“I don’t need to worry. Cyberattacks don’t hit small businesses. They only target BIG business … right?” Wrong. This statement is simply not true.
All it takes is one click. The vast majority of cybercriminals use email phishing scams to dupe individuals. Once an employee clicks that link, the process begins to infect the device or steal your company’s data.
Whitney Tabash, a Broker with All Risks, Ltd, recently sat down for an interview and answered the following questions.
Do small businesses need to worry about cyber threats?
Yes. Over 50% of small businesses have already experienced an attack. Phishing schemes are prevalent for small businesses. This type of attack casts a wide net.
They’re not trying to catch everyone, but the small amount of people that they can trick ends up being very lucrative for them. Again, that’s something where one employee didn’t realize that an email wasn’t from the person that it appeared to be from. They click the link. Then, someone calls them and says, “I’m your I.T. consultant and I need your login.”
The number of things that small businesses are susceptible to, when it comes to cyberattacks, is unlimited. If you have a breach, it gets costly. There are laws you’re bound to, and it costs money to have to adhere to those laws. And if you don’t, you must pay a fine as well.
How much does a small business stand to lose in a cyberattack?
That depends and can vary greatly by attack. Recently I had a small paper distributor – distributing local to their area, less than $1 million in revenues a year, get hit by Social Engineering (someone convinces you to send money to an account which a bad actor* controls). They stopped it quickly, which was amazing, and only ended up paying about $20,000.
I’ve also seen a small snow cone shop get hit with a data breach. It was a pretty small claim. I think it was under $10,000. That was probably the one that surprised me the most – that a snow cone shop was a target.
Are there claims that are more common with small businesses?
A common claim I still see is lost devices. Most businesses are moving toward cloud-based servers and systems, and so employees that have laptops and phones don’t have any data stored on these devices.
But some companies still aren’t using cloud-based storage. So, if someone loses a laptop or even if the business gets broken into at night and a laptop or cell phone is stolen, those devices have data on them. That’s a breach. That’s probably the biggest small business claim I’ve seen in just under a decade of doing this.
I’m working with a nonprofit in Austin that does disability rights advocacy. They had two laptops stolen overnight. They had hired a security guard company, but the guard wasn’t there at the time of the theft, and the laptops contained data on their clients – personal health information. This ended up costing them about $85,000. To their knowledge nothing ever happened with the data. We don’t know if the hard drive was destroyed that had the information on it, but they still had to comply with privacy laws and regulations.
Why are small businesses especially vulnerable?
Cyber criminals know that most of the time small businesses don’t have teams that are in-house that are designed solely to keep the cyber defenses of the business up. And maybe if they do have some things like firewalls or anti-virus, they’re most likely not the best products out there, and there’s a good chance they’re not constantly being updated. So, in many ways, criminals think of small businesses as being easier to attack.
Most of the time people won’t be tricked. But, it’s easy to trick one person in a weak moment. So, cyber criminals might send a malware link in an email. It looks like it comes from someone that person knows. All it takes is that one click, and then whoever in the system got the email has given that bad actor* access to the entire system.
Summary
The days of small businesses ignoring cyber attacks and data breaches are over. By volume, they are the primary targets. But there is a lesson small businesses should learn from large enterprises.
Every big business knows a breach will happen. So, their plan isn’t “if a breach happens.” They have a reaction plan for when it does happen. Is it unreasonable for you to create a plan also?
*Bad Actor is a term used to refer to entities (individuals, criminal enterprises, nation states, etc.) who act to breach or use an IT system in a way that is opposite of the desires of its operators.
Bio
Whitney Tabash is an experienced Professional Liability broker at All Risks Ltd., the largest independently owned insurance wholesaler in the United States. Prior to joining All Risks, Whitney was a Senior Broker at Professional Liability Underwriting Specialists, Inc. With almost 10 years in the industry, she is a well-established resource on technology-related exposures in the constantly changing regulatory environment. Whitney serves on the Texas Surplus Lines Association (TSLA) Membership Services Committee and was the youngest ever appointed Chair of the Texas, Oklahoma, Arkansas and Louisiana Chapter of the Professional Liability Underwriting Society (PLUS).
Disclaimer
Daniels-Head Insurance Agency (DHIA) seeks thoughts and insights from a variety of individuals and organizations in the industry. The guest content on this blog represents the individual opinion of the author and not that of DHIA. Nor is it the opinion of DHIA’s underwriters and business partners. Neither DHIA nor DHIA’s business partners are recommending, endorsing, or sponsoring any companies, or third parties mentioned in this blog.