Dangers of Cyber Attacks
If you are a small business owner, you might think your company is an unlikely target for a cyber-attack. After all, few criminals will bother attacking a little firm like yours when they can go after a big bank or insurance company, right? Unfortunately, the answer is no. Criminals attack small businesses more often than you might think.
In a 2016 survey of small and mid-sized businesses conducted by the Ponemon Institute, 55% of respondents stated that they had experienced a cyber-attack within the previous year. Half of respondents had suffered a data breach. Only 14% considered their defenses against cyber vulnerabilities and attacks to be highly effective.
Cyber-attacks against big companies are well-publicized by the news media, while attacks against small firms generate little attention. This can give small businesses a false sense of security. Yet, small firms are generally more vulnerable than large ones because they have fewer resources to devote to security. Thieves often take the path of least resistance, and small companies' systems are often easier to penetrate than those of large firms.
Types of Attacks
A cyber-attack may involve a hacker, a virus, malware, phishing or other activity on your computer system. Attacks can come from inside or outside your company. Inside attacks are often perpetrated by unscrupulous employees. Outside attacks may be committed by criminals located almost anywhere in the world, or sometimes even by corporate spies.
A cyber-attack can be devastating because a single event can impact a business in many ways.
- Loss or Damage to Electronic Data: A cyber-attack can damage electronic data stored on your computers. For example, a virus damages your sales records, rendering them unusable. Recreating them is a time-consuming process that involves sifting through old invoices.
- Extra Expenses: A cyber-attack may cause you to incur extra expenses to keep your business operating. For instance, a hacker damages two of your computers, forcing you to rent two laptops so you can keep your business running until your computers are repaired.
- Loss of Income: An attack may also cause a loss of income. For instance, a denial-of-service attack makes your computer system unavailable to customers for two days. You are forced to shut down your business during that period, and your customers go to your competitors. The two-day shutdown causes you to lose income.
- Network Security and Privacy Lawsuits: A cyber-thief may steal data stored on your computer system that belongs to customers, vendors and other parties. These parties may sue your firm. For example, a cyber-thief hacks into your system and steals a customer's confidential file that reveals his sexual orientation. The hacker makes that information public. Your customer is a prominent member of your community, and sues you for invasion of privacy. Alternatively, a hacker steals information about a customer's upcoming merger. The merger falls through due to the data theft. The customer sues you for failure to protect its data, alleging that your negligence caused the company to incur a financial loss.
- Extortion Losses: A hacker steals sensitive data (yours or someone else's) and then threatens to post it on the Internet unless you pay him a $50,000 ransom. Alternatively, you accidentally download ransomware by opening an infected email. The malware encrypts your data, rendering it unusable. The perpetrator then demands a ransom payment in exchange for an electronic key that allows you to "unlock" the encrypted files.
- Notification Costs: Most states have passed laws requiring you to notify anyone whose data was breached while in your possession. You may also be required to tell the victims what steps you are taking to remedy the situation.
- Damage to Your Reputation: A cyber-attack can seriously damage your company’s reputation. Potential customers may avoid doing business with you, believing that you are careless, that your internal controls are weak, or that an association with you will damage their reputation.
Risks of Using the Internet
Like many small businesses, your firm probably uses the Internet. Perhaps you maintain a company website that you use to advertise products or educate potential clients about your industry. Maybe you sell products or offer a service that customers can purchase online. Any of these activities can generate cyber risks.
Information you post on the Internet may be a source of lawsuits against your firm. For instance, a competitor alleges that you libeled his company in an ad you posted online. Alternatively, an industry rival claims that you infringed on his firm's copyright, trademark or other intellectual property right.
Little Coverage under Standard Policies
Most standard property and liability policies provide minimal, if any, coverage for the types of risks described above. A major problem with commercial property policies is that they exclude electronic data under the definition of covered property. While they may provide a small amount of coverage for damage to data caused by viruses and other perils, they do not generally cover losses involving hacking or extortion.
General liability policies mainly cover claims alleging bodily injury or property damage. Most cyber-attacks do not result in bodily injury or property damage, as these terms are defined in the policy. In addition, liability policies contain exclusions that eliminate coverage for many potential cyber claims. For example, Coverage A (Bodily Injury and Property Damage Liability) excludes damage to electronic data. Coverage B (Personal and Advertising Injury) excludes infringement of copyright, patent, trademark or trade secret.
As you can see, relying on standard property and liability policies as your main source of protection against cyber-attacks is a bad idea. You can safeguard your firm by purchasing cyber liability insurance.