Cyberattacks on the Rise
Cyberattacks are happening at an alarmingly high frequency. While these attacks are typically aimed at larger and internet-based companies, we are also seeing an increase in activity among privately held and family-owned businesses. Unfortunately, these smaller businesses are perceived to be easier targets for cyberattacks because resources devoted to prevention, detection and response can be limited.
Small Business Trends published the following statistics in a January 2017 article entitled “CYBER SECURITY STATISTICS – Numbers Small Businesses Need to Know”:
- 43% of cyberattacks target small business
- 14% of small businesses rate their ability to mitigate cyber risks, vulnerabilities and attacks as highly effective
- 60% of small companies go out of business within six months of a cyberattack
- In the aftermath of these incidents, targeted companies spent an average of $879,582 because of damage or theft of IT assets
- Disruption to normal operations cost an average of $955,429
- Damage to reputational risk could not be measured
The top cyberattacks experienced by small businesses were reported as follows:
- 49% were web-based attacks
- 43% included phishing/social engineering attacks
- 35% had general malware attacks
Small businesses reported the top three causes of data breaches as follows:
- 48% were caused by negligent employees or contractors
- 41% were caused by third-party mistakes
- 35% were caused by an error in system or operating processes
Understanding Cyber Insurance
Some clients and prospects believe their company’s current general liability policy would cover cyber-related risks. We caution them to confirm their understanding, because traditional coverage rarely applies to cyber events.
If your company has cyber insurance, we encourage you to understand the exposures your company has to cyberattacks and work with your broker to tailor the coverage to your company’s needs. Rarely does a one-size-fits-all cyber insurance policy truly afford your company appropriate protection. Your business is unique and your risks are unique.
Although customized cyber insurance policies are a sensible form of risk management, they may not address the potential damage to your company’s reputation or the loss of business that often follows a breach. To lessen the negative impact on your company’s reputation, it’s a good idea to have a thorough and up-to-date crisis communications plan in place that provides guidance in a worst-case scenario.
What Can You Do?
Does your company use cloud-based technologies? Do you have vendor oversight and management programs in place, such as those related to third-party administrators (e.g., a payroll service provider or a 401(k) plan administrator)? Do these providers have cyber insurance? Even if they do, keep in mind that their cyber insurance policy covers breaches on their side and does not necessarily provide your company with protection.
In addition to traditional internal controls, such as keeping current on all computer and server operating system software updates, installing antivirus software, firewalls and filters, and changing passwords frequently, we recommend additional security and risk-mitigation measures. These could include key cyber policies or procedures, virus and ransomware protection software, email filters, periodic vulnerability scanning, penetration testing, employee education on data protection policies and best practices, and data encryption software. Examples of frameworks that provide “best practice” cyber security guidelines include the NIST Framework for Improving Critical Infrastructure Cybersecurity and NIST Special Publication 800-53, Security and Privacy Controls for Federal Information Systems and Organizations. These are great (and free) references for improving cybersecurity.
If you are uncertain about the risks and vulnerabilities your company faces from cyberattacks, or want to ensure your company’s internal controls are adequate and consistent with constantly evolving best practices, contact Seth Rensberger or Eric Schnieber for additional information and guidance.