A new poll of SMEs shows nearly half of practices in the engineering and manufacturing sectors are still confused by or even unaware of GDPR rules, and only around one in ten see cyber attacks as a leading risk to their business. The poll comes on the back of a survey earlier this year from the National Cyber Security Programme that revealed nearly half of UK businesses experienced at least one cyber security breach or attack in 2017, with 66% of SMEs and 45% of micro businesses shown to have been victims.
The threat of cyber attacks and fraud is one of the most prominent emerging risks in the engineering and manufacturing sector, and there’s a lot of work being done to raise awareness, said Chris Mallett, Broking Manager for Aon, which commissioned the latest poll.
Mallett points to increasing vulnerabilities associated with the growth of flexible working with staff accessing data on-the-go via their own personal computers, smartphones or tablets if data is not properly encrypted and controlled.
Yet the poll shows more than one in five SMEs in engineering and manufacturing allow the use of personal computers, tablets and phones for business purposes. In addition, it reveals more than two in five are not aware that loss of personal information as a result of a cyber attack or fraud is a data breach.
The poll of 1000 SMEs carried out through OnePoll also indicates that too many companies in these sectors (more than one in five) are unaware of the need to notify authorities about a breach that has an impact on individuals and a third seem confused about the time limit for reporting, exposing their companies to the risk of huge fines.
It also reveals confusion among engineering firms over the cost to their business in the event of a data breach, with more than one in three saying they had no idea of the level of any likely financial impact.
“Although fines are expected to be issued as a last resort, they can be up to €20m or 4% of annual turnover,” explained Mallett. “This means the risk presented by non-compliance with GDPR has the potential to bring a small business to its knees.”
But Mallett stresses the lasting damage can go beyond a fine: “It has an impact on a company’s reputation if a data breach isn’t handled correctly and it can be hard to regain trust and recover from that.”
The EU rules known as GDPR, which came into force in the UK in May, drastically increased potential penalties on companies found to have misused or mismanaged clients’ personal data. According to Dr Emma Philpott this has caused companies to focus on this issue, but her concern is that this was, for many, a short-lived effect.
Dr Philpott is managing director of the UK Cyber Security Forum and CEO of the IASME Consortium, an accreditation body for assessing and certifying against the Government’s Cyber Essentials Scheme. “As soon as the deadline for GDPR passed too many thought that was job done and that’s where their responsibility ended,” she said.
Philpott believes the big data breaches in the press help to raise awareness, but they can also cause data breach fatigue: a sense that the time, cost and high-end security needed to tackle this are complicated and overwhelming for an SME. “When in fact the basics don’t cost much,” she said. “Educating staff doesn’t cost anything other than time.
“I don’t think companies realise how awful the impact of a breach can be or the amount that actually has to be done, for example mandatory reporting and keeping affected customers or clients informed,” added Dr Philpott. “It can leave those clients fearful and cause reputational damage.”
While many companies have professional indemnity insurance (PII) in place, there are often significant costs that professional indemnity won’t pick up, added Mallett, who points to the poll results showing more than one in ten engineering and manufacturing SMEs believe they’re covered by their PII and more than one in five admit they don’t insure against cyber risks.
“This can leave a business liable for facing bills when they discover their PII doesn’t cover all costs,” said Mallett, who says companies are surprised by how affordable cyber insurance is. “Specialist policies not only cover for the cost of responding to a breach, but also the costs of damages you’re legally liable to pay in the event of a breach or security failure, as well as associated legal costs.”