Cyber Risk for Small Businesses: Understanding Your Individual Risks and What You Can Actually Do
Cyber risk has evolved alongside technology and society’s reliance on digital tools that connect us and make our tasks easier to complete.
Where once cyber threats were seen as solely a privacy-related risk, in which employee or customer data is exposed, cyber attacks involving malware and ransomware are shutting down businesses and can cost a small company hundreds of thousands of dollars to get back up and running.
This has made cyber risk increasingly important to address, especially for small businesses that may not have the resources their large company counterparts have to combat an attack.
“The larger companies have resources that will help them detect and respond more quickly if a cyber event comes to the forefront,” said Aaron Basilius, senior vice president, cyber, AmTrust Financial Services.
Small businesses, however, almost never have a dedicated cyber team to handle risks that come their way.
“Very few have employees dedicated solely to cyber security,” Basilius said. “But this is a risk that is always present and always lurking, even if it’s not something you’re always thinking about.”
It’s easy to forget the threat cyber poses to small business, especially if networks, emails and other communication systems are working. But, Basilius added, that does not mean small businesses are not vulnerable.
“It’s important that the small business knows its exposures and partners with experts that will help to address them,” he said.
Understanding Small Business Cyber Risk Vulnerability
When it comes to the specifics, small business cyber risk is similar to larger businesses in many ways — data breach, malware and the like can happen to all organizations.
Small businesses, however, are likely to face longer-lasting and harder-hitting consequences if a threat goes undetected or unanswered.
One recent data breach report released from Verizon noted that 43% of cyber attacks are aimed at small businesses. Another report found the average financial burden of an attack could reach upwards of $200,000.
There are 30.2 million small businesses in the U.S. alone, and technology is a key part of how these businesses interact with customers. The internet has opened the door for enhanced communication and operations, but it also lays the groundwork for hackers to step in.
“Hackers want to maximize the return on as little effort or expenditure as possible,” Basilius said.
“The advantage of targeting large, multinational businesses is the reward of a big payout,” he continued. “But hackers know large companies have significant resources to defend against threats.”
So, while a payout from a large company might look like a huge win for a hacker, the effort required to get it might not be ideal.
“Do small businesses have huge bank accounts like multinational corporations? No. But It’s easier to, on the whole, get into a small business’s system,” said Basilius. “A hacker doesn’t have to go to similar lengths to get in there.”
Targeting individual employees through phishing schemes becomes a lot easier when a company does not have sophisticated firewalls to block suspicious emails. Likewise, disguising one’s email to mimic a vendor or contractor for the small business can be as simple as a few keystrokes.
“These thieves can come in and lock down a small businesses whole system for a ransom. Yes, it’s a smaller payout, but at the same time, it’s an easier target. We’ve seen small businesses paying these ransoms, too, just to be able to stay up and running,” said Basilius.
How Cyber Risk Impacts Individual Industries
Knowing and understanding a small business’s vulnerabilities is key when it comes to preventing cyber threats. But another thing to remember is that small business cyber risk is vast and different for each industry, whether it be a retailer or a small manufacturer. That’s why getting a handle on cyber exposures is all the more vital.
For example, a small retailer might be keen on protecting customer personal data, whereas a small manufacturer might not have to review such an exposure.
“It’s important that they understand their individual risks and address them in a way that’s best for their business,” Basilius said.
Here’s just a glimpse at how cyber threats might differ for three individual industries:
1) Retailers
Small retailers might have two means of collecting customer data: through brick-and-mortar stores or online. Either way, that customer data is an important asset that they must protect.
“Many will have some type of credit card processor in use,” Basilius explained, “and will need to understand what protections that processor offers.”
Where is the data residing, he asked. Does the data stay on the retailer’s system, or does it go directly through the processor and get stored on its systems?
Another area where data can become vulnerable is through tracking information. “If they have a website, are they using cookies to track visitors and potentially build profiles around them?” Basilius said. “With laws like the California Consumer Privacy Act, retailers have to make sure their practices are in compliance with data privacy and collection laws.”
Operationally, as well, a malware or ransomware attack could stop a retailer in its tracks. If its networks or critical applications are down the retailer may not be able to process payments or even operate its website which, if severe enough, may make it impossible to do business.
“You have to look at not only the exposure from a privacy perspective for a retailer, but also operationally,” said Basilius.
2) Small Manufacturer
As mentioned, a small manufacturer might not have the same cyber exposures as a retailer, but that does not mean they are not vulnerable to attack.
“Small manufacturers have to review the systems they rely on. Are operations heavily automated, and if so, is that automation dependent on technology to direct and guide it?” Basilius explained.
Manufacturers also have to keep their orders in place and know when and what orders need to be met.
“That’s something that they rely on in real-time — how much do they need to make, where are they sending it, who needs to take it there. All of those things are typically heavily dependent on technology to help automate and streamline the process.”
Without the use of that tech, a manufacturer could be flying blind when it comes to meeting customer orders.
“This is place where the lost revenue could really add up, enough to significantly impact the bottom line,” Basilius added. “And it can become an existential threat if the system is down for long enough.”
3) Restaurants
Here’s another industry that collects credit card data, Basilius noted. And that is also a potentially vulnerability that must be reviewed and accounted for.
But another thing that those in the food services business do need to keep an eye on is how cyber risk can impact their supply chain.
“Restaurants, for example, have to review what technological dependencies they have in communicating with their suppliers and vendors. If their systems are down, will their vendors know what they need and when they need it? Or will that supply chain be interrupted or impacted because the underlying technology was unavailable or impaired?” Basilius said.
Steps Small Businesses Can Take to Combat Cyber Risk
Protecting against cyber threats and bolstering security efforts starts with reviewing where vulnerabilities lie and deciding how best to address those risks with expert vendors and insurance partners alike.
Basilius said that the key thing for small business owners and operators to do is think about what will help them grow and achieve their goals.
“When small businesses are thinking about the future and growing their business, they have to take a moment to sit back and say, ‘Okay, what do I need to make sure that I am protected? What do I need that will enable me to operate in the event something happens?’ ”
They must understand their business and what they rely on to keep running. More often than not, that will include technology.
“Malware threats overwhelmingly tend to come through email,” he added. For that, Basilius recommends small businesses start putting cyber threat prevention efforts in place through good email hygiene practices. Train employees on good email habits, including being on the alert for and recognizing suspicious links. There are software solutions that can filter suspicious emails.
“Also, make sure when employees are logging in that their passwords are complicated and more secure. I would consider multi-factor authentication if possible,” Basilius said. This type of safeguard requires employees logging into a system to respond to a second notice, usually sent to a phone, to verify that they are the person logging in.
“It’s an extra step, but it can prohibit hackers from getting in.”
Even having regular conversations with risk partners will also help prevent cyber incidents. “Cyber insurance isn’t just a way to have money available in the event of an incident; the small business is also gaining a partner with experience in mitigating and responding to cyber risk,” he said.
“You want to make sure that you have a partner that will be able to not only provide the funds necessary and reimburse you in the event of a loss, but also, you want to partner with someone who’s experienced and can help guide you through that process.” &