Malicious hacking is a growing problem costing small businesses lots of time and thousands of dollars. Find out if you're covered.
Data breaches and hacked accounts are big problems associated with big companies like Yahoo, Home Depot and Target because those are the cases that get media attention. Small businesses, however, are not immune.
A 2015 study by the independent research organization Ponemon Institute and IBM found companies with fewer than 10,000 records are more likely to be hacked than those with more than 100,000 records, probably because smaller businesses are viewed as easy marks, with less-sophisticated cyber security technology. A Fortune 500 company has more resources to shore up firewalls than a mom-and-pop shop, and thieves are opportunists if nothing else.
How are small businesses being hacked? In a 2016 Internet Security Threat Report, cyber security company Symantec says businesses with 250 or fewer employees are often recipients of fraudulent emails whose senders aim to steal financial information. Known as phishing, this practice targeted small businesses 43 percent of the time in 2015 — a 9 percent increase over 2014. The report notes that in 2011 only 18 percent of attacks focused on small businesses, so it’s clear how fast the risk is growing.
Symantec also reports about 1 in 40 small businesses are at risk of being the victim of a cyber crime. Within a targeted business, hackers will go after the email of employees with access to company finances. A malicious email opened by an employee who pays vendors or processes payroll, for example, could put financial information at risk, allowing hackers access to funds as well as personal employee, vendor and client information.
Criminals can use hacked information to remove money from bank accounts through wire transfers, steal customers’ identity information, file for fraudulent tax refunds, or commit health insurance fraud. Cyber crooks can even use one small business’ website to hack other small businesses.
Adding to the bad news, ransomware attacks are also increasing. This type of malware is used to freeze data or an entire computer network in order to extort money from a company. Hackers demand payment in exchange for a decryption key. Payment demands range from a few hundred to several thousand dollars.
PROTECT YOUR BUSINESS
So how can a small business be protected? First, try to reduce risk as much as possible. Make sure all employees are smart about passwords, and monitor who has access to critical files. Once you’ve identified and reduced risk, the next step may be insurance.
Of course, if fire is a possible threat to a business, one purchases fire insurance. If water is the threat, there’s flood insurance. Today, it’s a sign of the times that companies are offering cyber insurance, but many small-business owners don’t purchase it because they mistakenly assume any loss caused by computer glitches or hacking is covered by traditional insurance policies. What many find out too late, however, is that commercial property insurance and business liability insurance policies don’t cover cyber liability, and the costs can be astronomical.
The price of a data breach includes financial reimbursement of stolen money, legal fees if lawsuits have resulted from the breach, and the cost of compliance with breach notification statutes. It can also be costly to identify what caused the breach and come up with solutions to keep it from happening again.
ASSESS YOUR RISK
Cyber liability policies may be offered by the insurance company already providing your business liability coverage, so that may be a smart place to start shopping, especially since having more than one policy with a company can mean qualifying for a discount.
If you’re still not sure this specialized insurance is necessary, take stock of your business. Cyber liability insurance makes sense if a business stores or transmits sensitive third-party information like credit card numbers, Social Security numbers, bank account numbers, etc., which is just about any business that accepts credit cards, pays bills or processes payroll. A good cyber liability policy will pay for damages associated with a breach including breach notification expenses, credit-monitoring fees, security investigation and repair, and cyber extortion expenses. Some of these are costs you probably never even thought about unless you’ve experienced a breach.
Another factor to consider is that as more and more companies safeguard themselves against cyber crime, they are becoming pickier about who they do business with. You may start to see big companies requiring proof of cyber liability insurance before agreeing to conduct business with you.
Cyber liability insurance rates vary depending on several factors including the type of industry, size of the company and amount of risk. You’ll get added protection and may qualify for lower rates if you’ve put some effort into beefing up your network security.
This is similar to how owning a car with a good safety rating can lower auto insurance premiums. It can be as simple as improving firewalls, adopting better password practices companywide, training employees to identify and ignore phishing emails, and limiting the number of employees with access to sensitive information.
Christine Marciano, president of Cyber Data Risk Managers, an insurance agency specializing in cyber liability, put together a sampling of what clients pay for premiums. While premiums will vary widely, from hundreds to many thousands of dollars, one of her examples that might be close to a PRO company would be a doctor’s office with $700,000 in annual revenues and a premium of $649.
No business owner looks forward to spending more to add insurance, but while shopping around for cyber liability coverage, keep in mind that the National Small Business Association technology survey reports the average cost of a cyber attack reported by small businesses that were targeted in 2013 was $8,699. That kind of unplanned and unwanted expense can cause serious financial problems for any small business.