It’s difficult to overstate the risk posed by cybercrime. There’s no question that your business will be hit. The only question is when. The 2017 Small Business and Cyber Insurance Report by the Insurance Information Institute stated that 55 percent of small and midsize businesses experienced a cyberattack in the previous year, and about half experienced a data breach. These numbers continue to rise.
Cyber incidents come in many forms.
When we talk about cybercrime, we’re actually talking about a wide range of threats. These include the following:
- Data Breaches: Personal information – such as credit card numbers, passwords, Social Security numbers and other details – is a hot commodity on the black market.
- Malware: An infected computer system can wreak havoc on a business. Ransomware is used to encrypt files, holding them hostage until a sum of money is paid. Other malware may be used to spy on users or to access sensitive information.
- Business Email Compromise and Phishing: Some cyber attacks target the people using computers rather than the computers themselves. In phishing schemes, people are tricked into providing sensitive information. Spear phishing is similar, but the attacks target specific individuals. In business email compromise schemes, employees are tricked into wiring large sums of money to a third party.
- Denial of Service Attacks: In these attacks, a malicious actor floods a site with traffic, causing it to crash. This prevents other people from using the site as intended.
All companies are at risk.
Regardless of size or industry, your company is not safe. The cyber world has become inescapably linked to the physical world. Modern businesses of all types operate at least in part in the digital sphere. This makes all businesses vulnerable to cyber losses.
And don’t assume that your business is too small to be a target. While cyber incidents at huge corporations may be more likely to make the news, smaller companies are also impacted. According to the 2018 Cyber Claims Study from NetDiligence, most cyber claims are filed with smaller businesses.
Hackers aren’t always to blame.
Not all cyber losses are caused by hackers or viruses, although those are certainly threats. For example, some data breaches are the result of third-party hacking or malware. However, other breaches are caused by employee mistakes, such as when an employee loses a laptop or forwards an email to the wrong person. Other breaches are the work of disgruntled employees or former employees.
According to the NAS Insurance 2019 Cyber Claims Digest, the top causes of cyber losses for the health care industry in 2018 were employee negligence, ransomware and rogue employees. For other industries, the top causes were hacking, ransomware and phishing.
The damage is far-reaching.
When a cyber loss occurs, the business can suffer in many ways.
- Business Interruption: Denial of service attacks, malware and other cyber losses can result in significant disruption.
- Financial Loss: Some cyberattacks involve extortion or fraud. Businesses may have to pay money to repair or replace equipment, or to notify customers of a breach and provide credit monitoring. Companies may also face lawsuits and regulatory fines.
- Loss of Data and Intellectual Property: Cyber incidents can result in the loss of valuable information.
- Reputational Loss: Customers and vendors may lose trust in a company that fails to keep their personal information safe.
Businesses must be proactive.
Companies must do everything they can to mitigate the risk.
- Involve leadership. Executives and board members must lead the way in protecting their companies. This is not something to delegate to IT and forget. Directors and officers liability lawsuits are now being filed against leaders who fail to establish policies and procedures to protect the private data of their customers.
- Keep pace with changing regulatory requirements. Consumer privacy and data breach notification laws are continuously evolving. One example is the California Consumer Privacy Act, which will take effect in 2020. Someone in your organization should be responsible for tracking and implementing applicable requirements.
- Train employees. Employees must know how to spot and avoid phishing and business email compromise schemes. Frequently communicate with your team and provide examples of threats to avoid.
- Maintain a secure system. When companies are lax about software updates and antivirus protections, they make themselves vulnerable to attack.
- Secure portable devices. If employees take laptops and other equipment outside the office, any sensitive information should be protected, for example, with encryption and the ability to wipe the system remotely.
- Use strong passwords. These passwords should be changed regularly, especially after an employee leaves the company.
- Create a response plan. Don’t be caught off guard. Know how you will respond to different types of cyber incidents.
- Update your insurance. Know what types of cyber losses are covered by your business insurance policies and get cyber liability insurance if you don’t already have it.
Need help with cyber risk management? Heffernan Insurance Brokers can help. Contact us to learn more.