Cyberattacks Hit 67 percent of Small Business

By Harry J. Lew

There's no better time than National Cybersecurity Awareness Month to consider your firm's cyber risks. But don’t just think about them... take appropriate defensive actions!

Cyber crime and accidental data breaches happen to small-and medium-sized businesses (SMBs) every day... with devastating results. It’s important to keep that in mind not only during October 2019’s National Cybersecurity Awareness Month, but also during every month of the year.

Also important is taking full advantage of third-party cybersecurity assistance, including comprehensive cyber liability and data breach insurance from Gallagher Affinity Insurance Services.

According to the Ponemon Institute report, “The 2018 State of Cybersecurity in Small and Medium Size Businesses,” 67 percent of small- to medium-sized (SMB) companies experienced a cyber attack in 2018, while 58 percent suffered a data breach. These results were up from 61 percent and 54 percent, respectively, in 2017. The Ponemon report was based on a survey of U.S. and U.K IT professionals in firms with 100 to 1,000 employees.

The fact that roughly two out of three SMBs suffered an attack or breach last year is alarming enough. But the financial impact of such incidents should put SMB owners—you—on high alert. The Ponemon study found that SMBs spent an average of $1.43 million to investigate and remediate cyber incidents in 2018, up 33 percent from $1.03 million in 2017. But those were just the direct costs of cyber hacks and breaches. Companies also suffered an additional $1.56 million in losses due to disruption of normal operations, representing a 25 percent increase from $1.21 million in 2017.

SMB Cyber Threats Mounting

The evidence of an SMB cyber crisis is everywhere. For instance:

• According to Ponemon, the average number of individual business records lost to cyber incidents in 2018 was 10,848, an increase from the average of 9,350 in the prior year’s study.
• The IT professionals surveyed said 2018 cyber attacks against their firms were more “targeted, severe, and sophisticated” than in the past (62 percent, 60 percent, and 59 percent, respectively).
• The report identified a surge of ransomware attacks; 61 percent of respondents said they’d experienced either a successful or unsuccessful ransom attempt within the last year or longer, up from 52 percent in 2017.
• More SMBs are making hacker ransom payments. The study found that 70 percent of SMBs paid ransoms in 2018 to unlock their data files (up from 60 percent in 2018) and that the average ransom payment was $1,466.
• The most common cause of a data breach was a negligent employee or contractor (60 percent, up from 54 percent in 2017). Hackers were the cause in 37 percent of the cases, up from 33 percent during the prior year.

Perhaps most alarming was this revelation: Only 40 percent of the survey respondents said their current cyber-defense technology was capable of identifying and blocking most cyber attacks. Even worse, 72 percent of SMBs have had incidents in which external attacks evaded their intrusion detection systems. And 82 percent had instances of anti-virus applications failing to block malware.

Despite mounting threats against SMBs, the Ponemon report revealed firms’ defensive efforts hamstrung by lack of personnel to mitigate cyber risks (74 percent), lack of money (55 percent), and lack of knowledge about how to mount an effective defense (47 percent).

Do we have your attention yet? Let’s hope so, because SMB cyber threats are mounting. According to the Better Business Bureau (BBB) study, 2017 State of Cybersecurity Among Small Businesses in North America, only 35 percent of small businesses would stay profitable for more than three months if they lost access to their key data. Fifty-three percent would start losing money within a month, suggesting cyber attacks pose an existential threat to America’s SMBs. The U.S. National Cyber Security Alliance confirms this bleak assessment, warning that 60 percent of small businesses that experience a cyber attack fail within six months.

As if this data weren’t alarming enough, another study further explodes the myth that small businesses are immune from cyber attacks and data breaches. The Verizon 2019 Data Breach Investigations Report found that 43 percent of all cyber attacks target small firms, the largest share of all attacks in the report.

Most hacks (69 percent) were the handiwork of outsiders, Verizon discovered, including organized crime groups (39 percent) and state-affiliated actors (23 percent). But small businesses weren’t immune from insider attacks, which accounted for 34 percent of all incidents.

A Double-Barreled Defense

With cyber threats coming from all quarters, what should you do as a SMB owner? Adopt effective security technologies and implement best practices. The Ponemon report revealed the technology defenses most commonly used:

• Anti-malware applications
• Client firewalls
• Intrusion detection and prevention
• VPN and other secure web gateways
• Password protection and management
• Automated path management systems

Ponemon also identified 115 companies in its sample that were high performers—i.e., more successful at preventing cyber incidents than the overall sample. Here are some of the best practices that set them apart:

• They tended to have higher budgets and more knowledgeable in-house experts. Fifty-one percent of the successful firms described their cybersecurity budgets as adequate, compared with 37 percent of the total sample.
• 51 percent of the successful firms said they had adequate in-house expertise compared with 41 percent of firms overall.
• Another key differentiator between high and low performers was the use of strong passwords and/or biometrics. According to Ponemon, 71 percent of the former said strong passwords and/or biometrics were a pillar of their company’s cybersecurity. Sixty-two percent of respondents in the overall sample agreed with that statement.
• High performers were more likely to have an incident response plan (85 percent vs. 60 percent overall) and employee password policies (60 percent vs. 40 percent). They also were most likely to believe mobile devices were vulnerable entry points for hackers (62 percent vs. 55 percent).
• High-performing firms also had more effective anti-virus capabilities and intrusion detection systems. In the former case, 68 percent of the more secure firms reported cases of malware defeating their anti-virus software, and 59 percent had exploits evading their intrusion detection systems. The low-performing companies saw their anti-virus and intrusion detection systems defeated 82 percent and 72 percent of the time, respectively.
• But where the rubber meets the road for high-performing SMBs is their ability to prevent cyber incidents and to reduce their financial impact when they do occur. According to the Ponemon report, 56 percent of the high performers reported having a cyber attack in the past year, whereas 67 percent of the lower-performing firms said they’d had one.

Not surprisingly, Ponemon found that firms with more effective cybersecurity measures had substantially lower financial impacts from cyber incidents, posting lower numbers for each of the three key financial metrics:

• Cost from disruption to normal operations: $1.05 million vs. $1.56 million
• Cost from damage or theft of IT assets and infrastructure: $1.09 million vs. $1.42 million
• Cost per attack: $294,900 vs. $383,365

Action needed now

Numbers like these suggest that job one for SMB owners is to acknowledge their business faces immense cyber risks and to take defensive action. “No matter your size and no matter what amount of data you maintain, your customer and employee data can be targeted, and it must be protected,” says Scott Reid, National Director of Cyber Insurance for Gallagher Affinity Insurance Services. “This is no longer something SMB owners can ignore; it’s a fundamental part of managing and growing a successful business.”

The second step, Reid says, is to secure an independent, third-party risk assessment. This will help your business identify potential cyber threats and uncover areas in which your firm is out of compliance with state, federal, and industry information security standards. The result of this analysis: protocols for your firm to establish and to maintain proper security measures at all times.

If you lack the budget to hire a cybersecurity expert, another option is to manage your own cybersecurity under the guidance of a highly knowledgeable expert. This allows you to greatly reduce your cyber-defense outlay. How is this possible? By working with our cybersecurity partner, INVISUS, a leading provider of computer repair and security services for SMB companies.

Reid also suggests SMBs create a well thought out information security plan, which should include all the policies and procedures needed to prevent data breaches and hacks and to ensure data security compliance. Equally important is having a breach-response plan to help you deal with the aftermath of a cyber incident. This will allow you to quickly assess the event, contain losses, and notify all affected parties. It will also prepare you to pay for other damages and regulatory fines related to the breach.

Finally, Reid strongly advises SMB owners to consider purchasing cyber liability and data breach insurance. This relatively new form of insurance protects SMBs against the high costs of a cyber attack or insider (or vendor) breach. It helps you avoid costly fines and penalties that often ensue from an incident. Cyber insurance will not only protect you against a data breach or attack, it will help you to survive one.

Cyber insurance is designed to cover both first-party and third party costs. In the former category are things like:

• Replacing or repairing affected computer hardware or software.
• Conducting a forensics examination to determine exactly what happened.
• Notifying affected customers as required by state breach-notification laws.
• Providing funds to pay extortion demands.
• Providing cash to keep a restaurant afloat during a cyber-generated business interruption.
• Conducting a marketing/PR campaign to minimize customer defections.

While the prior costs result from losses your SMB experiences, third-party costs relate to losses other entities suffer from your breach. These include:

• Payment of legal judgments or settlements arising from the theft of their data from your computers.
• Regulatory fines and penalties after a breach.
• Judgments or settlements relating to you infringing copyright or libeling a third party.
• Attorney fees.

We provide this coverage and more to SMB firms nationwide via numerous affinity group relationships. Its cyber insurance policy is comprehensive, yet affordable, and is easily accessed via customized online portals.

The “more” refers to our worldwide network of cyber and data-breach experts, privacy lawyers, and technical specialists who can help you prevent incidents or respond to them. If your SMB suffers a data breach or hack, through your policy you will have immediate access—either onsite or online—to the technical experts you need for incident response and remediation.

In conclusion, There's no better time than National Cybersecurity Awareness Month to consider your firm's cyber risks. But don’t just think about them . . . take strong steps to defend yourself against them. And start doing this tomorrow—not next week, month, or year!

For more information about cyber liability and data breach insurance, go here.