You might think small businesses are unlikely targets for cybercriminals but, sadly, this is not the case. Each year, thousands of small companies are victims of phishing, malware, hacking, and other types of cyberattacks.
Cyberattacks against big companies are well-publicized by the news media, while attacks against small firms generate little attention. This can give small businesses a false sense of security. Yet, small firms are generally more vulnerable than large ones because they have fewer resources to devote to security.
Attacks Are a Serious Risk
Cyberattacks are a serious risk for small businesses. This was confirmed by a cybersecurity survey the Ponemon Institute conducted in 2018. The survey involved 1,045 small and medium-sized businesses in the U.S. and the U.K. Here are some key findings:
- Sixty-seven percent of respondents suffered a cyberattack in 2018 (compared to 61% the previous year).
- Sixty percent of survey respondents that had a data breach said the cause was a negligent employee or independent contractor.
- A significant majority of respondents experienced an exploit or malware that evaded their company's intrusion detection or antivirus software.
- Mobile devices were the most vulnerable entry points to companies' computer networks.
Types of Attacks
The most common types of cyberattacks against businesses, according to Cisco, are malware, phishing, denial of service attacks, man-in-the-middle attacks, SQL injections, and zero-day exploits. In a man-in-the-middle attack, a criminal inserts himself between two parties conducting a transaction so he can steal data. An SQL injection involves malicious code that an attacker inserts into a query sent to a database server that uses SQL (Structured Query Language, the query language used by many database management systems). A zero-day exploit is an attack that occurs between the time a vulnerability is publicized and a fix becomes available.
Attacks can come from inside or outside your company. Inside attacks are often perpetrated by unscrupulous employees. Outside attacks may be committed by criminals located almost anywhere in the world. Some may be perpetrated by corporate spies.
Effects On Small Businesses
A cyberattack can impact a business in many ways.
- Loss or Damage to Electronic Data. An attack can damage electronic data stored on your computers. For example, a virus renders your sales records useless. Recreating them is a time-consuming process that involves sifting through old invoices.
- Extra Expenses. You may incur extra expenses to keep your business operating. For instance, a hacker damages two computers, forcing you to rent two laptops so you can keep your business running until your computers are repaired.
- Loss of Income. You may suffer a loss of income. For instance, a denial of service attack forces you to shut down your business for two days. The two-day closure causes you to lose both income and customers.
- Network Security and Privacy Lawsuits. If a cyber thief steals data from your computer system and the data belongs to another party (such as a customer), that party may sue your firm. For example, a hacker steals information about a customer's upcoming merger. The merger falls through due to the data theft. The customer sues you for failure to protect its data, alleging that your negligence caused the company to incur a financial loss.
- Extortion Losses. A hacker steals sensitive data (yours or someone else's) and then threatens to post it on the Internet unless you pay him a $50,000 ransom. Alternatively, you accidentally download ransomware that encrypts your data, rendering it unusable. The perpetrator demands a ransom payment in exchange for an electronic key that allows you to "unlock" the encrypted files.
- Notification Costs. Most states have passed laws requiring you to notify anyone whose data was breached while in your possession. You may also be required to tell the victims what steps you are taking to remedy the situation.
- Damage to Your Reputation. A cyberattack can seriously damage your company’s reputation. Potential customers may avoid doing business with you, believing you are careless, your internal controls are weak or that an association with you will damage their reputation.
Risks of Using the Internet
Like many small businesses, your firm probably uses the Internet. Perhaps you maintain a company website to advertise products or educate potential clients about your industry. You might sell a product or service that customers can purchase online. Any of these activities can generate cyber risks.
Information you post on the Internet may be a source of lawsuits against your firm. For instance, a competitor alleges that you libeled his company in an ad you posted online. Alternatively, a rival company claims that you infringed on its copyright, trademark or other intellectual property right.
Little Coverage under Standard Policies
Most standard property and liability policies provide little, if any, coverage for losses caused by cyberattacks. Many commercial property policies exclude electronic data under the definition of covered property. While some provide a small amount of coverage for damage to data caused by viruses and other perils, most don't cover losses involving hacking or extortion.
General liability policies cover claims alleging bodily injury or property damage. Most cyberattacks don't cause bodily injury or property damage as these terms are defined in the policy. In addition, liability policies contain exclusions that eliminate coverage for many potential cyber claims. For example, Coverage A (Bodily Injury and Property Damage Liability) excludes damage to electronic data. Coverage B (Personal and Advertising Injury) excludes infringement of copyright, patent, trademark or trade secret.