Cybercriminals don’t just go after big companies – small businesses are being targeted more frequently and many are unprepared for the devastating impact a cyberattack can have. October is Cybersecurity Awareness Month and an excellent time to raise cybersecurity awareness within your organization.
Small Businesses Underestimate the Risk
The Nationwide Agency Forward survey found that small businesses may be dangerously underestimating the threat of a cyberattack. Nationwide claims data shows that cyber claims recovery costs usually range from $15,000 to $25,000 and that restoration can take 279 days. However, 40% of small business owners think a cyberattack would cost them less than $1,000 and 60% think it would take less than three months to recover fully.
These misconceptions may be contributing to lax security practices. Only 56% of small business owners say they offer cybersecurity training at least once a year, whereas 94% of middle-market business owners offer yearly training. Fewer than three in 10 small business owners report having cyber coverage, whereas 71% of middle-market businesses have coverage.
Cyberattacks Are a Serious Threat
Whether or not small business owners realize it, cyberattacks are a serious threat.
According to the IBM 2022 X-Force Threat Intelligence Index, ransomware is the most common type of attack. Phishing is the most common infection vector (accounting for 41% of attacks in 2021) and vulnerability exploitation is the second-most common infection vector (accounting for 34% of attacks).
The cost of ransomware attacks has been increasing. The Ransomware Task Force estimates that ransomware victims paid $602 million in 2021, which is a 70% increase compared to 2020. Ransomware is also the most common cause of business interruption claims, representing 79% of these claims.
Attacks on Small Businesses Have Increased
Small businesses should not assume they’re too small to attract the attention of cybercriminals. Although massive attacks on large organizations may be more likely to make the news, businesses of all sizes are vulnerable to ransomware and other cyberattacks.
The 2022 Cyber Claims Report from Coalition shows that attacks against small businesses have increased by 40%. Additionally, the size of the average ransomware demand has increased, now averaging $1.8 million per claim. Ransomware is not the only threat – fund transfer fraud also increased by 18%.
A report from Coveware provides further evidence that small businesses are especially vulnerable to cyberattacks. The report found that 82% of the cyberattacks that occurred in 2021 targeted businesses with fewer than 1,000 employees. Companies with 11 to 100 employees were the targets of 37.2% of attacks.
Tips for Small Businesses
Hackers may see small businesses as easy targets, especially if the companies don’t have the same security measures as larger businesses. This may be why attacks on small businesses increase as larger businesses strengthen their cybersecurity. To avoid being perceived as easy targets, small businesses need to keep up with their own security measures.
The aftermath of a cyberattack can be worse for small businesses, too, because they might have fewer resources to support the recovery process. They could even be forced out of business.
Vigilance is key.
- Conduct an audit. Have a professional check your computer systems and practices for any security weaknesses and then take steps to make corrections.
- Train your workers. Because phishing attacks are the most common infection vector, it follows that untrained workers are your weakest link.
- Conduct tests and practice drills. This is a good way to make sure your workers know how to avoid phishing. Your cyber insurance partner can often provide resources.
- Require multi-factor authentication. This is a basic security measure – many cyber insurers now require it as a condition for coverage.
- Back up your data. If an attack deletes or encrypts your data, having a data backup can help your business continue to run smoothly.
- Take advantage of resources available to your company. Smaller companies might lack some of the internal resources needed to boost cybersecurity, but help is available. For example, CISA has a list of free cybersecurity services and tools and the FCC offers the Small Biz Cyber Planner 2.0 to help small businesses.
- Be ready for an attack. Have your response plan ready to go to minimize damage and quickly return to business as usual. CISA.gov offers many resources.
- Maintain insurance. Cyber insurance should be part of your cyber response plan and cyber risk management strategy. Your insurer can be another valuable source of cybersecurity support: if an attack occurs, insurance can help you recover.
Heffernan provides tailor-made insurance packages for small businesses. Ask us how to protect your business from cyber threats.