SMEs and cyber insurance article for DIGIT.FYI.
The world of cyber hackers can sometimes feel like an episode of Scooby Doo.
Readers of a certain vintage might remember Scooby, Scrappy and pals being chased in and out of a series of doors in a corridor. The pursuer never quite caught his quarry and the fleeing gang never managed to completely outrun the baddie.
The reality of our modern world is that every time we close a door to cyber-attack, another one is forced open by determined and well-resourced criminals and state actors. Unfortunately, quite often the cyber bogeyman in the mask is pretty adept at ensnaring even the most diligent targets.
It’s usually the big companies who make the headlines when they fall victim to a cyber attack, so you could be forgiven for thinking it’s only huge global organisations who have to worry about this. But that’s not the case. The Scottish economy is primarily made up of small businesses (49 employees or fewer); 334,505 of them, to be exact, making up 98.2% of the private businesses in Scotland. Medium-sized businesses – those with between 50 and 249 employees – number another 3,880. The potential exposure of this is enormous.
It’s these businesses, by nature of their numbers, who most commonly succumb to an attack. They’re also less likely than larger companies to have extremely well-established IT security in place.
SMEs, particularly the smaller companies, don’t always have the resources, time or capacity to build a properly robust cyber security defence.
And these organisations – the backbone of the Scottish economy – are increasingly coming under attack online.
Earlier this year, the insurer Hiscox released its annual Cyber Readiness Report, a global review of cyber-attack experiences, drawn from a survey of more than 5000 companies across eight countries.
It found that businesses with 10 or fewer employees reported an increase of 36% in the number of attacks over the last three years. Fraudulent emails are still attackers’ weapon of choice. More than half of all firms surveyed said they’ve been attacked at least once in the last year; the median cost of this was down slightly to about £12,500.
Having said that, Sky Business reported in June of this year that SMEs which are yet to experience a cyber-attack underestimate the financial impact by £85,000. Interestingly, the same research showed that one in five businesses which haven’t experienced a cyber-attack don’t think it would force them to close temporarily. Of those which had already experienced a breach, 100% of them said a closure would be necessary for any future attacks.
Then there’s the impact of AI. DIGIT.FYI reported recently that more than half of chief information security officers (CISOs) don’t think their security teams are prepared for AI-powered threats.
Every business is different, of course, and survey data only tells you part of the story. I think what we can safely assume, though, is every company would prefer to avoid a cyber-attack and the subsequent loss of customer data, confidence and income.
So what’s a small business owner to do? Facing challenges of growth, recruitment, stiff competition, and many others besides, the additional demands of cyber defence could seem like a bridge too far.
This isn’t the part where I tell you that a proper insurance policy is a must. There are other things you need to address first – that cyber defence, for starters.
No insurer is going to want to touch you without it. Having proper insurance in place means you can get a head start on getting back to normal. Most policies will offer you some kind of triage system, whereby you can access IT security, forensic, legal and even PR support to help you respond quickly to and manage the impact of suspected attacks or incidents before they get out of hand.
But none of this matters if you don’t have your security sorted in the first place. That doesn’t mean you need to have the IT equivalent of a tank division, bristling with ordnance and weaponry.
Part of the issue for SMEs is in the brain-addling scale of security options out there. Speak to a reputable security expert who’ll advise you on what you really need – this doesn’t need to be an all-or-nothing question. Putting in place appropriate, considered security measures which meet the most likely threats to your business is a plenty good enough place to start for most insurers.
The important thing is to look at your business and take a sensible view on where your main risks lie, and what else you need to do to mitigate those. It’s exactly the same principle as ensuring your property is adequately protected against fire or theft, or managing your fleet risk by providing driver training and well-maintained vehicles.
But while risk management isn’t sexy, the fact is that cyber risk is growing and SMEs are every bit as exposed as the big-name victims which hit the headlines so regularly. Prevention is better than cure, as the saying goes, and a robust security posture will do more for your business than trying to find cover for a cyber risk that isn’t being properly managed.
Want to learn more? Get in touch with Team B. Email client manager, Stephen.Randall@blackfordinsurance.com.
You may also find ‘Digital Defenders: how and when to get cyber insurance’ of interest. This short paper aims to remove the gobbledygook and to simplify some of the complexities surrounding cyber liability.