Many small business owners believe that hackers prefer to prey on big business. After all, the big hacks are the ones you hear about the most, especially when they involve plenty of money or huge data breaches. But don't let those splashy news stories fool you – small businesses are far from immune to these crimes. In fact, they're now the principal target of fraudsters.
According to the 2016 State of SMB Cybersecurity report, breaches occurred in half of the 28 million small businesses in the United States. This isn't because small businesses are holding particularly attractive assets; it's because they're often easy targets without the resources for dedicated IT personnel or proper training. Consequently they’re more susceptible to phishing, email malware, cyber ransom, and e-commerce attacks, which continue to increase.
According to a study by PricewaterhouseCoopers, the number of security incidents across all industries is at its highest in ten years. What was once the sole responsibility of IT professionals is now an important consideration for every small business owner.
Despite the obvious threat, a March 2017 Manta poll found that 87% of small business owners felt their company was not at risk of a cyber attack. Nonetheless, Symantec’s April 2017 Security Threat Report states that thieves stole more than 1.1 billion identities in data breaches in 2016 – almost double the number stolen in 2015. Clearly, cyber crime continues to increase as thieves organize and target more and more small businesses.
The problem is so rampant that the Main Street Cybersecurity Act of 2017 (currently under review in the Senate) specifically addresses the need for “industry-led guidelines and procedures to cost-effectively reduce cyber risks to critical infrastructure”.
Recent Petya ransomware attacks show that every business, but especially small businesses, faces the risk of malicious cyberattacks. Cyber criminals constantly develop new threats and have more ways to access data.
Social media is now an important part of many small businesses, but few companies establish best practices. Employees and contractors can intentionally or unintentionally leak data, infringe on copyrights, or post defamatory statements.
Mobile use is also growing exponentially and small businesses often rely on devices such as laptops, smartphones, and tablets to conduct their operations. Lost, stolen, or infected portable devices increase the risk of data loss.
According to the Nokia Threat Intelligence Report, malware infections increased 96% from 2015 to 2016, primarily on Android phones. The Kaspersky Lab Malware Report also found that mobile ransomware rose more than 250 percent during the first few months of 2017.
Public Wi-Fi; weak, repetitive, or non-existent passwords; outdated software; and devices without antivirus protection are open doors for cyber thieves.
Complex Legal Obligations
As of April 2017, all states except Alabama and South Dakota have legislation requiring private entities to notify affected parties of security breaches involving personal information.
This legislation describes what constitutes “personal information,” who you must notify and when, and any exemptions within the state. Notifications may include contacting customers, suppliers, and third parties affected by data loss. Most companies do this voluntarily to salvage their reputation and brand, but it is a painstakingly long and involved process.
Serious Reputational Damage
Data breaches also cause serious reputational damage. Recovery from a breach may require hiring more staff to field calls, employing a PR company, establishing best practices and training employees, and more.
A cyber incursion also impacts your profits when you need capital the most. Consequently, small businesses are very vulnerable to cyberattacks without layered protection.
Major Financial Impact
Statistics from the National Cybersecurity Alliance show cyberattacks are so financially catastrophic for small businesses that 60 percent of them close following an attack.
According to Ponemon Institute’s 2017 Cost of Data Breach Study, breach costs hit a record high in the United States this year. The average cost is now $225 per compromised record, including the cost of greater than normal customer loss, new technologies, and legal fees. The post-hack costs for forensic and investigative activities, audits, crisis management, and communication with customers also reached all-time highs.
The First Market Data Insight report states that the average cost for a small business breach is $37k.
Cyber Liability Protection
So, with all this on the line, what can a small business owner do? Proper cyber protection is your first line of defense, and solid insurance coverage is your second. Standard business liability policies do not include cyber liability and will, therefore, provide inadequate coverage in the event of a breach.
Cyber liability insurance can cover losses from a data breach when a criminal accesses your customer, supplier, or third-party sensitive data through your business. It can also protect your business from the costs of claims arising from social media liability as well as those associated with an infected, lost, or stolen device. It may also cover the costs associated with notifying those affected, even if your state does not require it by law.
Cyber liability insurance might also include the cost of defending claims, credit monitoring services, penalties and fines, and losses related to customer identity theft. Liability coverage can also include compensation for lost funds transfers, loss or destruction of data, business interruption, extortion, and fraud (see An Introduction to Cyber Insurance for Businesses to learn more).
Internet-driven business is here to stay, and small businesses face more risk than big corporations. Data is often one of your company’s most valuable assets. Cyber liability insurance, then, is a reasonable precaution to ensure business continuity, customer retention, and peace of mind.