What’s more sobering than the cyberattack against Domain Name Server provider Dyn Inc. that halted access to a number of high-traffic sites last Friday? A whopping 78% of small business owners don’t have a cyberattack response plan.
This finding is one of many from Nationwide’s second annual Small Business Indicator, a national survey conducted by the Harris Poll June 10-23 among 502 small business owners with fewer than 300 employees.
As National Cybersecurity Awareness Month comes to a close, agents should persist in spreading awareness to the 45% of small business owners who think they won’t suffer a cyberattack and do not have a response plan in place.
Start by assessing the following misconceptions they—and you—may have about cyber risk:
1. The size of my business makes it unappealing to hackers. Like any insurance consumer, many small businesses need convincing about cyber insurance because they don’t think it’ll happen to them. Even more dangerous, points out Karen Johnston, cybersecurity expert at Nationwide, “they don’t think they have the information cyber criminals want.”
Although major news headlines only portray large companies as victims of cyberattack, Johnston explains, “small business owners accept credit card payments and maintain personal information about their customers. Most of them have a website and do online banking. All these activities create an environment for cybercriminals to obtain the information they’re looking for.”
Laird Rixford, president of Insurance Technologies Corporation, adds that a perception of invincibility is exactly what increases a small business’s risk: “When they think they’re not vulnerable, they won’t invest in protection hardware or technology to make sure they’re lowering their risk profile.”
2. I’m safe using the cloud. Rixford points out that small businesses “have a false sense of security using the cloud because really, the cloud just is someone else’s computer. It’s just as vulnerable to attack.”
And although small businesses using the cloud assume the vendor would handle a hacker’s interference, “the user has one of the highest levels of standards to make sure they’re maintaining data security on those cloud host providers,” Rixford says.
For example, the cloud is not immune to a tactic like social engineering, or the act of tricking someone into revealing information like usernames and passwords. “When I first heard about this, I thought, how could anyone get away with that?” says Alex Wayne, president of A.J. Wayne & Associates, Inc. “But the reality is it’s becoming a more common loss.”
3. Cyberattack is just like any other computer problem. Cyber exposure is more than hackers stealing data electronically. As Johnston explains, “a misplaced or stolen laptop with unencrypted, sensitive information will also trigger breach notification laws, as will hard copy paper files containing customer information that aren’t filed or disposed of properly.”
Small business owners should also know they may be held liable for unintentional transmission of virus or malware to a third-party system. For example, a small business may inadvertently transmit a virus to one of its suppliers, shutting down the supplier’s website for a few days.
“Through computer forensics,” Johnston says, “it’s possible the virus can be traced back to the small business owner, and the supplier can sue them for loss of income for the period where they were unable to take online orders.”
4. A cyber liability policy doesn’t cover my risk. Small businesses previously had to rely on crime insurance or business owner policy endorsements for specific coverage, but cyber liability policies are constantly broadening.
In addition to coverage for the aforementioned social engineering and encryption on portable devices, “nowadays with cyber liability, it’s becoming more common to get full prior acts for unknown claims on a first-time buy,” explains Wayne, who notes that this inclusion is crucial because many victims of cyberattack don’t realize it until symptoms surface years later.
Even if a business doesn’t gather substantial amounts of personally identifiable information, “you still have exposure to cyber extortion and you still have some level of coverage that would be beneficial,” Wayne advises.
5. I can handle it if it happens. More than half of the respondents in Nationwide’s survey have already been victims of cyberattack. But Wayne points out that many small businesses simply don’t do anything about it—which is illegal.
“Almost all states have breach notification laws,” Johnston explains. “There’s no consistency among the states as far as what’s required. To further complicate matters, the breach notification law that applies is governed by the location where the affected individual lives—not the location of the small business.”
Of the small businesses that have not yet suffered an attack, 57% believe their company could recover within a month. They’re wrong: according to Rixford, “the overwhelming majority do not survive.”
If the small business has a cyber liability policy, however, it includes mitigation response. “An insurance company has it down to a formula,” Wayne says. “It’s going to be far less taxing on the small business’s time if it has the coverage in force. And it’s going to be less expensive because the insurance companies have preferred rates with companies that provide remedies. You’d have a deductible, but your rate is going to be much lower per record.”
And part of that mitigation response seeks to maintain the small business’s reputation. Wayne points out, “It’s still a black eye on the company. If you receive notification that your credit has been breached, what are you going to think about that business going forward? You’re probably going to think they’re being careless with their data, even though it’s not their fault.”
Jordan Reabold is IA assistant editor.