The Impact of Cyberattacks on Small Businesses

While larger business may look more attractive to cybercriminals in terms of the monetary reward, small businesses experienced a 40 percent increase in ransomware attacks last year. According to Coalition’s 2022 Cyber Claims report, these events raised insurance claim costs by over 50 percent.

Small businesses look more vulnerable and are seeing a growing number of attacks. If you’re worried about your business falling under the radar, here’s what you should know.

About the Cyber Claims Report

The Coalition report showed that hackers who seized a company’s data with ransomware demanded 20 percent more money. Small and medium-sized businesses saw more severe and frequent ransomware attacks 2021, with healthcare entities being regular targets:

• Businesses bringing in under $25 million saw a 56 percent jump, with the average claim costing $149,000.
• Attacks against mid-size companies grew 54 percent, with the average claim costing $358,000.

Although ransomware attacks are predicted to eventually plateau, the Coalition report shows that businesses of all sizes must anticipate a wider range of threats, including:

• Attacks exploiting software vulnerabilities, particularly Microsoft Exchange
• Digital supply chain attacks
• Funds transfer fraud, with attacks growing nearly 70 percent and losses doubling

Additional Insights

Accenture released a cybercrime study attempting to predict the field’s impact over the next five years. While these events may cost companies of all sizes up to $5.2 trillion, only 14 percent of small businesses have appropriate defense tools and procedures. Attacks not only interrupt operations but cause more than half of all businesses to permanently close. 

Frequent targets include organizations that serve a large population but often have fewer cybersecurity resources, like healthcare organizations, educational institutions and municipalities, where the effects of a network or data interruption could be disastrous. 

In line with these findings, a report from Hiscox report found that small businesses often experience a disconnect in terms of vulnerabilities and protective measures:

• Small businesses often prioritize the security requirements of their business partners over existing threats.
• Smaller businesses tend to believe that employees working remotely increase their risks for attacks.
• The company server is often overlooked when it comes to defending attacks.
• Over one-third of small businesses in the U.S. do not inform stakeholders when a cyberattack has occurred, which can violate disclosure laws in certain states.
• Nearly half of all small businesses do not have cyber liability insurance coverage.

While more businesses are starting to budget for cybersecurity threats, these costs need to take into account the full effects of a breach, including:

• The ransom amount – it’s recommended to avoid paying out or negotiating.
• Replacing damaged equipment.
• Working with more specialized cybersecurity experts.
• Lost income and productivity for the length of the attack.
• Potential lawsuits if you do not inform your customer base.
• Damaged relationships with clients and vendors that affect your future reputation.

Strategies to Help Reduce Cyberattack Risks

The Coalition report found that one primary factor causes cybercriminals to target small businesses: Outdated technology. An analysis of your website and internet presence can indicate if your business makes an effort to stay updated or uses older practices.

Cyberattacks have become more complex over the years, targeting both mobile and desktop devices with more specific techniques. With these points in mind, develop a cybersecurity strategy for your small business that factors in:

• Education: Make sure all employees are aware of common cyberattack techniques and the mechanisms in place to prevent them. Review ways to recognize phishing schemes and the importance of using a virtual private network (VPN) at home.
• All Resources: Have someone in-house or remotely monitor your network for intrusion attempts and record any incidents.
• Monitoring: Do not depend solely on software. Ideally, your business has an IT or cybersecurity professional who stays up-to-date on the latest threats and regularly assesses the network for vulnerabilities.
• Laws: Connecticut holds businesses accountable for not notifying customers of a breach. Updated in October 2021, the state’s Data Breach Notification Law expanded its definition of personal information to include a first name or initial in combination with a social security number, driver’s license or state ID number, credit or debit card number or financial account number with a password or other access information. When a breach that could potentially cause harm occurs, Connecticut businesses must notify their customers of the incident within 90 days, unless federal law specifies a shorter deadline.

Rather than putting your business at risk, update your cybersecurity plan with sufficient data breach insurance. To discuss coverage options, contact a HUB/Ion Insurance agent today.