Small business. Big cybersecurity risks. We’re continuing to see cyber threats impacting growing companies at an alarming rate. Forty-six percent of all cyber-attacks now affect businesses with less than 1,000 employees, according to Verizon’s Data Breach Investigations Report. Combined with the startling IBM report that noted 60 percent of those businesses close their doors within six months of an attack, we know that cyber is a winner-takes-all kind of risk. Yet, many small businesses do little or nothing to protect themselves with cyber insurance.
If that’s you, I have a plan.
Why are small businesses big targets?
It’s helpful to understand the reality behind the statistics. Small and medium-sized businesses are a popular target because they tend to have poor cybersecurity compared to their larger counterparts. Many attackers want money, so small businesses are more likely to pay to recover. Others want access to data – and small businesses have that, plus access to larger partners and vendors.
Many small business owners think they are flying under the radar and are too small to be targeted, but phishing schemes and ransomware are crimes of opportunity and even a few hundred dollars of ransom is profitable for cybercriminals.
The case for cyber insurance
With new, next-gen attacks using artificial intelligence technologies to study and replicate human behavior for sophisticated phishing schemes, businesses of every size are being compelled to protect their company, employees, and data. And a natural starting place for many small-to-medium businesses is cyber insurance.
Cyber liability insurance protects the business from the high costs associated with recovering from a data breach or malware attack at a relatively low price point. Recovery costs may include ransom payments. But, also the technical resources needed to recover lost data and restore system access, communication with stakeholders, lost productivity due to the breach, and reputational damage.
While insurance can make the difference between closing your doors and surviving a cyber-attack, it isn’t a complete solution.
The one issue with cyber insurance
Cyber insurance may help your business recover from an attack. But it does little to fight off attackers in the first place.
Today, most insurance policies require basic cyber hygiene to qualify for coverage, such as having practices and plans to keep sensitive data organized, safe, and secure, with more advanced security helping to lower rates. Companies are allowed to self-attest their cyber protection. But, insurance companies are beginning to ask for objective evidence that controls are being met if marked implemented on a questionnaire.
A recent article from Insurance Journal explains how one insurance company refused to pay out the policy after it determine that the company filing the claim didn’t actually follow its cybersecurity plans, allowing an attack to happen.
A complete solution for companies of any size includes cyber insurance, cybersecurity protection, and employee training.
A three-step plan
Anyone running a business knows there are certain operational requirements. Cybersecurity now joins traditional tasks like running payroll, obtaining Internet access, and purchasing office supplies. Developing and maintaining comprehensive cybersecurity practices is a must for any company that has customers, data, or employees. In other words, every company.
Because small business owners tend to wear many hats and involve themselves in core business activities, they often view cybersecurity as a challenge. But it doesn’t have to be.
I’ve outlined a three-step plan for small businesses to establish a cybersecurity baseline and prepare for cybersecurity insurance coverage.
Step 1: Assess your cybersecurity posture.
Start by making a list of all hardware, software, and online applications your business uses. Analyze the list for security vulnerabilities. That might include how you dispose of old and unused equipment or how often you install software updates. It could also include what password guidelines are used and how often you back up data. Additionally, whether employees connect to work systems remotely.
Step 2: Create a basic cyber hygiene policy.
With insights from your assessment, write out a set of practices (the rules, procedures, personnel, and schedules) to maintain good cyber hygiene. Minimally it should include:
- Passwords: Complex passwords, changed regularly
- Software updates: Updating all software you use regularly and installing security patches when released
- Hardware updates: Computers, smartphones, and other mobile devices need firmware updated regularly
- Management of new installs: Anything new that connects to your systems or internet access needs documented and installed properly. Employees should not download apps or connect to new accounts without permission
- Limit users: Only those who need admin-level access to programs should have access
- Back up of data: All data needs backed up to a secondary source (such as a hard drive or cloud storage) to ensure its safety in the event of a breach or ransom.
- A cybersecurity framework. Select a framework used by your industry or available from the U.S. government, like the NIST cybersecurity framework, to guide more advanced security standards. Even if you aren’t fully compliant with all guidelines right away, these frameworks can help you focus your plans and security investments.
Step 3: Do your insurance homework.
All cyber insurance policies are not created equal. Compare rates and coverage and ask about factors that lower rates. You may be able to get a lower insurance rate simply by switching on multi-factor authentication for your email accounts. Or completing online training classes! So, look for policies with valuable benefits. Like cyber investigators helping during an attack or legal aid to determine your liability to customers and vendors.
Cybersecurity is for every business, and cyber liability insurance has quickly become an important part of protecting the country’s small businesses. While the threats will continue to be challenging, preparing your business to face them is feasible with sound cyber hygiene practices.