The business is a battlefield – and the attacks are coming from cyberspace. It’s a visible war with plenty of high-profile casualties. The Equifax data breach of 2017 revealed the personal information of 143 million people. The Yahoo breach left billions of accounts vulnerable; a recent disclosure revealed that every Yahoo account was affected. Uber customers totaling 57 million found a ride – and had their personal data stolen.
Many small and medium-sized businesses are not acting quickly to protect themselves. “My business is smaller than those mammoth companies,” owners say. “Can the risk really be that high?” The answer is a resounding yes. Small and medium-sized business owners who believe it won’t happen to us do so at their own peril. It’s not just the ‘big fish’ who are targets; two out of three cyberattacks are now directed at small businesses. The reason for this is clear: these entities often do not employ adequate security measures. Add an absence of insurance protection to the equation, and a breach can be exceptionally disastrous. It’s a problem of preparation AND protection. Without the proper security in place, a breach may occur with ease – and without insurance coverage to handle the aftermath, the result can be financially devastating.
The takeaway is this: the threat of cyberattack does not necessarily increase as the size of a business does. Companies of all sizes are at risk. For proof, let’s examine real-life cautionary stories of Tampa Bay Area small businesses as reported by St. Petersburg insurance agency Wallace Welch & Willingham Inc (W3 Insurance). In the below examples, the businesses affected lacked adequate crime coverage, which did not include cyber-related losses.
Scenario One: The Classic Hack
In hindsight, it’s obvious that the accounting software was ‘a sitting duck,’ as the saying goes. A hacker found a way into the payroll program and methodically added fake employees to the roster one by one, shuttling money to an outside account and leading to more than $200,000 in losses before the hack was discovered.
Scenario Two: The Patient Robber
Some cyber criminals are exceedingly persistent. This one did his homework in a major way, learning about the company’s employees and customers in detail. He then requested a wire transfer from a client to a fake email address that read suspiciously close to a salesperson’s address. The money was wired without a second thought, and the result was a loss of thousands of dollars.
Scenario Three: The Last-Minute Switch
Yet another criminal accessed a seller account on a transaction. He monitored the email exchange between the buyer and the seller. Just as the transaction was to close, he sent an email with fraudulent wire instructions to the buyer from within the seller’s own email account. The seller naturally assumed the wire instructions were correct – and wired $388,000 to the criminal.
None of the above companies had adequate cyber insurance coverage in place as a safeguard. What could have been a simple add-on to an existing policy is now ultimately viewed by these organizations as a huge lapse in judgement.
Regardless of how a breach occurs, the end result is the same: potential economic devastation. Businesses may store private customer information protected by law; a cyberattack can create havoc for a business owner from a first and third-party standpoint. The business owner could lose access to valuable data necessary to run their business, resulting in a temporary shutdown and perhaps even a ransom to restore it.
If customer data is breached, the business could face lawsuits from third parties for not providing adequate protection of sensitive information, as well as government fines and penalties for certain types of legally protected data. After probable costs of legal fees, data forensics, public relations consultants, notification and data monitoring services are totaled, the loss is staggering. The 2018 average cost is $148 per breached record.
In this cyberattack battlefield, a two-pronged approach is necessary for the protection of businesses, no matter their size. By implementing loss control measures to avoid or reduce exposure to cyber risk and purchasing a cyber insurance policy specifically designed to cover this type of loss, organizations can avoid becoming a statistic.
Those who decline to prepare face a stark reality. Bankruptcy is a common occurrence for those businesses who choose to ignore the danger. The National Cyber Security Alliance states that a staggering 60% of small businesses close their doors for good within six months of a cyberattack.
It’s obvious that the need for cyber protection is dire, and there’s no one-size-fits-all answer for preparation and coverage. Encrypting important data is just one strategy, as is consulting with an insurance professional knowledgeable about cyber risk policies. Professionals like those at W3 Insurance examine the risk of each business and advise accordingly.
Based on reports of trillions of dollars being stolen from businesses, cyber criminals are winning this war. It’s time for all organizations to form a proper defense and to have a backup plan in the form of cyber security coverage if attacks do succeed.
- Federal Trade Commission, The Equifax Data Breach, https://www.ftc.gov/equifax-data-breach
- Natt Garun, Yahoo Says All 3 Billion User Accounts Were Impacted by 2013 Security Breach, The Verge (Oct. 3, 2017), https://www.theverge.com/2017/10/3/16414306/yahoo-security-data-breach-3-billion-verizon
- Mike Isaac, Katie Benner and Sheera Frenkel, Uber Hid 2016 Breach, Paying Hackers to Delete Stolen Data, New York Times (Nov. 21, 2017), https://www.nytimes.com/2017/11/21/technology/uber-hack.html
- Steve Strauss, Cyber Threat is Huge for Small Businesses, USA Today (Oct. 20, 2017), https://www.usatoday.com/story/money/columnist/strauss/2017/10/20/cyber-threat-huge-small-businesses/782716001/
- IBM.com, https://ibm.co/2Qiah9g
- Gary Miller, 60% of Companies That Suffer a Cyber Attack Are Out of Business Within Six Months, The Denver Post (March 24, 2017), https://www.denverpost.com/2016/10/23/small-companies-cyber-attack-out-of-business/