UK SMEs (small and medium enterprises) are under-prepared to respond to a crisis scenario, according to research commissioned by insurance company Arthur J. Gallagher.
The survey of more than 1,000 SME business leaders for Understanding security risks: how SMEs can build a culture of resilience found that 19% of UK SMEs have faced an external security threat in the past two years, while 44% believe they could face a threat in the coming 12 to 18 months.
However, only a third (30%) said they have insurance in place that would cover a security crisis such as terrorism, cyber extortion, sabotage, product tampering or emergency repatriation. A further 40% did not know if they have insurance at all.
Paul Bassett, managing director of Gallagher’s crisis management practice, said HR has a key role to play in defending against such threats. “We work with a range of clients, some with small and some with large HR teams, but there are things HR departments of any size can do,” he said. “Training, for example, is often HR-led. HR professionals could find advice online about protecting their firm from an attack, and spread that information as far as they need to.”
Bassett suggested HR could help to develop a strong plan for when the worst happens. “One of our clients had people in Paris during the attacks in 2015. Because they had a strong incident plan in place they were quickly able to contact all but eight of their staff and verify they were safe, and reach the other eight as soon as possible.
“It brings a great deal of comfort when you know where you staff are and that they are safe,” he said. “Employees may not like the idea of tracking software on their phones, for example, but in a terrorist incident it can be very helpful.”
Many SMEs feel they are too small to be targeted, with only 17% having tried to assess their exposure. However, the report warns that the nature and effect of today’s low frequency, high impact security threats – such as terrorism and cyber extortion – are often non-targeted. Mass ransomware attacks mean smaller firms are often more vulnerable than large organisations with more IT resources, for example.
Bassett warned that no matter what their size firms need to take care. “Many evidently feel they are too small to be targeted but today’s fast-evolving security threats are often not targeted at any particular company or industry,” he said. “Exposure to the risk of non-damage business interruption – where no physical loss has been suffered but you aren’t able to trade – is a particular area of concern.
“That could be experienced because of proximity to a terrorist incident or an indiscriminate cyber extortion attack, for example.”