The threat level in the UK is severe - and arguably not just in relation to terrorism.
Recent incidents have shown that any organisation, regardless of its sector or size, could be adversely affected by a security attack.
Whether it is a malicious and indiscriminate ransomware campaign, similar to Petya or WannaCry, or getting caught up in an act of terrorism, businesses must be prepared to respond to today’s shifting security risks.
Recent research carried out by Arthur J Gallagher, in collaboration with YouGov, revealed that small businesses are significantly under-prepared to respond to a crisis scenario. Fewer than one in five (17 per cent) UK SME leaders surveyed had assessed their exposure to rising security threats, despite 44 per cent expecting to face some kind of threat in the next 12 to 18 months.
More alarmingly, nearly half of respondents (43 per cent) admitted to having no contingency plans whatsoever in place to deal with a crisis, or to not knowing what those plans were. And yet nearly seven in 10 (68 per cent) claimed to be ‘resilient’ to crises. This reveals a clear disconnect between the current level of planning and how resilient firms believe themselves to be, creating a false sense of security.
When it came to terrorism risk specifically, a common response from the more than 1,000 SME leaders surveyed was that they are ‘too small to matter, or to be a target’. But today’s fast-evolving security threats are rarely targeted at any particular company or industry. Physical damage and loss of life are no longer the most likely risks organisations face.
In the aftermath of a terrorist attack, one of the biggest challenges for small companies will be denial of access to their premises and subsequent business interruption due to security cordons. London’s Borough Market and the impact on its traders and local businesses was a case in point. Cordons can remain in place for days and, unless specifically stated, standard business interruption insurance will not cover revenue lost through ‘non-damage’ business interruption following an act of terrorism.
Yet there are steps organisations can take to bolster their crisis resilience - to anticipate, prevent, respond to and recover from today’s rising security threats. But for those steps to be effective, cross-functional collaboration is critical and the agreed strategy needs to be clear to everyone across the company.
Don’t just involve risk management specialists, but also those responsible for HR, security, IT, communications, finance, facilities and legal issues. Building a culture of crisis resilience requires much more than insurance; it takes time, effort and the right stakeholders, not big budgets.
After all, small businesses will always tend to be more vulnerable to such disruption. A week of business closure or a £50,000 cyber extortion demand is much more likely to threaten the survival of an SME than a large firm.