Cybersecurity apathy still rules the day

Oct. 27, 2017
Surveys show greater awareness among enterprise executives, but many – especially SMBs – continue to embrace the 'it won’t happen to me' attitude

Large-scale data breaches have become such a routine occurrence in recent years that many Americans have become apathetic. One of the big three credit reporting bureaus is taken down…oh well, what’s for dinner? Your insurance company just got taken for millions of health records…that’s alarming, but is it Friday yet? Another entertainment company is attacked…that’s terrible, what’s on HBO tonight?

Worse though is that the same apathetic attitude is pervasive among many executives and business owners – especially those who run small businesses. While hackers have proven time and again that nobody is safe (there’s really no type of industry or organization in the public or private sector that hasn’t been targeted in some way by hackers), smaller businesses in particular seem almost ambivalent about the threats their companies face.

Reinforcing that perception was a recently released survey conducted by insurer Nationwide that focuses on small- and mid-sized businesses (SMBs) with between one and 299 employees. It revealed that nearly half (45 percent) of the more than 1,000 business owners polled said they had been a victim of a cyber-attack and did not recognize it.

Perhaps more troubling than the fact that they did not know about the attacks is that more than three-quarters of business owners said they had no cyber-attack response plan in place, and more than half reported they had no plan in place to protect employee or customer data.

Why such apathy? The survey reveals a typical human response – the “it will never happen to me” reaction. In fact, more than three-quarters of small business owners (76 percent) in the survey thought that a cyber-attack was unlikely to affect their business and another 41 percent of respondents believed that such attacks happened more frequently in large businesses than in small businesses.

Karen Johnston, technical consultant with Commercial Staff Underwriting at Nationwide, says it is concerning that so many small business owners have the misconception that they won't be targeted by a cyber-attack – especially when recent studies have found cyber-attacks are targeting small businesses at an ever-increasing rate.

“I think there are a few things that make small business owners feel like they won’t be targets,” Johnston explains. “First of all, all of the headlines are from large corporations being affected by a cyber breach, so the media is not really talking about these smaller business owners that are also being affected. Secondly, they feel like they don’t have information cyber criminals are looking for, which is also incorrect. They are collecting a lot of the same information that larger companies are collecting – personal information on their employees and customers, and they do online banking themselves. It is very similar to a larger company, just on a smaller scale.”

The Flip Side: Enterprises

Another survey – conducted by Zogby Analytics on behalf of The Hartford Steam Boiler Inspection and Insurance Company (HSB) – reveals that more than half of all U.S. businesses polled (53 percent) reported that they had experienced a cyber-attack in the past year.

This survey, which focuses on responses from 400 C-suite and other senior executives, also found that 72 percent of businesses spent $5,000 or more to investigate each cyber-attack, restore or replace software and hardware, and deal with other consequences. Of course, those costs can skyrocket; in fact, 38 percent spent $50,000 or more to respond, and 10 percent reportedly spent $100,000 to $250,000. In the worst cases, seven percent had to spend more than $250,000 to address a cyber-attack.

Executives in this survey also had profound concerns about the damage cyber criminals could do to their companies. Seven in ten executives said they were concerned that data would be destroyed as a result of a cyber-attack, and 62 percent were concerned about equipment damage. Those fears were validated by the survey’s results, which found that the most common consequence of a cyber-attack was data loss (60 percent), followed closely by business disruption (55 percent).

Even among these cybersecurity-sensitive executives, according to Timothy Zeilman, vice president for HSB, many still show the persistent “it’s not going to happen to me” attitude when it comes to purchasing cyber insurance – although it tends to change depending on the market/industry.

“We find that people who work in industries that know they have an exposure – healthcare or finance, for example, where they know they are targets – buy cyber insurance in relatively large numbers,” Zeilman says. “But people in other organizations and industries – manufacturing, service industries and things like that – tend to think this affects retailers and financial institutions, and not them. From our own claims experience, that is really not the case.”

The Challenge Facing SMBs

Unlike many of their larger counterparts, smaller companies do not have the resources to recover from a data breach, and Johnston says many will end up closing their doors as a result.

According to the Nationwide survey, more than 20 percent of cyber-attack victims spent at least $50,000 and took longer than six months to recover; however, seven percent said they spent $100,000 or more and five percent reported that it took them a year or longer to rebuild their reputation.

“I think just maybe knowing of another small business that has suffered a breach might be more eye-opening and help them understand all that is involved to recover – which might spur them into action,” Johnston adds.

What Businesses Are Doing Right

Zeilman says the businesses that have decided to tackle cybersecurity threats head-on are not only investing in personnel and technology, but they are also making a concerted effort to train all of their employees on how to be more cyber aware. “When it comes to cybersecurity, you can have the best technical security in the world, but if you have naïve or gullible employees, that can be a way in around all of the security protections you’ve worked so hard and spent so much money to put in place,” he adds.

Perhaps one of the biggest barriers that businesses have to overcome with cybersecurity training, according to Zeilman, is the tension between properly securing networks and remaining flexible enough to allow employees to do their jobs in the most efficient way possible. In fact, the phenomenon of “shadow IT” – which essentially involves workers using devices and applications outside those provided and administered by a corporation’s IT department – is a prime example of how employee productivity and cybersecurity policies are at odds within many organizations.

Zeilman says he was pleasantly surprised to see more organizations participating in the cyber insurance marketplace as nearly two-thirds (61 percent) of companies in the HSB survey said they had purchased or increased their level of cyber insurance coverage over the past year. In addition, 56 percent reported that they had purchased cyber insurance for the first time.

“Not so long ago, maybe as recently as 2013 or 2014, the cyber insurance purchasing rate of businesses – particularly smaller businesses – was quite low,” Zeilman explains. “The rate has increased in the past couple of years, but it is surprising and encouraging to see in this study that significant portions – over half – were buying cyber insurance.”

With regard to SMBs, Johnston says many have basic protections in place, such as requiring employees to have unique passwords to log in to their computer systems and mandating that they be changed at a regular interval. However, she says that they too need to be providing employee cybersecurity awareness training. In addition, Johnston says they need to have a plan in place on how to respond in the event of a cyber intrusion, which would include having a list of cybersecurity experts they can reach out to for help.

For business owners thinking about purchasing cyber insurance, Zeilman recommends working with a broker who has experience in the field and asking questions about recent incidents and how your company would be covered under similar circumstances. “One of the issues in the insurance industry today is there is a wide range of experience and expertise among agents and brokers about cyber insurance,” he says.

In terms of how much and what kind of coverage a company needs, Zeilman says it largely depends on what kind of business it is and the type of information it handles. “Depending on the kind of business you are, your exposure might be customer payment information or it might be business interruption, if manufacturing lines go down,” he says. “But it is encouraging that more businesses are not just mitigating those risks through security hiring and spending, but also through other mitigation devices like cyber insurance.”

About the Author: 

Joel Griffin is the Editor-in-Chief of SecurityInfoWatch.com and a veteran security journalist.