Cyber Risks – The Current Surge in Attacks on Small Business and How to Reduce Their Impact

Stephen Watson, Account Executive
Often risk advisors will hear their clients say, “My company will never get attacked. I’m just a small fish in the big sea of potential targets.” However, according to the International Risk Management Institute, small businesses are specifically targeted by cyber thieves because sensitive information kept by small business is much easier to obtain due to the lack of sophisticated security measures, compared with larger firms. All businesses are at risk of attack no matter what their size or industry may be, although some industries are more prone to attacks than others due to the type of data they maintain. The purpose of this article is to inform small business about cybercrime, the common trends of today’s hackers, and several best practices that should be implemented in cyber risk mitigation.

Any illegal activity that involves a computer and a network is considered a cybercrime. The primary risk involved with a company’s cyber footprint is a loss that occurs when there is a data breach on a targeted system. These breaches can impact an organization’s reputation, its ability to operate efficiently, its status with regulatory authorities, its trade secrets and intellectual property, and its financial status. IBM reported that in 2016 the average cost for each lost or stolen record was $158, and the total cost of a data breach grew to $4 million. Today’s cybercriminals do not need to have a high level of expertise. Stolen credentials, hacking tools, data dumps, etc. are available online to anyone with a small amount of money to invest and the ability to complete a Google search for such tools.

The most common trend of hackers today is phishing. Phishing relies on human error.  It occurs when hackers send emails to the masses with the hope that more than one person will click on the link in the email.  Once clicked, the hacker’s code can implement malware, ransomware, DDoS (a botnet flooding the targeted system with traffic), or a multitude of other detrimental viruses.  This method of infiltration is easier than hacking a system through the firewalls many organizations have in place because the mechanical system is bypassed and the human nature of curiosity or ignorance is exploited.   According to the 2016 Symantec Internet Security Threat Report, one million new cyber threats are released every day!

With all of these threats against today’s businesses, best practices in cyber risk must be implemented. A well-thought-out cyber risk mitigation plan should address three areas: strong internal policies and procedures; internal or external system monitoring, detection and remediation; and the purchase of cyber liability insurance coverage.

The primary way to mitigate cyber-attacks is to have proper policies, procedures, and regular awareness training in place for all members of an organization. The next step in a cyber risk mitigation plan is proper monitoring. The best way for small businesses to accomplish this is to hire a third-party cyber security company to monitor, detect, and remediate the organization’s network 24/7. These experts actively analyze attacker behavior patterns and methodologies and create solutions to minimize the risks to the company. They also perform penetration testing on the system to see whether any employees will click a link and to detect whether they have failed to update their systems properly. If they do click the link, then the company should use it as a training tool to educate their team to prevent further successful attacks on the business.

The final step in a strong cyber mitigation program is to purchase a Cyber Liability Policy. Cyber policies were first brought to the market in 1997 by an AIG agent, Steve Haase. Cyber policies have transitioned from first covering only third-party suits arising from breaches initiated from an external source, to now covering both first- and third-party claims. First-party claims cover the direct costs of responding to a privacy breach and/or security failure. Third-party claims result when others make claims against the business and/or when the business must meet regulators’ demands. Each Cyber Policy can differ from one carrier to another. It is important to seek advice from one’s risk advisor, as they can give insight on what is covered or not covered.

There’s no better time than right now to discuss with a skilled risk advisor the most current trends in cybercrime, the current methods of hackers, and the benefits of implementing cyber risk mitigation best practices. Protecting the organization is essential, and the cost of a security breach is always higher than the cost of protection. A Cyber Policy provides the insured with one more important layer of protection in battling this ever-increasing risk. It’s not a matter of ‘IF’ but it’s a matter of ‘WHEN’ a business will be under cyber-attack.

For additional information on this topic, please refer to the following articles by my colleagues:

Cyber Liability: What It Covers and Why You May Need It by Kelly Potter

Cyber Liability – What is it and is My Company at Risk? by Preston Cavignac