- How vulnerable are small businesses to cyber threats?
- What are the biggest threats?
- How can small businesses protect themselves? What security measures should they practice?
- What role does cyber insurance play in cyber prevention and recovery?
- What makes a good cyber insurance policy? What’s covered? How much do small businesses need?
- How expensive are cyber insurance policies and is there anything small businesses can do to save on a cyber insurance policy?
- What our expert says
How vulnerable are small businesses to cyber threats?
Small businesses are often incredibly vulnerable to cyber threats. As many have written or said before, small businesses face the same threats as large businesses but without the same resources. It’s estimated that between 43% and 46% of cyber attacks target smaller organizations, on the assumption that their defenses will be weaker, if present at all.
Cyber criminals are looking for low-effort and efficient payouts. A small business that’s easy to breach will pay off much faster than a large organization with more complex defenses.
Security hygiene, however, is not just about minimizing the risk of a catastrophic event. Security is a business growth strategy. As the world gets more complex and interconnected, both B2B and B2C customers are examining the security and privacy practices of the people and organizations they work with. A strong security program protects your business and business growth.
Companies that promote security and privacy as a value proposition have a competitive advantage.
In a customer survey conducted by I.T. company Cisco, 75% of consumers said they would not purchase from organizations they don’t trust with their personal data. A study by the International Association of Privacy Professionals found that more than 80% of impacted consumers are likely to cease business with a company after it suffers a cyberattack, and an unfortunate – but well known – statistic indicates that 60% of small businesses will close within six months of a cyberattack.
What are the biggest threats?
Every business is unique, and particular threats will carry different probabilities and impacts for each. That said, below are five common threats, along with the recommended controls for protection.
Phishing: Phishing remains one of the biggest threats for businesses of all sizes. In years past, malicious emails were often painfully obvious due to grammatical errors or low production quality, for example. With the advent of artificial intelligence, phishing emails are getting increasingly sophisticated. A phishing email is designed to trick a user into opening an attachment, clicking on a link, or providing privileged information – such as login credentials. All it takes is one human mistake to bypass a host of other security controls.
Employee training, email filtering, and endpoint detection and response software can all help mitigate risks associated with phishing attacks.
Ransomware: Ransomware is a type of malware that encrypts a company’s data, and threat actors may promise the decryption key – and restoration of data – in exchange for an exorbitant ransom payment. This can cause serious business disruption. Even with payment, there’s no guarantee that threat actors won’t release sensitive information – like customers’ personally identifiable information, or PII, or sell it on the dark web – leaving a business open to further loss or litigation. Ransomware can infect a company’s systems via a phishing campaign or through a vulnerability within a company’s network.
The best approach to protect your company includes robust backup procedures – if you have reliable copies of your data, you’re less likely to find yourself in the position of having to pay a ransom – endpoint protection and response for company computers and servers, and network segmentation.
Business email compromise: Attackers will often try to impersonate senior leaders or known company partners in order to trick employees into transferring money or sensitive data.
Documented verification, payment, and change policies, multi-factor authentication and email authentication protocols can help your organization avoid business email compromise.
Weak passwords and credential stuffing: Human beings are predictable creatures, and threat actors know that people will create simple passwords that are easy to remember or reuse passwords across multiple sites and services. Criminals can use brute-force tactics to guess at passwords, and with today’s computing power a simple password like 123456 doesn’t take long to crack. They can also purchase stolen or leaked credentials from the dark web, or use a social engineering or phishing attack to obtain a user’s credentials, and then employ what’s known as a credential stuffing attack – trying the same list of credentials on multiple sites and systems.
Strong password policies, password managers, and multi-factor authentication are key to the prevention of this type of exploitation. The U.S. Cybersecurity and Infrastructure Security Agency, the CISA, offers guidance on creating strong password policies.
Supply chain vulnerabilities: An organization’s vendors, partners, and suppliers all become a part of what’s known as the attack surface. Attackers will often look to exploit a weakness in a third-party software or supply chain to gain access. Think about the critical software your company uses: Does that company have good security hygiene? How would you operate if that supplier or product was compromised?
Third-party risk management should include security assessments of critical vendors, ongoing monitoring of third-party access, and business continuity planning in case a critical system becomes unavailable.
How can small businesses protect themselves? What security measures should they practice?
It can feel overwhelming to get started, but don’t let that stop you.
No organization, even those with sizable security budgets and teams, can be 100% secure as the threat landscape continues to evolve. Every business is a target, and what you want to do is take steps to make yours a smaller one. This isn’t only about spending more money or implementing fancy tools. As the CISA website points out: “cybersecurity is about culture as much as it is about technology.” Everyone is responsible, and everyone has a part to play.
In addition to the controls mentioned above, I encourage small businesses to take advantage of tools, services, and protections they may already be paying for. Can you do more within your Google Workspace Admin dashboard to protect your business, such as requiring multi-factor authentication or enforcing strong passwords? Does your cyber insurance provider offer complimentary tools or services? AmTrustCyber, for example, offers a suite of complimentary services and tools designed to help our policyholders take a proactive approach.
Full-time security personnel may not be in the budget for smaller organizations, and many tools are created and priced for large organizations with high employee counts and hefty budgets. Small businesses may see the most return for security spending by utilizing a managed security services provider. MSSPs can offer services such as continuous monitoring, project consultation and deployment, managed endpoint protection and response, and professional guidance to help you craft the right security strategy for your business. Security is contextual and far from a one-size-fits-all industry.
With all that context as a lead-in, here is a list of key recommendations:
- Multi-factor authentication: Require it wherever possible. Encourage your employees to utilize MFA for their personal accounts as well.
- Strong password policy and management: Many password managers have free versions available.
- Endpoint security: Anti-virus protection is good, but a more robust and reputable endpoint detection and response tool is better.
- Secure, tested backups: Threat actors will have less leverage in a ransomware situation if you can reliably restore your operations through uncompromised backups.
- Network security: This includes properly configured and monitored firewalls, VPNs, and Wi-Fi security.
- Access controls and adherence to the “least privilege” principle: Employees should only have access to the permissions and data needed to fulfill their job responsibilities – no more, and no less.
- Regular software and system updates: Outdated software is a prime target for criminals. Don’t put off updating your software and installing security patches as released.
- Vendor and third-party management: Scrutinize the security practices of third-party software and vendors that are a part of your environment. Monitor access and have a business continuity plan should critical systems become compromised or otherwise unavailable.
- Security awareness training: Train your employees to recognize phishing, social engineering, or indicators of compromise within your environment.
- Logging and monitoring: The average “break out” time, or the time it takes from a criminal’s initial access to when they are able to move laterally within your environment, fell to 48 minutes in 2024. This means it’s imperative for businesses to detect and respond as quickly as possible to potential threats. Active monitoring and logging, either with an internal team or external service, is essential to both limit potential damage and effectively recover from a security incident.
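To make the credential stuffing pattern described earlier and the break-out time point above concrete from the monitoring side, here is an added example that is not from the article or from AmTrust: two detection rules run over a constructed authentication log. The log format, the addresses, the user names, and the thresholds (five distinct accounts failing from one source within ten minutes; three distinct hosts reached by one account within the 48-minute break-out window) are assumptions chosen for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample authentication log (not from the article):
# timestamp, result, user, source address, target host.
SAMPLE_LOG = """\
2024-05-01T09:00:00 FAIL user=alice src=203.0.113.7 host=vpn
2024-05-01T09:00:02 FAIL user=bob src=203.0.113.7 host=vpn
2024-05-01T09:00:05 FAIL user=carol src=203.0.113.7 host=vpn
2024-05-01T09:00:09 FAIL user=dave src=203.0.113.7 host=vpn
2024-05-01T09:00:12 FAIL user=erin src=203.0.113.7 host=vpn
2024-05-01T09:05:00 FAIL user=frank src=198.51.100.4 host=vpn
2024-05-01T08:00:00 OK user=dave src=10.0.0.9 host=ws-03
2024-05-01T10:00:00 OK user=carol src=10.0.0.5 host=ws-12
2024-05-01T10:10:00 OK user=carol src=10.0.0.5 host=fileserver
2024-05-01T10:20:00 OK user=carol src=10.0.0.5 host=dc01
2024-05-01T12:00:00 OK user=dave src=10.0.0.9 host=fileserver
"""

def parse(text):
    # Turn each space-separated line into a dict with a datetime timestamp.
    events = []
    for line in text.splitlines():
        ts, result, *kv = line.split()
        fields = dict(p.split("=", 1) for p in kv)
        events.append({"ts": datetime.fromisoformat(ts), "result": result, **fields})
    return events

def distinct_within_window(events, key, value, window, threshold):
    """Keys for which at least `threshold` distinct values occur inside one sliding `window`."""
    recent = defaultdict(deque)  # key -> deque of (timestamp, value), oldest first
    flagged = set()
    for ev in sorted(events, key=lambda e: e["ts"]):
        q = recent[ev[key]]
        q.append((ev["ts"], ev[value]))
        while ev["ts"] - q[0][0] > window:  # expire entries older than the window
            q.popleft()
        if len({v for _, v in q}) >= threshold:
            flagged.add(ev[key])
    return flagged

def credential_stuffing_sources(events, window=timedelta(minutes=10), threshold=5):
    # One source failing against many different accounts, not many tries on one account.
    fails = [e for e in events if e["result"] == "FAIL"]
    return distinct_within_window(fails, "src", "user", window, threshold)

def breakout_candidates(events, window=timedelta(minutes=48), threshold=3):
    # One account reaching several distinct hosts inside the break-out window.
    ok = [e for e in events if e["result"] == "OK"]
    return distinct_within_window(ok, "user", "host", window, threshold)
```

On the sample log, `credential_stuffing_sources(parse(SAMPLE_LOG))` flags only `203.0.113.7` and `breakout_candidates(...)` flags only `carol`; dave's two logins are four hours apart and fall outside the window.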
In addition, have an incident response plan. What will you do if you suspect a security incident or data breach? I recommend cyber insurance protection as a part of this plan, as a reputable carrier can not only help you recover from potentially devastating financial impact but can provide you with knowledgeable experts who will help guide you through incident management and recovery.
What role does cyber insurance play in cyber prevention and recovery?
A thorough cyber insurance policy can offer financial protection in the event of an incident or breach and can cover the costs of forensic investigation, data restoration and infrastructure repair, as well as legal, compliance, and public relations support. However, the benefits aren’t all on the post-incident side.
Proactively, working with a cyber insurance carrier can provide security assessments and risk evaluation along with best practice guidance, employee training resources, and professional services and tools (complimentary or at a discount) to protect your business. Businesses with good controls in place are often rewarded with advantageous pricing, so incentives exist to put solid controls in place.
It’s important to recognize that a cyber insurance policy does not replace the need for cybersecurity controls. Even with financial protection in place, a cybersecurity event can have a catastrophic impact on a small business, causing irreparable reputational harm or unsustainable business interruption. The best strategy is to address risk from multiple angles – insurance and prevention.
What makes a good cyber insurance policy? What’s covered? How much do small businesses need?
A good cyber insurance policy is one that fits the needs of your business. An organization may be required to carry a prescribed amount of coverage due to contractual obligations, or it may feel that the impact of a potential security event would be small. As with any insurance policy, the organization should consider the probability and impact of potential threats and its ability to absorb and/or recover from them.
Understand the coverage being offered for the premium you pay. What are the limits? Is a ransomware payment covered? Up to how much? Will the carrier provide a threat actor negotiator? Digital forensics and incident response? Breach counsel?
Ask questions, and don’t rely on assumptions. Working with a knowledgeable agent or broker can help small businesses navigate cyber insurance requirements and coverage.
How expensive are cyber insurance policies and is there anything small businesses can do to save on a cyber insurance policy?
I hesitate to document any numbers related to expense as – again – everything is contextual, and the market is in constant flux. Cyber insurance is generally very affordable and, for small businesses, likely to fall within the $500- to $5,000-a-year range. But, of course, this depends on several factors, including industry, company size, existing security controls, and history of claims or cyber incidents.
There are certainly steps that small businesses can and should take to save on a policy, notably implementation of some basic controls, as I shared above.
A good carrier should act as a partner in your security journey and work with you to fortify your defenses.