An expandingnetwork of riskand opportunity:How UK SMEs areunder-estimating thegrowing complexityof technologyWritten by
2An expanding network of risk and opportunity:How UK SMEs are under-estimating the growing complexity of technologyAbout t...
3An expanding network of risk and opportunity:How UK SMEs are under-estimating the growing complexity of technologyForewor...
4An expanding network of risk and opportunity:How UK SMEs are under-estimating the growing complexity of technologyExecuti...
5An expanding network of risk and opportunity:How UK SMEs are under-estimating the growing complexity of technologyHow are...
6An expanding network of risk and opportunity:How UK SMEs are under-estimating the growing complexity of technologyTechnol...
7An expanding network of risk and opportunity:How UK SMEs are under-estimating the growing complexity of technologyTechnol...
8An expanding network of risk and opportunity:How UK SMEs are under-estimating the growing complexity of technologyTechnol...
9An expanding network of risk and opportunity:How UK SMEs are under-estimating the growing complexity of technologySMEs se...
10An expanding network of risk and opportunity:How UK SMEs are under-estimating the growing complexity of technologyOpport...
11An expanding network of risk and opportunity:How UK SMEs are under-estimating the growing complexity of technologyMr Mil...
12An expanding network of risk and opportunity:How UK SMEs are under-estimating the growing complexity of technologyProtec...
13An expanding network of risk and opportunity:How UK SMEs are under-estimating the growing complexity of technologyData p...
14An expanding network of risk and opportunity:How UK SMEs are under-estimating the growing complexity of technologyData p...
15An expanding network of risk and opportunity:How UK SMEs are under-estimating the growing complexity of technologySMEs a...
16An expanding network of risk and opportunity:How UK SMEs are under-estimating the growing complexity of technologyEmerge...
17An expanding network of risk and opportunity:How UK SMEs are under-estimating the growing complexity of technologySMEs a...
18An expanding network of risk and opportunity:How UK SMEs are under-estimating the growing complexity of technology
19An expanding network of risk and opportunity:How UK SMEs are under-estimating the growing complexity of technology
Zurich Insurance plc is authorised by the Central Bank of Ireland and subject to limited regulationby the Financial Conduc...
Upcoming SlideShare
Loading in …5
×

Connecting the Dots: An expanding network of risk and opportunity

327 views

Published on

How UK SMEs are under-estimating the growing complexity of technology

In November 2012, the Economist Intelligence Unit, on behalf of Zurich, surveyed 549 small business ownersand directors in the UK to explore what SMEs think about the current economic landscape and how they areadapting in order to survive and succeed.

In addition, in-depth interviews were conducted with two SME experts. Our thanks are due to the followingfor their time and insight:

Jay Epton, Director of SMB for Symantec

Cliff Mills, Director of Research for the National Computing Centre

Simon Porter, Vice-President of Mid-Market Europe for IBM

The report was written by Melissa Carson and edited by Monica Woodley of the Economist Intelligence Unit.

  • Be the first to comment

  • Be the first to like this

Connecting the Dots: An expanding network of risk and opportunity

  1. 1. An expandingnetwork of riskand opportunity:How UK SMEs areunder-estimating thegrowing complexityof technologyWritten by
  2. 2. 2An expanding network of risk and opportunity:How UK SMEs are under-estimating the growing complexity of technologyAbout this reportIn November 2012, the Economist Intelligence Unit, on behalf of Zurich, surveyed 549 small business ownersand directors in the UK to explore what SMEs think about the current economic landscape and how they areadapting in order to survive and succeed.In addition, in-depth interviews were conducted with two SME experts. Our thanks are due to the followingfor their time and insight:Jay Epton, Director of SMB for SymantecCliff Mills, Director of Research for the National Computing CentreSimon Porter, Vice-President of Mid-Market Europe for IBMThe report was written by Melissa Carson and edited by Monica Woodley of the Economist Intelligence Unit.ContentsForeword 3Executive summary 4Technology: a requirement for SME business performance 6Opportunity versus threat: the perception gap 9Data protection risks: complex and interconnected 12Emergent technology risks 15Connecting the dots on technology risks 17
  3. 3. 3An expanding network of risk and opportunity:How UK SMEs are under-estimating the growing complexity of technologyForewordUK SMEs have always been innovators and ‘technology adopters’, in both good timesand, perhaps even more so, during more challenging times. This certainly rings truetoday. Indeed, the SME sector may be at a ‘technological inflection point’, a significantpoint of change for how small businesses manage and conduct business.Rates of mobile web usage and tablet adoption are defying historical precedent.‘E-tailing’ is bringing structural change to high-streets and ‘Cloud’ (Internet-based)computing is changing the operational footprint of many small firms. A new hybrid‘sharing economy’ of sole-traders, or ‘renters’, is also now emerging.The business benefits for SMEs are significant. Mobile working and Cloud computingcan unleash new efficiencies and levels of productivity for the small business. E-tailing,online distribution and social media offer enhanced scalability, allowing SMEs to reach,sell and service new markets and customers.But these vast new opportunities also present a growing area of complexity in regardsto risk – especially, for the small business. This report, ‘An expanding network of risk andopportunity: how UK SMEs are under-estimating the growing complexity of technology’,developed in association with the Economist Intelligence Unit (EIU), focuses on thisvery dynamic.Over the past decade the realm of cyber risk has expanded and become increasinglycomplex. More long-standing challenges, such as data confidentiality and protection,are now subject to increasing oversight from the Information Commissioner’s Office(ICO), as well as new EU Data Protection legislation.New emerging threats – such as cyber attack and social media reputational damage –are not only new challenges in their own right, but bring additional complexity to thelong-standing risks, due to interconnectivity. The World Economic Forum (WEF) refersinterconnectivity. The World Economic Forum (WEF) refersinterconnectivityto this as the ‘dark side of connectivity’1, a digital landscape where the likelihood andimpact of cyber threats are amplified by hyper-connectivity.The current ‘transformation of the high-street’ – and its genesis in the rapid growthof e-tailing – exemplifies this challenging dynamic between opportunity and risk. SMEsmust approach technology and the future with an appetite for both – but also an equallybalanced awareness, appreciation and understanding for risk in this unchartered territory.Moore’s law tells us that the power of computing power doubles every two years. Thepace of technology development is only increasing. Over the next decade, the insuranceindustry can play a critical role within the greater business community in helping SMEsunderstand, monitor and protect against the new risks emerging in the cyber landscape.Richard ColemanDirector, SMEUK General InsuranceZurich Insurance plc1Global Risks 2012, World Economic Forum
  4. 4. 4An expanding network of risk and opportunity:How UK SMEs are under-estimating the growing complexity of technologyExecutive summaryThere is no doubt that technology is dramatically shifting and rapidly expanding thelandscape of opportunity for small and medium-sized enterprises (SMEs) in the UK.For example, 53% of SMEs in Europe have now adopted some kind of cloud computingservice, an increase of 8 percentage points on the year before2, and experts believegetting firmly on the technology bandwagon is becoming increasingly important forSME success and competitiveness with every passing year.However, one-quarter of UK SMEs remain in the dark, not actively monitoring technologiesand the impact they could have for their businesses. They also happen to be less confidentin their business outlook and less opportunistic overall. For these non-adopters, technologyinefficiency may add to other business challenges to create a strong headwind to long-termcompetitiveness and sustainability.In order to investigate in detail how SMEs have adapted to the new technologyrisk landscape, the Economist Intelligence Unit, on behalf of Zurich, surveyed over500 UK SMEs.The majority are keen to capture the benefits to both serve their business needs andobtain a competitive advantage, but SMEs also need to manage an increasinglycomplex and swiftly evolving set of associated risks.SMEs are undervaluing the level of threat and the growing complexity of manytechnology risks – particularly those associated with emergent trends such as web-basedservices (cloud), mobile and social media. They are underestimating their vulnerabilityto cyber criminals, even as attacks targeting SMEs are on the rise. And they are notsufficiently connecting the dots regarding the interconnectivity of technology risks ingeneral, which threatens to exponentially increase potential levels of exposure.For some industries in particular, awareness of technology risks is worryingly low. Retailand distribution – a sector in potential transformation – stands out as surprisingly behindthe curve on technology.While key steps are being taken by many, the biggest oversight among SMEs is thehuman factor. Few are focussing on training and updating their security policies, whichneed to be driven all the way through the organisation to manage the expanding rangeof vulnerable points.2According to a report published by Spiceworks (a social business network for IT professionals) in November 2012.
  5. 5. 5An expanding network of risk and opportunity:How UK SMEs are under-estimating the growing complexity of technologyHow are UK SMEs adapting to the growing complexity of technology?Increased use ofmobile technology5% negative impact, 55% positive impactIT exposure associated withteleworking/mobile workforces40% not a threatSocial mediareputationaldisaster40% not a threatGrowth ofsocial media6% negative impact34% positive impactThe technology landscape is changing quicklyAs businesses change the way theycommunicate and share data,they are increasing their exposure toexternal threats such asdata loss and cyber attackHuman error is probably thelargest risk, however only46% of SMEs havetrained their staff46% trained their staff46%28%have reviewedsecurity policiesSMEs are underestimatingthe interconnectivityof the risks and thepace of changeDeleteDeleteDeletee-markets onlineconsumerreviewsfacebook linkedIn@@Source: Economist Intelligence Unit
  6. 6. 6An expanding network of risk and opportunity:How UK SMEs are under-estimating the growing complexity of technologyTechnology: a requirement forSME business performanceOver two-thirds of UK SMEs say that they assess the impact of technological trends ontheir businesses. According to experts this group is much more likely to survive and thrivein the future. Being able to link technology directly to overall business performance isthe “holy grail for technology experts; but it is very difficult to measure”, says Cliff Mills,Director of Research for the National Computing Centre (NCC).But the consensus is clear among experts, who believe technology is increasingly a basicrequirement for SME performance, more so than five years ago even. Mr Mills says:“If you are not actively on the web, and not getting the technology expertise to helprun your business, you will certainly be left behind.”Technology, confidence and risk appetiteInterestingly, in line with expert opinion, the ‘tech aware’ SMEs – the two-thirds whoactively assess the impact or possible impact of technology on their business – aremore confident about the outlook for their businesses in the coming one to two years.They also have a more opportunistic overall attitude towards risk than their ‘not techaware’ counterparts.Table 1:How do you feel about the outlook for your business over the following time periods?Confident/Very Confident Tech Aware* Not Tech Aware> Next 12 months 67% 55%> Next 1-2 years 73% 63%* Those SMEs that assess the impact of technological trends on their business (67% of respondents).Source: The Economist Intelligence Unit.Table 2:How would you describe your company’s ‘risk appetite’ compared with other SMEs inyour industry?Opportunistic/Highly Opportunistic Tech Aware Not Tech Aware> 2 years ago 25% 14%> Today 26% 12%> 2 years from now 38% 24%Source: The Economist Intelligence Unit.Simon Porter, Vice-President of Mid-Market Europe for IBM, a technology firm, warnsthat “by not leveraging new technologies, which many of the innovative competitors aredoing, UK SMEs will lose competitiveness. Many foreign firms are now competing moreaggressively with SMEs, leveraging the Internet and cloud, so unless the SMEs in the UKrespond, they will not succeed”. And it is not just foreign firms that UK SMEs need to beconscious of. Increasingly, the new generation of directors running SMEs grew up withtechnology, and they will have a big advantage over others.Cliff Mills is the Director of Researchfor the National Computing Centre(NCC), an independent membershiporganisation for IT professionals. TheNCC is the single largest corporatemembership body in the UK IT sector.Simon Porter is Vice-President ofSimon Porter is Vice-President ofSimon PorterMid-Market Europe for IBM, theworld’s largest IT and consultingservices company. IBM is a globalbusiness and technology leader,innovating in research anddevelopment to shape the future ofsociety at large.
  7. 7. 7An expanding network of risk and opportunity:How UK SMEs are under-estimating the growing complexity of technologyTechnology:a requirementfor SME businessperformanceUnleashing competitiveness for micro firms andsmall businessesLarger companies are now only slightly ahead of their smaller SME counterparts in stayingabreast of technology trends and their business impacts. Some 80% of medium-sizedenterprises are assessing technology, compared with 73% and 70% of small andmicro-enterprises, respectively.With the advent of cloud services, and the evolution of mobile devices and technologicalsophistication, smaller SMEs are less hindered by the cost barriers that used to define thedivide between medium and small/micro-enterprises. Indeed, our survey demonstratesthat they are getting much closer to the norms among medium-sized businesses.Sole traders, on the other hand, are at a disadvantage owing to their lack of resources.Only one-half (52%) are thinking about the impact of technology on their business.Jay Epton, Director of SMB for Symantec, a computer security firm, reminds us thatas sole traders and in micro-enterprises, “you are often MD (managing director), ITmanager, marketing director and operations director at once, so it’s difficult to prioritise”.In some sectors, new technologies may have a low level of practical benefit andapplication for the sole trader. However, for some, emerging areas such as social mediacan offer increased marketing and customer service opportunities, as well as reducedadministrative overheads.Table 3:Do you assess the impact that technological change is or might be having on yourbusiness? (Size)Yes No/Don’t KnowSole trader 52% 48%Micro-enterprise (1-9 employees) 70% 30%Small enterprise (10-49 employees) 73% 27%Medium-sized enterprise (50-249 employees) 80% 20%Total 69% 31%*Those SMEs that assess the impact of technological trends on their business (67% of respondents).Source: The Economist Intelligence Unit.Jay Epton is Director of SMBat Symantec, a global leader inproviding security, storage andsystems management solutions tohelp small businesses secure andmanage their information.
  8. 8. 8An expanding network of risk and opportunity:How UK SMEs are under-estimating the growing complexity of technologyTechnology:a requirementfor SME businessperformanceRetail industry stands out as behind the technology curveIndustry sector influences the relative importance of technology. Most strikingis how few SMEs in the retail and distribution industry are assessing technologyimpact, particularly in light of the cannibalisation of high street shops by onlineretailers in recent years. Not only is the growth in retail overall expected to be flatin 2013-14, according to the Centre for Retail Research (CRR), but 2012 proved tobe the worst year for bankruptcies since the start of the recession in 2008. Yet formany retailers ‘online seems to be an afterthought’.Table 4:Do you assess the impact that technological change is or might be having onyour business? (Industry)Industry Yes No/Don’t knowIT services 88% 12%Manufacturing 74% 26%Media, marketing or entertainment 73% 27%Professional or financial services 73% 27%Building & construction services 63% 37%Other consumer or business services 62% 38%Retailing and distribution 55% 45%Property management & rental 46% 54%Other 55% 45%Source: The Economist Intelligence Unit.Retailers also appear to underappreciate the potential scale of threat thatthe emerging technology landscape poses for their day-to-day and businessperformance. For instance, only 17% view data loss as a ‘major threat’ and, evenlower, 10% see social media reputational disaster as such. Given the increasingreliance of retailers on ‘online reputation’ – for instance, online customer reviews– to help generate future demand and business earnings, the latter reflects asignificant new area of vulnerability.
  9. 9. 9An expanding network of risk and opportunity:How UK SMEs are under-estimating the growing complexity of technologySMEs seem to fully embrace the upside of technology for their businesses, but arethey taking the right precautions when they adopt new technologies? Many areunderappreciating the potential business impact that many technologies may pose.Technology only has an upside in the eyes of SMEsEmerging technologies are evolving rapidly, creating huge opportunities for SMEsthat are both accessible and, as we saw in part one, necessary to remain competitiveaccording to experts. The broad perception among SMEs is that technology brings almostexclusively positive opportunities to their businesses. At most, just 6% of respondents seetechnology trends having a negative impact.Online shopping is the one exception, and the retail industry is struggling with thetechnological challenge it faces (see box).Table 5:What impact do you think the following technological trends are having on your business?  SignificantnegativeimpactSomenegativeimpactNoimpactNotapplicableSomepositiveimpactSignificantpositiveimpactIncreased use of mobiletechnology0.4 % 4.7 % 29.7 % 10.0 % 40.8 % 14.4 %Increased use ofpersonal devices0.5 % 3.8 % 31.7 % 11.7 % 39.3 % 12.9 %Growth of web-basedsoftware or IT services0.4 % 4.4 % 39.3 % 10.9 % 31.0 % 14.0 %Increased analysis/use ofcustomer data1.5 % 3.6 % 39.7 % 17.7 % 30.1 % 7.5 %Growth of social media 0.7 % 5.5 % 47.5 % 12.6 % 25.3 % 8.4 %Growth of onlineshopping/consumption3.5 % 10.4 % 39.0 % 22.0 % 17.9 % 7.3 %Advances inmanufacturing technology0.7 % 2.6 % 54.3 % 20.0 % 16.4 % 6.0 %Source: The Economist Intelligence Unit.Still surprising is the proportion of SMEs who view these technology-related trends –such as mobile technology, personal devices and web-based software services – asirrelevant to their businesses. But the numbers are also slightly skewed by thesignificantly different perspectives among the ‘tech aware’ and ‘not tech aware’.Opportunity in technology (positive impact) lies in the eyes of the ‘tech aware’.Opportunity versus threat: the perception gap
  10. 10. 10An expanding network of risk and opportunity:How UK SMEs are under-estimating the growing complexity of technologyOpportunityversus threat:the perception gapTable 6:What impact do you think the following technological trends are having on your business?No Impact/Not Applicable(Some/Significant)Positive ImpactTech Aware Not Tech Aware Tech Aware Not Tech AwareIncreased use of mobile technology 29% 62% 66% 34%Increased use of personal devices 33% 63% 62% 33%Growth of web-based software or IT services 40% 72% 55% 24%Increased analysis/use of customer data 49% 76% 46% 19%Growth of social media 53% 75% 41% 19%Growth of online shopping/consumption 58% 68% 29% 17%Advances in manufacturing technology 69% 85% 29% 10%Source: The Economist Intelligence Unit.Threat – a mix of healthy fear and underestimation?Technology-related risks are seen on an entirely different scale. Over three-quartersof UK SMEs, a huge number in comparison to those that see opportunities, seelong-standing risks associated with data loss, cyber attack and electronic theft orfraud as threats. This implies that SMEs hold a healthy – if not overly fearful – view ofthe potential threats that these long-standing technology-related risks pose. The risksassociated with emergent trends, however – such as cloud computing, Internet-basedservices, social media and mobile workforces – are not seen to be as significant. Whileover one-half of UK SMEs see these trends as some level of threat, worryingly less than20% perceive them as a ‘major threat’. In the case of reputational disaster from socialmedia, only 13% of SMEs view this as a major risk. These statistics may indicate a lackof understanding of the complexity and the potential scale of impact associated withthese emergent trends.
  11. 11. 11An expanding network of risk and opportunity:How UK SMEs are under-estimating the growing complexity of technologyMr Mills of the NCC also raises an interesting point about the distinction between theserisks. “Data protection is not just about IT. It’s been around for a long time, so yes thereis a lot of awareness, but its also looked at as a business-level risk, as well as at an ITlevel; whereas mobile, cloud [and risks associated with other emergent trends] are stilloften looked at only as technology risks [not business risks]”. Therefore, they do notalways hit the radar for SMEs at a strategic or business-wide level.Table 7:How would you rate the following types of technology-related risk in terms of the threat to your business?Major threat Some threat No threat Don’t knowData loss (1) 34% 50% 15% 1%Cyber attack (eg, virus or hacking) (2) 29% 52% 18% 2%Electronic theft or fraud (6) 21% 54% 23% 3%Failure of Internet-based service (such ascloud computing) (4)17% 40% 40% 4%Social media reputational disaster (3) 13% 42% 40% 5%Breach of regulations while trading/sellingonline (eg, non-compliant distribution toforeign countries via the web) (5)10% 31% 51% 7%IT exposure associated with teleworking/mobile workforces (7)8% 44% 40% 9%Source: The Economist Intelligence Unit.Opportunityversus threat:the perception gap
  12. 12. 12An expanding network of risk and opportunity:How UK SMEs are under-estimating the growing complexity of technologyProtecting data in a world where systems are changing rapidly and information flowsfreely introduces a whole set of complex challenges that SMEs are not fully grasping.Data protection is a critical challenge for SMEsSMEs seem to have a high degree of awareness of the data protection risks. Data loss,cyber attacks and related electronic theft/fraud are the top three technology-relatedrisks for UK SMEs, and they are all contributors to the data protection risk.However, there are still a huge number of UK SMEs that are not sufficiently aware ofthe importance of data protection, despite the now inescapable interconnectivity oftechnologies and technology risks. The survey found that between 16% and 25% ofrespondents do not recognise data loss, cyber attack and electronic theft or fraud aseither a major or some threat to their business – equating to between 760,000 and1.2m of the almost 4.8m SMEs in the UK. Some stark statistics should help to promptgreater interest.For example, Symantec has found an increasing level of cyber attacks directed at SMEs,with the number of attacks doubling in less than a year. They estimate that 36% of allattacks are targeted at SMEs. But according to Mr Epton, SMEs often do not considerthemselves to be of sufficient interest to cyber criminals, and because of this lack ofawareness they are even more vulnerable.Unlike big enterprises, SMEs do not have the resources to recover from loss of customerdata records, such as credit card information, financial or personal information, Mr Eptonpoints out. And for SMEs, the Information Commissioner’s Office (ICO) cap of £500,000for fines related to serious breaches of the Data Protection Act represents a crippling sum.Interconnectivity in data protectionAs businesses radically reform the way they communicate and share data – using cloudcomputing, linking an exploding number of personal devices to business systems andleveraging social media – they are exponentially increasing their exposure to externalthreats (both viral and cyber attack). Emergent trends could significantly compound thevulnerability points around data loss and cyber attack.The vulnerability of SMEs also creates risks for their customers. SMEs often have lowerbarriers to attack than large enterprises but, in many cases, they are connected to largeorganisations as suppliers and service providers – potentially putting all businesses inthe chain, as well as their end-customers, at risk.A multitude of major and very public PR (public relations) disasters linked to these risks havebrought home the catastrophic impact they can have. It would therefore be expectedthat data protection risk awareness would be high among SMEs of all sectors, given thattheir very survival is on the line. However, we see quite a range of views across sectors.Data protection risks:complex and interconnected
  13. 13. 13An expanding network of risk and opportunity:How UK SMEs are under-estimating the growing complexity of technologyData protectionrisks: complex andinterconnectedTable 8:How would you rate the following types of technology-related risks in terms of the threat to your business?Major threatsITservicesMedia,marketingorentertainmentProfessionalorfinancialservicesManufacturingBuilding&constructionservicesPropertymanagement&rentalOtherconsumerorbusinessservicesHotels,restaurants,cafes&pubsRetailinganddistributionMotortradesandtransportationData loss (1) 47% 44% 43% 36% 32% 32% 29% 27% 17% 9%Cyber attack(eg, virus or hacking) (2)49% 28% 31% 32% 25% 24% 28% 27% 17% 17%Electronic theft or fraud (6) 33% 9% 22% 24% 25% 28% 22% 23% 10% 13%Failure of Internet-basedservice (such as cloudcomputing) (4)30% 26% 18% 16% 18% 20% 18% 0% 8% 0%Social media reputationaldisaster (3)5% 13% 13% 10% 11% 16% 26% 9% 10% 9%IT exposure associatedwith teleworking/mobileworkforces (7)19% 7% 8% 4% 14% 8% 6% 5% 7% 0%Breach of regulations whiletrading/selling online(eg, non-compliantdistribution to foreigncountries via the web) (5)12% 2% 10% 18% 11% 12% 10% 5% 8% 13%Source: The Economist Intelligence Unit.Bandwidth and ‘data culture’ challenges for SMEsExperts agree that many SMEs simply do not have the expertise or IT awareness to coverall the technology bases (both opportunities and threats). A skills gap is a major challengefaced by SMEs, and experts cannot stress enough the benefits that they feel trustedadvisers can provide to help these businesses to manage risks.Getting staff up to speed is important. Human error is probably the largest data risk,and while most SMEs are strengthening provisions for devices, back-up and virusprotection (72%), or at least considering this (19%), skills training and policies are takinga back seat. Only 46% of SMEs have trained their staff and only 28% have reviewedsecurity policies, yet ensuring proper use of passwords and driving policies all the waythrough the organisation are both critical to security.
  14. 14. 14An expanding network of risk and opportunity:How UK SMEs are under-estimating the growing complexity of technologyData protectionrisks: complex andinterconnectedConsequently, despite the huge amount of resources some SMEs (particularly larger ones)are putting into technology risk management, human error is still a major vulnerabilitypoint. ‘Data culture’ – in an era of proliferating customer information, workforce mobilityand an ever-expanding number of networked devices – is perhaps emerging as the coredata protection challenge.One key to risk management in this area, according to Mr Epton, is password policies,and driving those policies all the way through the organisations. But no matter whattechnology-based security SME owners put in place, employees must always have a clearunderstanding and appreciation of data and technology risks, as well as the personalgovernance and compliance requirements that reflect this.Table 9:What steps, if any, is your business taking to respond to technological risk?Taken Considering Not considered Don’t knowStrengthen protection against computerviruses or hacking (eg, by keepingsoftware & anti-virus programmesup-to-date & having a wellconfigured firewall)72% 19% 6% 3%Strengthen provision for devices &data back-up63% 24% 9% 4%Restrict access to IT systems (eg, onlyallow trusted users to access systems& ensure strong passwords)54% 18% 23% 6%Train staff 46% 20% 26% 9%Improve physical security around servers& devices42% 24% 28% 6%Create &/or review our IT disasterrecovery plan29% 30% 35% 6%Create &/or review technology policies(eg, personal devices policy)28% 32% 32% 8%Hire technology specialists 23% 20% 49% 8%Take out technology risk insurance 12% 21% 60% 8%Other (please specify) 10% 18% 32% 40%Source: The Economist Intelligence Unit.
  15. 15. 15An expanding network of risk and opportunity:How UK SMEs are under-estimating the growing complexity of technologySMEs are more focussed on the benefits of emerging technologies than their risks.In this section we look at the top three emergent trends and the associated riskperceptions among UK SMEs now and into the future.Cloud risks – potentially under-appreciated and unknownSMEs are more focussed on the benefits of cloud-based services than their risks;compelled by the promise of flexibility, affordability and accessibility. Indeed, theadvantages of web-based software are so compelling that experts claim that it willsupplant the standalone desktop computer, and that ‘Software-as-a-Service’ (SaaS)3will be the new model for small business.“A cloud-managed back-up, for example, can reduce the total cost of ownership byup to 40%,” says Mr Porter. Larger SMEs now see the greatest potential benefit ofcloud computing as allowing for greater employee mobility and flexibility, accordingto a recent survey by IBM Mid-Markets. Critically, the technical expertise of web-basedservice providers often far exceeds what the SME has in-house or could afford.But while web-based services are generally considered secure, they could also besusceptible to browser exposure to malware, the increasing sophistication ofcyber-criminals and critical system failure (for instance, the failure of cloud servicesor an associated delivery network). Yet only 17% of SMEs even recognise failure ofcloud services as a ‘major threat’ to their businesses.Similarly low numbers (25%) of UK SMEs see the risks increasing in the years to come,while one-half feel that cloud risks have now stabilised; a surprisingly large number.Considering that the market is expected to grow at 20% per year and be worth £2bnby 2015, risks in this arena may be significantly undervalued by UK SMEs.The explosion of mobile working is opening SMEs to riskOnly a mere 8% of SMEs see IT exposure associated with teleworking/mobile workforcesas posing a major threat. This includes ‘bring your own device’ (BYOD), which, accordingto Mr Epton, is more prevalent among SMEs and may have the most dramatic futureimpact on the risk profile of SMEs. The interconnected risks linked to mobile computingand teleworking can extend well beyond the work environment, as the personal andprofessional use of devices increasingly merge.In Mr Epton’s experience, part of the risk management challenge for SMEs is simplyprioritising. “Until someone experiences some kind of situation, it is not top of mind,or a detriment to day-to-day business decisions,” he says.On the flip side, while a more healthy proportion (44%) see this as at least some threat,and almost one-third (30%) realise that this will be an increasing area of risk to theirbusiness in years to come, these figures are still alarmingly low overall.Against the fast-paced mobile backdrop, the explosion of a mobile-enabled marketplaceand the dramatic adoption curve of devices, better appreciating and managing the riskswill be vital.Emergent technology risks3SaaS (Software-as-a-Service), IaaS (Infrastructure-as-a-service) and PaaS (Platforms-as-a-Service).
  16. 16. 16An expanding network of risk and opportunity:How UK SMEs are under-estimating the growing complexity of technologyEmergenttechnology risksSMEs underestimating social media riskSMEs struggle to quantify reputational risk, but in today’s more unforgiving environment,customer confidence is business critical. Research by Symantec shows that 63% of SMEsuse social networks, but only 13% of EIU survey respondents feel that this poses a majorthreat to their business.SMEs seem to be undervaluing the nature and complexity of this emerging risk.A single case of disparaging commentary on social media platforms can have a powerfulamplifying effect, with real long-term financial business implications. The spread ofdigital misinformation owing to hyperconnectivity – called ‘digital wildfires’3– has beencited as a critical emerging risk by the World Economic Forum.But social media also exacerbates other technology-based vulnerabilities, such as cyberattack. Cyber criminals can extract many separate bits of information from social mediaplatforms and piece these together to attack SMEs.Less than one-half (46%) of SMEs see social media risks as increasing in the years tocome – a proportion more aligned with expectations than that seen with cloud andmobile trends.Table 10:Do you think the following types of technology-related risks are increasing,decreasing or stable?Increasing Stable Decreasing Don’t knowCyber attack (eg, virus or hacking) 59% 28% 7% 7%Electronic theft or fraud 54% 32% 7% 8%Social media reputational disaster 46% 35% 5% 14%Data loss 35% 45% 11% 9%IT exposure associated withteleworking/mobile workforces30% 43% 5% 22%Failure of Internet-based service(such as cloud computing)25% 50% 5% 20%Breach of regulations whiletrading/selling online(eg, non-compliant distributionto foreign countries via the web)25% 48% 5% 22%Source: The Economist Intelligence Unit.The World Economic Forum is anindependent international organizationcommitted to improving the state of theworld by engaging business, political,academic and other leaders of societyto shape global, regional and industryagendas. Its Global Risks Reportanalyses 50 global risks in terms ofimpact, likelihood and interconnections.
  17. 17. 17An expanding network of risk and opportunity:How UK SMEs are under-estimating the growing complexity of technologySMEs are not sufficiently connecting the dots with respect to technology risk.Technological vulnerabilities are amplified by interconnectivity. And although more thanone-half of SMEs believe that cyber attack and electronic theft/fraud are increasing(59% and 54%, respectively), it is alarming that only 35% of SMEs believe that dataloss – intimately connected to cyber attack and electronic theft – is an increasing threatin the years to come.The relationship between an expanding range of connected devices and workforcemobility is also not being fully connected to threats such as data loss. With regard todata governance, workforce behaviour (data culture) is one of the most challengingareas to address, yet less than one-half (46%) of SMEs are training staff and less thanone-third (30%) see IT exposure associated with teleworking or mobile workforces asincreasing going forward.Too many SMEs also are not fully considering the potential risks and opportunitiesin a technology-driven world. While many may be aware that today’s emerging SMEleaders grew up in a technology-enabled environment and that foreign firms arereaching UK markets through the Internet, their appreciation of the potential risksthis poses to traditional SME business models falls short.Small businesses also need to connect the dots between their IT security strategies– opting for anti-virus software or back-up and recovery plans – and link technologyrisk management to their overall business model and initiatives.Too many see the future of technology trends and risks to be more stable than therapidly-evolving landscape that the experts believe it is and will continue to be.All SMEs, especially those revealed by the survey to be rather not tech aware, needto re-evaluate quickly the possible risks – and opportunities – that technology presents,in order to become more resilient in the face of this shifting landscape.Connecting the dots on technology risks
  18. 18. 18An expanding network of risk and opportunity:How UK SMEs are under-estimating the growing complexity of technology
  19. 19. 19An expanding network of risk and opportunity:How UK SMEs are under-estimating the growing complexity of technology
  20. 20. Zurich Insurance plc is authorised by the Central Bank of Ireland and subject to limited regulationby the Financial Conduct Authority. Details about the extent of our regulation by the FinancialConduct Authority are available from us on request, FCA registration number 203093. These detailscan be checked on the FCA’s register by visiting their website www.fca.org.uk or by contactingthem on 0845 606 1234.135559A02(04/4/413)ZCA

×