Hiscox Small Business Cyber Risk Report™: Two-Thirds of Small Businesses Fail to Act Following a Cyber Security Incident

June 19, 2018

It’s normal to stop in your tracks when something alarming happens. But it’s what you do next that counts. The same is true when it comes to cyber attacks. Hiscox’s 2018 Small Business Cyber Risk Report found that two-thirds of small businesses do nothing after a cyber incident. That’s a major problem, given that the report also found that 47% of small business owners experienced a cyber attack in the previous year. 47% of those who were attacked experienced two, three, or four attacks.


As a business owner, it's your responsibility to ensure that the personal and financial information your customers entrust to your care remains secure. However, like many other small business owners, you may have little expertise in the area of cyber security. If this sounds like you, you're not alone. In fact, only 16 percent of smaller companies strongly agree that they feel confident about their cyber security preparedness. What this sobering statistic says is that an overwhelming majority of small business owners could use a little help navigating this critical area of business operations.

Developing a clearly defined cyber strategy for your company may be a challenge, but it's one you can successfully meet by systematically focusing on the three most critical elements of cyber security: prevention, detection and mitigation. These three best practices form the backbone of every workable small business cyber security strategy. The efforts you devote to these three areas will be well worth the time, energy and dollars expended as they will help you become proactive in eliminating the threats that today's sophisticated technology brings.

Prevention

Devising a plan that will successfully prevent cyber security incidents from happening in the first place should be your initial focus and your primary goal as you begin developing your cyber security strategy. Prevention involves three distinct areas of attention that, once implemented, will work together to protect your business from technological intrusion.

1. Involve and educate everyone at all levels of the organization.

By making cyber security an integral part of your company culture and educating all your employees about the risks that cyber attacks pose to your business, you can help prevent unintentional breaches in which employees unknowingly cooperate with attackers by providing the information or access they need to carry out their attacks. Raising awareness will also help you recruit your employees as co-soldiers in the battle to keep your business secure, letting each employee serve as another set of eyes that can watch for suspicious activity and alert you should they notice anything amiss.

2. Prepare a formal budget and make cyber issues a key category.

In addition to providing any funding you may need for battling cyber intrusion, making cyber issues a regular part of the budgeting process will highlight its importance and help ensure that this critical topic gets the attention it needs in all your company's decision-making.

3. Provide introductory training for new hires and ongoing training for all employees.

Providing new-employee training during onboarding will help new hires get on the same page with your company's cyber security policies and raise awareness of the need for caution. Continued training at regular intervals will help all employees remain vigilant.

Detection

Having the right protocols in place for detecting the incidents you're unable to prevent will help you move quickly to get them resolved.

1. Use both intrusion detection technology and human monitoring on all critical networks.

This one-two punch can combine the power of automation with the critical human backup you need to ensure detection and proper assessment of any incidents. This knowledge will better arm you to prevent future attacks, making the additional vigilance worthwhile.

2. Track both successful and unsuccessful attacks and use the data to generate alerts.

These alerts should involve automated monitoring and manual logging of all incidents. Intrusion-detection software often generates such alerts automatically, a feature that can prove highly valuable in preventing future intrusions. The human element is needed as well to determine why some intrusions were successful while others were thwarted. This data can prove crucial during future cyber attacks.

3. Document all incident response activities and related events.

These records will provide the critical details that will help you formulate your updated strategy, creating a more powerful arsenal for future incident detection and prevention. Reviewing these records periodically may help you detect patterns that could richly inform your future incident response protocols.

Mitigation

Mitigating the effects of intrusions and minimizing their impact will help your business stay strong after an attack and emerge better-protected against future threats.

1. Formulate a comprehensive plan for dealing with incidents.

Be sure your plan addresses the critical areas of threat detection, containment, notification and assessment. Each of these factors is critical to creating an effective response to current and future threats. Be sure to assign specific roles and define the responsibilities of each player who will be involved in your plan of attack.

2. Institute regular reviews to keep your response plan relevant.

Emerging threats will continuously challenge your current protocols, making it necessary to keep your strategy as flexible as possible. Your response plan should always include new, ever-evolving best practices as the nature of the threats facing your business changes.

3. Protect your business from financial risk with cyber insurance.

You risk financial loss by failing to insure your business against the possibility of cyber intrusion. In today's world, cyber threats are simply a fact of life. A stand-alone cyber policy or insurance policy endorsement will help you make certain your business is protected in the event that the unthinkable happens.

Don't Get Caught Unprepared

A comprehensive cyber security strategy can help your company avoid the lost business and damage to its reputation that often occur following a security breach. This strategy can also protect your company's vital operations while helping you minimize and possibly avoid the financial impact that cyber intrusion can exert on your business.

Learn more about how to prepare and protect your small business from cyber intrusions by downloading the informative cyber e-book from Hiscox. With all the technological tools at your disposal, there's no reason to remain helpless in the face of cyber security threats.