Think cyber risk is only a problem for the Targets and SolarWinds of the world? Think again. The fact is, nearly 50 percent of cyber attacks1 are directed at small to medium-size businesses (SMBs), and SMBs are exactly the kinds of companies that can't survive an attack that takes their systems down for days at a time or shakes consumer confidence in their business.
That's why, in early November, the U.S. House of Representatives approved two bills1 that aim to strengthen the cybersecurity of small businesses. The Small Business Administration (SBA) Cyber Awareness Act would require the SBA to issue a report on its cybersecurity capabilities and notify Congress of a cybersecurity breach that could compromise sensitive information. The Small Business Development Center Cyber Training Act would establish a cybersecurity counseling certification program.
Before the vote, Rep. Jason Crow (D-Colo.) said, "Cyber attacks are one of the biggest threats to our economy and small businesses and way of life. This bill would ensure we are doing everything we can to protect the millions of small businesses that the SBA serves and prepare them for 21st century threats."1
Like any company, SMBs aren't immune from cyber attacks. But they have a lot more to lose when a hack or data breach happens. Small businesses are a favorite among cyber criminals because they often lack the resources or technical knowledge needed to protect themselves that larger-sized companies with more means have in abundance.
Yet only 26%2 of small businesses say they carry cyber insurance.
The Stakes Are High for SMBs and Cyber Attacks
One reason many SMBs lack cyber coverage that they have an "it will never happen to me" attitude. In a survey conducted by CNBC and Momentive among America's small business owners, 56% said they are not concerned2 about being the victim of a hack in the next 12 months — and among those, 24% said they were "not concerned at all."
SMBs also have the confidence that they could easily handle an attack if one happened. Fifty-nine percent2 said they could quickly resolve any cyber attack. Forty-two percent said in the event of a cyber attack, they have no plan in place for response.
These SMBs don't grasp the reality of the situation. Not only can it happen to them, when it does, the financial repercussions of an attack can be devastating to SMBs. According to IBM's Cost of a Data Breach Report,3 organizations with fewer than 500 employees had an average data breach cost of $2.98 million per incident in 2021, a 26.8% increase from 2020.
The ramifications of failing to install proper cyber security measures can be horrific. The missing data, employee downtime, operation resumption, reputation damage and other enormous losses are just the tip of the iceberg from a cyber attack. According to the National Cyber Security Alliance,4 60% of hacked SMBs go out of business within six months.
Given the pressures on smaller IT departments to keep pace, these companies should consider outsourcing their network security to a third-party provider.
How to protect your SMB clients from cyber threats
For agents who work with SMBs, knowledge is power. Your clients should start reading up on the various types of risks and then take steps to improve their security protocols. The types of attacks against SMBs are constantly evolving, but generally are related to social engineering, ransomware, malware, unpatched systems or comprised passwords.
The SBA recommends some best practices:5
- Employee training. Emails are a leading cause of data breaches for small businesses. Train employees to spot a phishing email, avoid suspicious attachments and use good browsing practices.
- Antivirus software. Every computer should have antivirus software and antispyware. The software should be updated regularly with vendor-provided patches or be set to update automatically.
- Strong passwords. Instruct employees to use different passwords for each account and to not share passwords. For additional security, install multi-factor authentication (MFA) on all accounts.
- Data protection. Automatically back up the critical data on all computers and store the copies either offsite or in the Cloud.
- Secure networks. Use a firewall and encrypt information on Internet connections. Hide Wi-Fi networks and password-protect access to the router.
Organizations need to make training engaging and help employees feel that they are part of the solution.
The reality is that, even after taking steps to reduce cyber risks, SMBs are still vulnerable to cyber attacks. Adding cyber insurance coverage is additional protection for minimizing losses and recovering from an attack.
When working with SMB clients on cyber policies, look at the types of data they have and where that data is stored. Businesses that mainly use computers or mobile phones, accept credit cards or store sensitive data in the Cloud are particularly at risk, and you need to know what they're doing with their data to best guide them.
It is also important to educate SMB clients on the must-haves that many insurers today require in their cyber policies — usually an incident response plan, MFA, third-party risk management and patch management. SMBs have different risks and needs, but most small businesses carry about $1 million6 in cybersecurity coverage limits. It's up to you to help make sure they understand the scope of the problem and are prepared to step up and protect themselves from it.
Sources
1Miller, Maggie. "House Passes Bills to Shore Up Small Business Cybersecurity," The Hill, 2 Nov 2021.
2Rosenbaum, Eric. "Main Street Overconfidence: America's Small Businesses Aren't Worried About Hacking," CNBC, 10 Aug 2021.
3"Cost of a Data Breach Report 2022," IBM Corporation, Jul 2022. PDF file.
4Gavin, Joe. "60 Percent of Small Businesses Fold Within 6 Months of a Cyber Attack. Here's How to Protect Yourself," Inc., accessed 26 Sept 2022.
5"Strengthen Your Cybersecurity," U.S. Small Business Administration, accessed 23 Sept 2022.
6Vandiver, Whitely. "Cybersecurity Insurance: What It Is, Which Businesses Need It," Nerdwallet, 1 Sept 2021.
