When running a small business your outgoings can seem tight, especially in the early inception of your company’s life when set up costs can seem endless. Due to this, it’s natural as a business owner to look at ways to reduce your annual expenditure. Of course, there are a plethora of costs which quickly end up moving outside your yearly budget. Even something as rudimentary as paying for your staff’s tea and coffee can end up outside your remit which leads to unhappy employees, especially on a Monday morning!
One area that is often seen as giving little return on investment is your business insurance policies. The cost paid is less about a return on investment and more about peace of mind. Despite this, there are common areas that SME owners often leave unprotected as a result of missing or inadequate cover.
Nowhere is this more prevalent than in cyber risk insurance, which is often the area where a small business underestimates just how vital cover can be. It’s hardly surprising – insuring a physical object such as your office or your held stock is more natural as you see it every day. Your business data is rarely thought about in the same light.
However, a company is 9x more likely to claim on a cyber insurance policy than one covering burglary. While you may think big companies are a large portion of that number, you would be mistaken. In 2018, 52% of SMBs suffered a cyber breach, and without the correct level of cover most were left vulnerable to paying the costs incurred as a result of severe breaches.
An increasing number of malicious cyber actors are exploiting the current COVID-19 pandemic for their own objectives. In the UK, the National Cyber Security Centre (NCSC) has detected more UK government branded scams relating to COVID-19 than any other subject.
Although, from the data seen to date, the overall levels of cyber crime have not increased, both the NCSC and Cybersecurity and Infrastructure Security Agency (CISA) are seeing a growing use of COVID-19 related themes by malicious cyber actors. At the same time, the surge in home working has increased the use of potentially vulnerable services, such as Virtual Private Networks (VPNs), amplifying the threat to individuals and organisations.
APT groups and cyber criminals are targeting individuals, small and medium businesses and large organisations with COVID-19 related scams and phishing emails.
In this piece, we will cover the most common cyber risks to your small business, and how the correct level of cover can help prevent a cyber breach destroying your company’s reputation and finances.
What Is Considered A Cyber ‘Risk’?
When the word Cyber is used to describe something it can run the risk of seeming generic. As businesses move towards online platforms and modern internal systems, even something as simple as email is considered part of your small business’s digital identity. The value that hackers put on this cyber footprint is huge, regardless of your size.
Modern methods of hacking mean sophisticated AI systems are now sent en masse to all corners of the internet to break down the walls surrounding websites, servers and anything else they can access. Long gone are the days when a cyber risk was merely a fictitious prince from a faraway land emailing you to transfer money in exchange for a share of a pot of money that never existed.
In fact, cyber risk now encompasses many areas. Furthermore, the initial signs of the most common threats are often unknown, especially to a small business where there are much more important things to do to keep your company running. No matter what, it is important to understand the most common threats and ensure your staff do as well.
The Most Common Cyber Attacks on an SME
Ransomware is a form of software that enters your computer or server before encrypting your data and holding it for ransom. Think of it like a burglar entering your home, changing all the locks and forcing you to pay them to reopen your doors.
Failure to pay can leave you permanently locked out of your data, or have your data moved on and sold to the highest bidder.
This is fast becoming one of the most common types of threat. Once the software is set up to infiltrate, the hacker needs to do little more than sit back and wait for the ransom to be paid, making it all the more alluring to cybercriminals.
Phishing messages are emails or any other messages that pose a threat by pretending to be a trusted partner. This could be your bank, or even a customer who has suffered a breach themselves.
The hacker’s objectives can range from the somewhat innocuous, asking for emergency money to get your ‘customer’ out of a tight spot, all the way to imitating your bank to empty your accounts.
As an SME your repeat customers are essential to your growth. Reaching out to them via an email campaign or even a printed leaflet means storing their details. If this data falls into the wrong hands, your customers’ privacy has been breached and you can be held accountable in line with GDPR regulations.
Having access to your client databases, or any other sensitive information, on multiple devices makes you more likely to fall victim to data leakage. Once a device such as a mobile phone is accessed then a hacker can walk into your files and take what they please.
Even global giants are vulnerable to this type of attack. In 2019 Facebook had hard drives stolen that contained data on 29,000 employees, including bank details.
Weak passwords and computer setups leave you vulnerable to hackers, and don’t think that a unique password for each account means you are kept completely safe. Modern cybercriminals are sophisticated, and as such create password breakers that effectively crowbar their way into your accounts through brute force.
SMEs are often the most vulnerable to this threat, as large companies often have dedicated IT and even digital security teams to protect them. As a small business, all of your staff need to be aware of the dangers of hackers to prevent attacks.
Having more employees increases the risk of a staff member giving away sensitive data, either accidentally or maliciously. Indeed even disgruntled past employees are often the source for cyberattacks, thanks to their insider knowledge.
While that scenario cannot be completely ruled out, it should be said that as a small business owner your more pertinent risk is employees accidentally giving out information. As an SME your staff can fill multiple roles, and ensuring they are correctly trained on cyber threats is essential.
What is the Cost of a Cyber Attack to a Small Business?
There are three common outcomes to your business as a result of a cyber-attack. These rarely come individually and all of these scenarios can often happen to smaller businesses.
Being locked out of your data, or losing data completely, will impact trading and lead to loss of business. For an SME, the business owner will often be left to pick up the pieces and, with inadequate cyber insurance, often without support.
When systems are breached, or equipment is bricked, then there is also the financial cost of upgrading or replacing these.
Data breaches often impact more than just your business. If your customer or supplier’s information has been accessed then this can have a seriously damaging effect on your reputation as a business.
If you are hacked your business can also become a hub for hackers to outreach to your customers with malicious intent. Managing this is difficult and requires professional consultation.
With the advent of measures such as GDPR you may find yourself at the mercy of a multitude of fines and sanctions. Don’t think GDPR and data protection laws only apply to large corporations. If you are a business offering a service then you can be held to the same level of accountability.
Even breaches that result from unintentional actions by you or your staff carry the same level of culpability.
How Can A Cyber Insurance Policy Protect Your Small Business?
It’s vital to understand that any business insurance policy needs to fit your company and how you operate. This is also true with cyber risk insurance. Out of the box policies can be very effective for standard personal cover, but depending on your industry and your business risks, cover often needs to be tailored to what you need. That way you only pay for the cover you know will work.
A great cyber insurance policy can cover a multitude of areas. When searching for a policy for your small business we would encourage you to look for a wide range of cover and support. Some areas to consider include:
It’s in any insurance company’s best interests to support you with your cyber security. Helping you stay secure decreases the risk of them having to pay out on a claim and means you are less likely to have to endure the stress of experiencing a cyber crime.
Look for an insurance policy that offers free information, pre-breach consultations and access to approved vendors that can offer trusted services such as hosting of your website.
Being left to pick up the pieces following a cyber breach is guaranteed to be unpleasant. As a small business, your priority needs to be getting back up and running after an incident. Consider getting details on what assistance is offered by your insurance provider in the event of a claim.
Legal advice, forensic investigators and PR experts to manage a damaged reputation are all elements that are vital to have should you ever need them. An experienced insurance broker will be able to identify the providers that can assist you with this.
Costs incurred as a result of a cyber attack can be devastating to an SME. If your business has to down tools to fix an issue then the correct level of cover should help protect your finances.
Question what costs are covered as part of your policy. Ensure your business is covered for costs to keep your doors open, for any loss of income as a result of the incident and the costs to recover any lost data.
Legal costs can be devastating to your small business, and often something most will never recover from in the event of a claim against them. The correct insurance policy for your small business needs to cover legal and damages costs as a result of a breach or security failure.
About the Author
Paul Monaco – Client Director at Focus Oxford Risk Management
Paul specialises in the advice and arrangement of specialist business insurance and risk management to the Life Science, Medical Device, Scientific Research and Technology Sectors from new business start-ups through to PLCs.