By one recent analysis, three-fourths of all small and medium-sized businesses (“SMBs”) carry no cyber insurance. What’s more, in spite of the increased prevalence and awareness of hacking attacks, almost two-thirds of SMBs have no budget or resources for protecting against cyberattacks and more than one-fifth of SMBs do nothing to back up critical data. One conclusion from these statistics is that SMBs are ill-prepared to respond to a cyberattack even though they are increasingly exposed to significant financial losses from such an attack.
SMBs cite a number of common excuses for not preparing to protect against cyberattacks. Many SMBs believe that because of their small size, they are not appealing targets for hackers. Others mistakenly assume that their data is safely stored in the cloud, or that a hacking attack will be no worse than any other technical problem that can be managed internally. Still other SMBs feel that cyber insurance is an unnecessary expense or that cyber insurance will not cover losses from an attack.
These excuses are readily dismissed in view of the fact that more than half of all cyberattacks target SMBs. Hackers perceive SMBs to be appealing targets for a number of reasons.
Consider, for example, one of the more common current forms of a cyberattack, namely, ransomware. A hacker can insert a malicious piece of code into an SMB’s network that freezes all access to the SMB’s data and systems until the SMB pays a ransom to the hackers, usually on the order of tens of thousands of dollars. If the SMB fails to pay the ransom, the hacker threatens to delete all the data and information that it is holding hostage. SMBs are far more likely to pay this ransom than larger companies that are better able to recover lost data with sophisticated backup systems.
Further, a Verizon small business study suggested that employees are the single biggest threat to SMB security. SMBs that maintain a casual atmosphere with fewer security safeguards are more likely to have employees who unwittingly open attachments in emails from unknown sources, or who use personal computing devices and public Wi-Fi hotspots for remote access to an SMB’s network. Hackers use these propensities to insert keystroke trackers and other malicious software into the network, which then gives them access to a trove of data. An SMB might believe that it does not retain a large quantity of sensitive data, but information about the SMB’s customers, including names and billing addresses and banking information, will always have value to a hacker. Regardless of whether the SMB’s data is only a small sample, a crafty hacker can frequently use it as a stepping stone to access data and systems of large companies that do business with the SMB. Conversely, those big businesses often process or maintain data from SMBs, and when the big businesses themselves are hacked, the SMB data can be fully compromised.
Experts are almost universal in their recommendation that SMBs need cyber insurance. Enhanced internal network protections and cyberattack response teams may be able to control the damage from a cyberattack, but they cannot prevent the all-but-inevitable from happening. General liability insurance policies will not provide the coverage that dedicated cyber insurance policies from carriers such as CyberPolicy, Inc. can offer. A good cyber insurance policy can provide funds to help an SMB recover from direct losses, including compromised data files and damaged hardware.
Perhaps more significantly, cyber insurance can establish a fund to compensate third parties whose data might have been lost or compromised as a result of an attack on an SMB’s network. Cyber insurance can also help cover the costs of fines that might be levied if regulatory authorities determine that the SMB did not adequately protect third-party data and information that was entrusted to it. In almost every case, cyber insurance will be the best strategy to keep an SMB’s operations up and running while it recovers from a cyberattack.