Hong Kong-based small and medium enterprises (SMEs) have a low level of confidence in their employees’ ability to manage cyber risk, a survey by Chubb has revealed.
According to the second annual Chubb SME Cyber Preparedness Report, titled ‘Ignorance is Risk’, more than three-quarters (76%) of SMEs surveyed have experienced a cyber incident in the past 12 months.
Despite the high number of cyber incidents, half (50%) of Hong Kong SME leaders believe that their employees are unaware of all the cyber threats they face.
Meanwhile, 41% of SME leaders said there is no consistent understanding across their organisation of what cyber risk means. Additionally, 38% of SME leaders were not confident that all their employees who have access to sensitive data are fully aware of their data privacy responsibilities.
“Building awareness among employees is more important than ever,” said Andrew Taylor, cyber underwriting manager, Chubb Asia-Pacific. “Employees are both the biggest risk and greatest opportunity for SMEs looking to improve their cyber defences. Being the organisation’s first line of defence, they can play a critical role in detecting and preventing breaches. Not investing in upskilling employees on cyber risk is a missed opportunity.”
While the majority (51%) of SMEs were most concerned about the effects on their relationships with customers in the aftermath of a major cyber incident, this figure was less than the 64% recorded in 2018.
Revenue and sales (49%), company profits (46%) and market reputation (46%) were other concerns mentioned by SMEs.
Despite these concerns, after a cyber incident, more than a third (34%) of SMEs reviewed their security protection but took no future action, with only 11% making any attempt to recover breached data files, the report added.
“This apparent lack of concern is puzzling,” Taylor said. “It points to the over-confidence we found among SMEs in overcoming cyberattacks. However, this leaves the door wide open for malicious attacks, future breaches and inadequate incident response.”
On a brighter note, the report found that Hong Kong SMEs were quicker in responding to cyber incidents compared to last year. Over seven in 10 (71%) businesses resumed operations within 12 hours following a cyber incident, up from 62% in 2018. Meanwhile, more than two-thirds (69%) of SMEs had reached out to affected stakeholders within 72 hours, compared to 62% in 2018.
While awareness of cyber risk is increasing, Chubb noted that there is still a cyber insurance protection gap. Almost a third (32%) of Hong Kong SMEs did not purchase cyber risk insurance before or after experiencing a cyber breach, while close to half (45%) do not fully understand the insurance solutions available to them.
“With SMEs making up 98% of all businesses in Hong Kong, the number of businesses covered by cyber insurance is worryingly low,” said Stanley Wong, president of Chubb for Hong Kong, Taiwan, and Macau.
“There is a misconception that smaller businesses face less cyber risk than larger companies, when in fact the opposite is true. A large cyber incident could spell the end of a small business and leave them open to significant third-party liabilities. With three quarters of SMEs experiencing a cyber incident in the past 12 months, there is an urgent need for all businesses to protect themselves.”