared to meet the GDPR (30%), what's most worrying is that a staggering 50% of respondents do not think the GDPR will affect them. As the regulation brings with it increased fines of up to €20 million or 4 per cent of turnover (whichever is greater), organisations will be punished greatly for noncompliance.
Chris Ross, Senior Sales VP, International, at Barracuda Networks commented: "SMBs often mistakenly believe they aren't the 'real' targets of cybercriminals, and that attackers would rather focus their efforts on enterprises. However, often criminals prey on small businesses, assuming they have less cyber security resource to leverage.
"From May 2018, not only will data breaches undermine your company's trust - and lots of smaller businesses out there depend heavily upon customer loyalty - but they can also very easily impact your bottom line. Increased fines or failing to comply with the GDPR may well leave a sizable dent in your organisation's. Managing the aftermath of a cyber attack has now in many cases become more expensive than proactively preventing it from happening in the first place."