Chubb: Clear Gap Between Perceived and Actual Preparedness in SME Cyber Security
By Dzof Azmi November 5, 2019
- 67% of respondents erroneously believe they are at less risk than larger counterparts
- M’sian, S’pore SMEs underestimate exposure to risk, overestimate ability to manage it
“There are those who have been breached, and those who don't know it yet,” is a truism about computer security that has been circulating for almost a decade. Unfortunately, Malaysia and Singapore are no exceptions, based on Chubb’s SME Cyber Preparedness Report 2019 for the two countries. In each country, 400 SMEs with between 2 and 249 staff were interviewed. Manufacturing at 20% and professional services at 19% formed the two largest groups interviewed.
"There is a significant perception gap between the threats of cyber risk and the preparedness of the Malaysian SMEs to deal with them," said Steve Crouch, Chubb Insurance Malaysia Bhd Country President. Chubb is the world's largest publicly traded property and casualty insurance company. The Singapore report similarly claims there is a “clear gap between perceived and actual preparedness”.
“We hope that this report will be a wake-up call for all SMEs,” asserted Crouch. “It's time to recognize when it comes to cybersecurity, ignorance is risk.”
SMEs are “low-hanging fruit” to attackers
The survey of 400 Malaysian SMEs and 400 Singaporean SMEs, whose respondents comprise board-level executives and senior managers across various industries, makes for sobering reading: its results show that SMEs in the region underestimate their exposure to risk, while overestimating their ability to manage it.
For example, the majority of SMEs surveyed believed that large corporations are more at risk of cyberattacks than small businesses (67% in Malaysia, 59% in Singapore). However, this is not true.
“Smaller companies face a larger degree of exposure because of their size and resources,” said Andrew Taylor, Chubb Cyber Underwriting Manager for Asia Pacific. “They don't have the scale to invest in adequate cyber risk management.” Indeed, criminals see SMEs as “low-hanging fruit”, while automated tools do not discriminate between the big and the small.
For example, 84% of Malaysian SMEs surveyed and 65% of Singaporean SMEs reported they were victims of cyber-incidents in the past year. But 59% of Singaporean SMEs agreed with the statement “I don’t think we are aware of all the cyber threats we face” (no number for this was made available in the Malaysian report).
Even the fact that 63% of Malaysian SMEs took action to increase security protection after a breach is a cause for concern. “We can turn that statistic around (and say) 37% didn't increase their security,” pointed out Taylor, while also referring to the incredible fact that 16% reported that they took no action beyond recovering files after a breach. “That is not a good thing.”
Over-representation of response plans and cyber insurance
What happens when things go wrong? According to the survey, 61% of Malaysian SMEs have a response plan. But Taylor is not so sure. “This conflicts with a lot of information we've collected over the last 10 years in a region.”
He’s talking about the difference between having a plan and making sure it covers a large scope of eventualities. “What we found from other surveys we've done is that response plan is dealing with tangible events, not intangible ones,” explained Taylor, referring to impacts of a non-technical nature, such as a loss of reputation.
Of course, at some point the conversation turned to insurance, given that it’s one of the products that Chubb offers to its customers. “Certainly, we are seeing a sharp take-up in people buying cyber insurance around the region,” continued Taylor. But the concern is that Malaysian SMEs are mistaken in believing they are covered by cyber insurance.
Specifically, 32% of Malaysian SMEs surveyed said they have purchased cyber insurance, but Chubb believes the true figure is closer to 1%, based on its experience insuring 20,000 SMEs in Malaysia. “There's a misunderstanding from SMEs about if they're buying cyber insurance or they believe that cover is embedded somewhere else.”
Taylor hopes that companies view buying insurance as another way to mitigate cyber security risk, apart from investing in IT security solutions. “No matter how much technology a business buys, it will not make them a hundred percent secure.”
Under the circumstances, expect many more SMEs in Malaysia and Singapore to feel the bite from being hit by a cyber security breach.