When ransomware attacks hit government agencies, or data breaches cost multinational corporations millions of dollars, people might wrongly conclude only large organizations need Cyber Liability Insurance. But Cyber Insurance for small businesses is critically important, too.
As of late 2019, 43% of cyber attacks targeted small businesses. That percentage all but certainly rose with the onset of the COVID-19 pandemic and its accompanying rise in remote work. Consider:
- In 2021, 82% of ransomware attacks affected organizations with fewer than 1,000 employees, according to Coveware.
- In 2020-21, small-business data breaches rose 152%, according to RiskRecon.
- In 2022, Barracuda reported employees of businesses with fewer than 100 staffers see 350% more social engineering attacks than employees at larger enterprises.
We at ProWriters know cyber security isn’t always at the top of small-business owners’ minds. Day-to-day concerns of marketing goods and services, fulfilling orders, and making payroll may seem more pressing.
But cyber criminals target businesses of all sizes—and smaller businesses tend to suffer from the fallout the most.
As a broker serving your clients’ best interests, part of your job is making the case for not only better small-business cyber security but also robust small-business Cyber Insurance. Here’s some information to help you.
Why Small Businesses Often Run Big Cyber Risks
A small-business owner might assume their company’s size works to their advantage in avoiding cyber incidents.
The truth is, small businesses’ size makes them all the more tempting. Why?
- Small-business cyber security often goes neglected.
As mentioned, the daily grind may lead business owners and employees to pay less attention to cyber security. When they do think about it, they may overestimate their ability to handle a cyber attack. A CNBC/Momentive survey in 2021 found only 28% of respondents had a cyber incident response plan. Only 26% carried Cyber Insurance for small businesses.
- Small-business cyber security is generally unsophisticated.
Some cyber security best practices can be expensive. For instance, small businesses may not be able to hire dedicated IT teams. But many inexpensive and readily available cyber security controls go underutilized. For example, only 38% of enterprises reported using multifactor authentication (MFA) in 2021, although 78% of consumers do.
- Small-business cyber security can unwittingly help criminals hit bigger targets.
By hacking a small business’s computer system, criminals can gain a foothold into one or more larger businesses. One of the most dramatic examples remains the 2013 Target data breach. Hackers used credentials stolen from one of Target’s contractors to push malware to point-of-sale devices. Any small business without adequate cyber security could become the first step in such a supply chain attack.
Potential Costs of Small Business Cyber Security Incidents
When cyber attacks hit big businesses, expensive problems can result, but the company may be able to absorb the costs.
Smaller businesses are often not as fortunate. On average, a cyber attack can cost them anywhere from $120,000 to $1.24 million. Whatever the final price tag, it will represent a bigger threat to a small business’s revenue and viability.
Costs associated with a cyber incident are many and mount up quickly:
- Ransomware payments made to quickly release encrypted data or computer systems
- Financial loss due to social engineering (criminals tricking targets into sharing security credentials or transferring money)
- Forensic IT costs to determine the cause and extent of a data breach
- Lost income due to business interruption
- Cost of notifying third parties and providing credit monitoring or other compensation to affected individuals
- Public relations campaigns and losses due to the business’s damaged reputation
- Legal fees and court judgments
In 2019 alone, 37% of small businesses affected by a data breach suffered a financial loss, 25% filed for bankruptcy, and 10% went out of business.
The cost of healthy cyber security pales in comparison to the cost of recovering from a cyber attack—should recovery be possible.
What Small Businesses Should Do When Cyber Criminals Strike
If your small-business client is one of the few that have a cyber incident response plan, they should execute it as soon as they know a cyber attack has occurred.
Here are some actions all businesses should take:
- Contain the breach as far as possible.
Small businesses can disconnect from the internet, disable remote settings, change all passwords, and install any pending software patches or updates. Such measures won’t undo the attack but might help mitigate its damage.
- Determine the source and extent of the attack.
Forensic IT specialists can discover exactly how a cyber incident occurred and exactly how much data attackers viewed, accessed, or exfiltrated. This information is necessary for knowing what weaknesses need strengthening, determining the business’s liability, and returning to normal operations rapidly.
- Inform staff and clients.
Keeping a data breach secret is unethical and illegal. Anyone with personal or sensitive information in the business’s system—phone numbers and addresses, Social Security numbers, bank account and credit card information, and more—needs to know about the breach so they can take action to protect their identity.
- Update existing cyber security defenses and test new ones.
Once updated or new security measures are in place, an IT professional should attempt to replicate the cyber attack’s method to ensure it cannot be used again. Further penetration testing can identify any remaining computer system vulnerabilities needing remediation.
- Notify government authorities and consult with legal counsel.
Small businesses should report cyber crimes to local and state law enforcement agencies and to the Internet Crime Complaint Center. Report fraud to the Federal Trade Commission, and computer or network vulnerabilities to the Cybersecurity & Infrastructure Security Agency. In addition, businesses must talk with their own lawyers about the legal response to the incident.
Easily Find the Cyber Liability Coverage Your Clients Need
Obtaining Cyber Insurance for small businesses is one of the most powerful proactive things your clients can do to protect themselves from cyber attacks’ consequences.
Despite some small-business owners’ assumptions, General Liability Insurance and other usual types of business insurance typically don’t cover the costs associated with a cyber incident. But a strong Cyber Insurance policy provides both first-party and third-party coverage to the insured.
ProWriters makes researching and preparing Cyber Insurance quotes for your small-business clients easier than ever.
Registered ProWriters brokers use our proprietary Cyber IQ Comparative Rate platform. It generates multiple quotes from leading insurance companies for side-by-side comparison in a matter of minutes. You’re sure to find the policy your client needs, and at a competitive rate.
Start taking advantage of the way we’ve streamlined finding and selling small-business Cyber Insurance. Register as a ProWriters broker today.