Some of the biggest decisions that company CEOs have to make are decisions relating to the cost of doing business.

We have all heard the term "cutting the fat". I am not suggesting that this is a poor approach to have; I am merely pointing out that there is a difference between cutting the fat and having the company exist on the bones of its ass.

There are certain costs that I feel a company cannot ignore. In a world that is being increasingly influenced by technology, spending money on cyber insurance is definitely beneficial to a company, no matter its size.

Time to wake up

A recent article pointed out that it is unrealistic to think that we can put an end to cyberattacks, so it becomes necessary for companies to take strategic action themselves, get off the side-lines and invest in solutions that will protect them if the inevitable occurs.

Of course, for many organisations, cybersecurity represents a cost – technological, human, or organisational – and that means that investment is all too often put on the back burner. The article points out that according to recent research by the Ponemon Institute, less than 41% of UK organisations believe they have the right security technologies to adequately protect information assets and IT infrastructure.

The article adds that inevitably, implementing security safeguards does come at a price. But in the same way that we take out insurance to protect ourselves against risks to our property, we should be mitigating the risks to our businesses from cyber criminals.

The most effective way to do this is by positioning cybersecurity as a strategic area of governance in which the technological and organisational effects of an attack are taken into consideration and given priority.

Large or small, protection is needed

For a lot of companies, spending money on a cyber policy is a cost that they simply cannot validate, especially if the company is small or medium sized.

However, cyber criminals are not targeting large corporations; they are going after small and medium sized companies because they know that the likelihood of them having cyber insurance is low. A recent article points out the importance of this type of insurance, especially when it comes to smaller companies.

The article points out that a significant portion of small businesses (SMBs) may not even know they have been a cyberattack victim due to a lack of understanding as to what constitutes a cyberattack. This is according to new research from insurance firm Nationwide.

The article points out that Nationwide recently published the results of a survey of 1 069 US businesses with between one and 299 employees to understand how small firms are addressing the widespread, complex threat of cyberattacks. But the survey, now in its third year, has also uncovered a significant gap in the understanding of what can be considered a cyberattack in the first place.

According to researchers, only 13% of small businesses said they have experienced any form of cybercrime.

But when small business owners were shown a list of different types of cyberattacks, the percentage of firms that said they had fallen victim to one of these tactics spiked to 58%. According to Nationwide, the data reveals “a 45% gap and lack of understanding about what constitutes an actual attack.”

The article points out that computer viruses were the most commonly cited form of attack, with 36% of small businesses saying they have been hit by this type of threat. Nearly a third said they had fallen victim to a phishing attack, while more than 10% each said they were the victim of a Trojan horse or a hacking incident.

Higher costs

Businesses could face a much higher bill than they expect or are prepared for after falling victim to a cyber-attack, according to research from Lloyd’s in association with KPMG and legal firm DAC Beachcroft.

A recent article points out that as businesses increasingly become the target of sophisticated hacking attacks, they need to properly prepare themselves or face a hefty bill, including slow burn costs such as reputational damage, litigation and loss of competitive edge, said the report titled "Closing the gap – insuring your business against evolving cyber threats".

The report looks at the nature of the current cyber risk landscape as well as top threats by industry sector.

The article points out that the research identifies ransomware – such as the WannaCry worldwide ransomware attack last month and the latest attack this week – as a rapidly increasing threat, together with distributed denial-of-service attacks and “CEO fraud” where cyber criminals pose as senior executives in order to access sensitive information.

The analysis also said that financial services firms are the most targeted by organized cyber crime, but that retail is also increasingly being targeted.

“The reputational fallout from a cyber breach is what kills modern businesses. And in a world where the threat from cyber-crime is when, not if, the idea of simply hoping it won’t happen to you, isn’t tenable,” said Inga Beale, CEO of Lloyd’s of London. “To protect themselves businesses should spend time understanding what specific threats they may be exposed to and speak to experts who can help handle a breach, minimize reputational harm and arrange cyber insurance to ensure that the risks are adequately covered,” she said.

She added that by reacting swiftly to mitigate the impact of a cyber breach once it has occurred, companies will be able to minimize the immediate costs and their exposure to subsequent slow burn costs.

“Cyber risk has moved up in the business agenda and businesses are taking measures to prepare themselves,” said Matthew Martindale, Director in KPMG’s cyber security practice.

“However, they are failing to factor in the long-term damage that a breach can cause and the cost implications of it,” Martindale emphasized. “Dealing with things like reputational issues and litigation in the aftermath of a breach, can add substantial costs to the overall loss. Businesses really need to start thinking about the cyber risk holistically rather than one that is currently very short sighted.”

Whatever the case, cyber insurance should never be seen as a business cost that cannot be validated.