Over the last two years, small businesses ($25 million in revenue and under) have become bigger targets for cyber criminals. Just within that time, reports of small business cyberattacks have increased by more than 200%, and cyber insurance claim payments have increased by 400%.
Cyberattacks include any attempt to damage, disrupt or obtain access to data, computer systems or networks. These attacks disrupt the flow of business operations, put sensitive data at risk, and may require a substantial payout to hackers before they will repair the issue.
Why? Because attacks on unsecured computer systems and networks, and even phishing scams, have become incredible money makers for cyber criminals. In fact, ransomware is now available as a product sold on the black market to anyone, not just experienced hackers, causing an influx of additional cybercrimes.
What are the main cyber threats?
It may surprise you to learn that the top three industries targeted by hackers are manufacturing, construction and nonprofits. The top three types of cyber insurance claims are for fraudulent payments, social engineering scams and ransomware (see graphic).
The two most common cyberattack types are ransomware and social engineering scams.
Ransomware is software hackers use to gain access to systems or equipment, which are then disabled and held for “ransom” until the hackers receive money. For example, a manufacturing plant may find its machinery disabled and a demand for $1 million to return it to functioning. If you think that’s far-fetched, I know of three separate $1 million ransomware incidents that happened to small businesses just this year.
Social engineering can happen to any business, but the nonprofit sector is a primary target. Criminals use social engineering tactics, like sending an email that looks and sounds like it’s from an organization’s CFO, to manipulate employees into providing confidential information or making fraudulent payments. Employees unknowingly trust the request and make payments they later find went to an unknown source.
If your business handles any personally identifiable information (PII), whether on a network or in the cloud, cybersecurity measures need to be in place to help mitigate attacks and/or streamline recovery efforts.
So, how do small businesses protect themselves?
There are several steps I recommend for helping businesses protect against cyberattacks and financial loss.
- Don’t rely on credit card companies for fraud coverage—get a full cyber insurance policy.
I see this a lot. Credit card companies don’t provide full coverage. Full coverage includes three tiers: first-party, third-party and cybercrime. Cybercrime insurance covers things like social engineering scams that can result in fraudulent payments and computer funds transfers. Cyber insurance must have all three tiers to be considered full coverage, and many organizations only have one or two small sublimits in their business owner’s policy. Check with your insurance representative to verify what your policy covers, or contact me for help.
- Proactively develop and implement a Cyberattack Response Plan.
If your employees know what immediate steps to take when a cyber threat or attack occurs, there’s a better chance to mitigate the damage or stop the attack altogether. A plan typically includes creating a response group that knows immediately what steps to take when a threat or attack occurs. You must quickly contain and eradicate the attack and begin recovery from any resulting damage.
Your insurance provider likely has a sample Cyberattack Response Plan, or contact me, and I can provide you with one.
- Make sure your organization has checks and balances in place.
While it no doubt annoys you as much as it does me, Multi-Factor Authentication (MFA) exists because it works. MFA adds extra steps to login processes that ensure the real account owner is logging in. Implement MFA for anything that requires secure access, such as company equipment or systems and passwords necessary for customer or service portals.
If it is not already part of your processes and procedures, I recommend that all electronic payments be reviewed and approved by at least two people. This lessens the chance of criminal manipulation of a payment system.
Just as technology continues to evolve faster than many of us can track, so do the ways criminals find access to valuable online information. Make sure your business is protected—contact your technology advisors about guarding against hackers and your insurance advisor to get the coverage your company needs. I welcome you to contact me at Vibrant Insurance Group for questions or for help understanding the cyber insurance your business needs!
Steve Snavely can be reached at steves@vibrantins.com or (515) 985-8235.