As cyberattacks become more and more prevalent, cybercriminals are increasingly setting their sights on small businesses. While the payoff for hackers may not be as large when targeting smaller businesses, the success rate for an attack is generally much higher, as many small businesses lack the resources and expertise to implement robust cybersecurity protocols.
In order to better protect your business from cyber risk, you must first understand the types of threats you are likely to face. In this article, we cover some of the most common cyberattacks and threats that target small businesses, as well as a few best practices to safeguard against these risks.
Get a quote on Cyber Insurance
Small Business Cyber Threats
While there are a number of different cyber threats and attacks, below we’ve listed some of the more common ones that small businesses may see.
- Ransomware
- Double Extortion Ransomware
- Malware
- Spear Phishing
- Credential Stuffing
- Business Email Compromise
- Doxing
Ransomware
Ransomware is any malicious software that infects a device and locks down the system or blocks certain resources until the business pays a ransom. Ransomware has become a much more popular method of cyberattack in recent years, with hackers often asking for payment in bitcoin or other hard-to-track digital currencies.
Ransomware often comes in two main forms:
- Encryption ransomware: Encrypts your files so that they cannot be read, holding them hostage until you pay a ransom fee and can unlock them.
- Lock-screen ransomware: Shuts down access to your computer system or electronic device by locking you out.
Your computer systems can be infected with ransomware through a variety of means, including clicking on malicious emails or links, downloading infected files and attachments, or visiting unsafe websites.
Double Extortion Ransomware
Double extortion ransomware is a form of ransomware that is even more damaging for a victim. In a double extortion attack, the hackers threaten not only to prevent access to the victim’s system or data, but also to release the data to the public. This can be particularly damaging for small businesses with sensitive or confidential data, like protected health information or financial records.
Private business data that is released to the public or dark web can create even more headaches for a small business. The business may face litigation from customers whose data was compromised, regulatory fines, or shareholder lawsuits. The potential damage for a business can lead hackers to ask for greater ransom amounts, further exacerbating the problem.
Malware
Malware is any type of software intentionally designed to damage or exploit a computer, device, server, or network. Malware can come in many forms, including viruses, spyware, Trojan horses, worms, ransomware, and adware. This malicious software can be also be spread through a variety of means, including email attachments, malicious links or apps, infected USB drives, filesharing, messaging, and more.
Spear Phishing
While you may have heard of phishing, which is when a hacker poses as a trusted authority in order to gain personal information like passwords or credit card numbers, spear phishing is a more sophisticated form of phishing that uses personalization to trick the victim. While phishing attacks are often done at a large scale with non-personalized messaging, spear phishing attacks are targeted at specific individuals, often using unique details like location, names of friends or colleagues, or names of businesses the victim works with.
Spear phishing attacks have a much higher success rate than ordinary phishing, as hackers put more time and effort into finding personal information on the victim to make any messaging look more trustworthy and believable. Once the hacker gains the trust of the victim, they usually make a simple request, like asking the victim to click a link, open an attachment, or provide credentials.
Even if just one of your employees falls for a spear phishing attack, your entire company may be at risk. Once a hacker gains access to one device or platform, they can quickly make their way into other devices or systems on the network.
Credential Stuffing
Credential stuffing is a simple and common way that small businesses may be hacked. Essentially, credential stuffing is taking a username and password and trying them on a variety of websites. If a cybercriminal has somehow obtained an employee’s username and password for their Facebook account, for instance, they may try the same username and password to log in to corporate accounts, bank accounts, and more.
Credential stuffing is not the most sophisticated cyber threat, but it is often successful as many people reuse usernames and passwords across multiple sites and platforms. If a hacker can obtain just one of these credentials, they could potentially have access to a myriad of accounts.
Business Email Compromise
Business email compromise (BEC), or email account compromise (EAC), attacks are increasing in frequency, with devastating losses for businesses. These attacks involve tricking the victim into thinking they are receiving email from a legitimate, trusted source, and then convincing the victim to share confidential data, wire money, or other compromising activity.
BEC attacks can be carried out through a variety of methods, including spear phishing, spoofing (creating an email or website that looks authentic), or malware. Cybercriminals have been known to pose as vendors, partners, senior-level executives, customers, and other trusted entities. All it takes is one employee to fall for a scam, and your entire business could be put at risk.
Doxing
Doxing (or doxxing) is a type of cyberattack that is used to obtain and release embarrassing, confidential, or sensitive information about the victim. Generally, the purpose of doxing is to extort the victim or cause reputational or financial damage. For small businesses, your leaders may be most at risk of doxing. If negative information on your leadership is released to the public—even if it has nothing to do with the business itself—it could have a detrimental effect on your business as a whole.
Doxing can be achieved through a variety of methods, including phishing, tracking IP addresses, or using data brokers to purchase information on a victim.
Protecting Your Small Business Against Cyberattacks
While the list of cyberattacks may seem daunting, there are a number of simple actions your business can take to protect your data and systems, as well as mitigate risk. Just as an alarm system for your business may ward off potential criminals, basic cyber protections can help to prevent cyberattacks and data breaches. Here are a few steps you can take:
- Practice good login/password techniques. It’s not surprising that many successful cyberattacks stem from exploiting common or easily-guessed passwords. A little bit of password rigor can go a long way. Make sure you’re not using the same login and password across multiple accounts, create strong passwords (and require your employees to do the same), and consider using a password manager, like 1Password, which can automatically create strong passwords for you. For even higher levels of protection, use two-factor authentication, which forces you to confirm your identity with extra information, like a phone number or unique security code.
- Train your employees. You know what they say about the weakest link—all it takes is one employee to fall for a scam or get hacked for your entire business to be vulnerable. Make sure you are educating your employees on basic cybersecurity, like recognizing common phishing attacks, avoiding opening attachments or clicking on links from unverified sources, and implementing strong passwords.
- Keep your systems up to date. Many of the most famous cyberattacks took advantage of out-of-date software and known vulnerabilities. Make sure that your computers and network systems are always updated to the latest versions. Many of these updates are specifically to plug security holes, so it’s important to ensure you and your employees take the time to update all devices.
- Backup your data. If your data is ever held hostage, deleted, or lost, you’ll be thankful you had a backup in place. While you can subscribe to cloud backup services like Backblaze, it’s also wise to keep a physical backup of your data.
- Use security software. Many operating systems already come built-in with security and antivirus software, so you’re more than likely already decently protected from known viruses and attacks (just make sure your software is updated and activated). However, if you are on an older operating system, you may want to consider purchasing an off-the-shelf security product, e.g. Norton 360.
- Restrict access to sensitive data. By limiting the people at your company who have access to certain files, you’ll be lowering the risk of those files being hacked or that data being breached. Make sure you’re implementing varying levels of security access, with the most confidential data being shared with only those who absolutely need access.
- Invest in cyber insurance. Even with security measures in place, there’s still the possibility that your business suffers a loss from a cyberattack. Cyber liability insurance, also called cyber insurance or cyber risk insurance, can cover losses your business experiences due to cyberattacks, whether they are first-party losses or losses from third-party legal claims. Commercial crime insurance can also provide protections against cyberattacks executed through social engineering fraud. Commercial general liability and commercial property policies generally exclude coverage for cyber liability and electronic data, so you may not have coverage for data breaches without a cyber policy or cyber endorsement in place.
Do small businesses need cyber insurance?
Small businesses can benefit from cyber insurance and protection from cyber threats just as much as large businesses. While much of the news you hear about cyberattacks and data breaches likely involves security lapses at large corporations, like Equifax or Target, the reality is small businesses are just as at risk.
In fact, small businesses may be even more vulnerable, as many smaller companies lack the time, expertise, and resources to establish advanced security protocols, train employees, and implement strong digital protections. Additionally, the financial costs necessary to remediate a data breach may be out of reach for smaller businesses.
Cyber insurance can provide small businesses with the financial support they may need in the event of a cyberattack.
What does cyber insurance cover?
Cyber insurance covers financial losses from data breaches, hacking, viruses, denial of service attacks, and other similar cyber events. Cyber insurance has two major components: third-party liability coverage and first-party coverage.
First-party coverage protects your company when you incur expenses from a data breach or when your company is hacked. You may choose to purchase either or both types of coverage.
Third-party coverage provides protection when a customer, vendor, partner, or other party sues you for allowing a data breach to happen.
How much does cyber insurance cost?
The average cost of cyber insurance in the U.S. was $1,485 per year in 2020, and our mid-year update in 2021 found that average premiums had risen 7% to $1,589 per year, driven by an increasing number of cyber and ransomware attacks on businesses and a rise in demand for cyber coverage.
The costs of insuring your business against data breaches and hacking attacks will vary based upon the nature and size of your business, as well as the state in which your business is located. Below, we list the average cost of cyber insurance in each state, along with the difference between the state average and the national average.
| State | Average Cost of Cyber Insurance | Difference from National Average |
|---|---|---|
| Alaska | $1,532.89 | 3.23% |
| Alabama | $1,539.40 | 3.67% |
| Arkansas | $1,646.50 | 10.88% |
| Arizona | $1,581.50 | 6.50% |
| California | $1,430.18 | -3.69% |
| Colorado | $1,521.67 | 2.47% |
| Connecticut | $1,593.62 | 7.32% |
| District of Columbia | $1,539.25 | 3.66% |
| Delaware | $1,446.47 | -2.59% |
| Florida | $1,529.82 | 3.02% |
| Georgia | $1,450.54 | -2.32% |
| Hawaii | $1,519.46 | 2.32% |
| Iowa | $1,505.73 | 1.40% |
| Idaho | $1,483.70 | -0.08% |
| Illinois | $1,434.59 | -3.39% |
| Indiana | $1,484.06 | -0.06% |
| Kansas | $1,501.38 | 1.11% |
| Kentucky | $1,587.10 | 6.88% |
| Louisiana | $1,623.94 | 9.36% |
| Massachusetts | $1,380.59 | -7.03% |
| Maryland | $1,471.18 | -0.93% |
| Maine | $1,467.39 | -1.18% |
| Michigan | $1,339.33 | -9.81% |
| Minnesota | $1,708.11 | 15.03% |
| Missouri | $1,509.00 | 1.62% |
| Mississippi | $1,472.55 | -0.84% |
| Montana | $1,478.29 | -0.45% |
| North Carolina | $1,421.49 | -4.27% |
| North Dakota | $1,464.42 | -1.38% |
| Nebraska | $1,485.64 | 0.05% |
| New Hampshire | $1,431.99 | -3.57% |
| New Jersey | $1,615.25 | 8.77% |
| New Mexico | $1,355.36 | -8.73% |
| Nevada | $1,507.55 | 1.52% |
| New York | $1,616.70 | 8.87% |
| Ohio | $1,553.68 | 4.63% |
| Oklahoma | $1,513.03 | 1.89% |
| Oregon | $1,462.50 | -1.51% |
| Pennsylvania | $1,466.49 | -1.24% |
| Rhode Island | $1,541.58 | 3.81% |
| South Carolina | $1,398.83 | -5.80% |
| South Dakota | $1,489.45 | 0.30% |
| Tennessee | $1,500.20 | 1.03% |
| Texas | $1,459.22 | -1.73% |
| Utah | $1,515.10 | 2.03% |
| Virginia | $1,467.83 | -1.15% |
| Vermont | $1,457.70 | -1.83% |
| Washington | $1,449.80 | -2.37% |
| Wisconsin | $1,523.03 | 2.56% |
| West Virginia | $1,629.64 | 9.74% |
| Wyoming | $1,426.89 | -3.91% |
Besides the location of your business, a number of other factors can greatly affect the premiums that you pay for cyber insurance. Insurance companies will take into account the nature of your business, the number of sensitive employee and customer records you store, whether your business stores credit card and banking information on your customers, and the types of security defenses your company has undertaken. Additionally, if your company has a history of cyber insurance claims, or if it has been attacked or hacked in the past, your premiums may be higher.
Final Word
As cyber risk continues to increase for small businesses, it’s important that you stay informed and aware of possible threats, as well as understand how to protect your business against cyberattacks. For most small businesses, even implementing a few simple security measures and training protocols can mean the difference between safety and disaster. While there is a lot to learn in this space, the first step is understanding what the threats are. From that point, you can determine how and what you can do to better prepare your business for cyber threats. If you feel like you need cyber insurance and aren’t covered, check out our analysis of top cyber liability insurance companies.
Expert Commentary
AdvisorSmith spoke with the following experts to provide critical insight on cyber risk for small business owners.
Shaji Khan
- Associate Professor, Information Systems and Technology
- University of Missouri-St. Louis
Tirthankar Ghosh
- Associate Director and Professor
- Center for Cybersecurity
- University of West Florida
Q. Should small businesses be concerned about cyber risk?
Mathias: All businesses, regardless of size, need to be thinking about cybersecurity and the risks to their organization. The significant difference is that large businesses typically have deeper pockets, an information technology (IT) team, and maybe even a cybersecurity team. They also will have devices such as firewalls, intrusion detection systems, web application firewalls, and a host of other devices at their disposal and actively utilizing them. These larger businesses usually understand they are targets and “try” to protect themselves with people and technology.
On the flip side, small businesses do not typically have those deeper financial pockets; they are paying to keep the lights on, satisfy customers, and grow their business. Some small businesses may have limited IT staff, but they are not usually focused on security. Some small business owners and CEOs also think that their business is too small to be a target.
The analogy I use in my classes is this if you are a robber, would you attack the house that has its lights on, an alarm system, and/or a dog roaming around, or instead would they go for another home with no lighting, no alarm system, no dog, and maybe an open window? The answer is simple, yes, as the dark house with little or no security is an easier target, one that you can probably attack without being caught. The same goes for businesses; would a hacker instead go after a major chain business with a security team and devices locking down their networks or go after a smaller business that does not have that infrastructure? Without a doubt they will go after the easier target with the hope of greater gains.
I have worked at several businesses before entering academics, and it truly amazes me how smaller businesses think that no one would go after them because they are too small. An attacker is going to come after you because you have something of value to them whether you are small or big. Unfortunately, smaller companies do not usually have the resources of the larger businesses. They may also not have the oversight of policies and regulations that larger businesses might be under and are thus an easier target for an attacker.
Cyber risk will never be avoidable as any connected organization is vulnerable to attack from a malicious outsider; they are vulnerable to mistakes made by their employees and insider threats by trusted individuals. The answer here is simply yes, a small business needs to be very concerned about cyber risks to their business.
Shaji: Absolutely! Cyber risks apply to all types of organizations and small to medium size businesses are no exception. Small businesses should be concerned both from the perspective of cybersecurity threats and also from the perspective of exposure to liabilities via government regulations and loss of business after a cybersecurity breach.
It’s true that large scale attacks often specifically target big business or government based on extensive planning and motives such as extortion, espionage, intellectual property theft, or “hacktivism,” among others. However, cyberattacks and crimes are predominantly crimes of opportunity. Put simply, cybercriminals are business-size agnostic. It’s imperative that small businesses move away from thinking that they do not have anything valuable or, “Who will target us…”
From a technical standpoint, many attacks originate with criminals performing automated scanning of vast swaths of the internet to identify vulnerable Information Technology infrastructure. They will likely attack whatever is attackable. Based on the type of vulnerabilities and type of attacks, even attacks are often automated.
Thus, small businesses do face a very active threat environment. However, they often do not have resources to effectively respond to cybersecurity incidents. On the other hand, depending on the type of business, they face a quagmire of government regulations. The United States has 50 different state-level laws regarding data breach notifications. Even large organizations often struggle with compliance. Not to mention contractual obligations and exposure to legal action by customers.
No one is immune.
Tirthankar: The short answer is yes. As per the Ponemon Institute October 2020 report, the average cost of a cyber incident has exceeded $200,000 in 2019. Rush to work from home and allowing employees to blur the boundary between the office and home has reduced organizations’ security posture overall to 44% (Ponemon Oct 2020). Small and medium businesses (SMBs) are at a bigger disadvantage as their IT and cybersecurity resources are very limited. Another report from the Ponemon Institute last year found that almost two-thirds of SMBs have experienced some form of cyberattack in 2019 with a 76% increase in the U.S. from a prior three-year period.
A report from Verizon in 2020 indicated that 28% of the breaches in 2019 involved small businesses. The same Verizon report also indicated that 83% of data breaches against SMBs are financially motivated.
Several small businesses are part of a larger and global supply chain, and they can be entry points to a bigger and more impactful cyberattack. This, among other reasons, has increased the cyber risk exposure of small businesses and has attracted attention from various threat actors globally.
Overall, for businesses in general, the Ponemon Institute October 2020 study has shown that 56% of organizations surveyed reported that time to respond to cyberattacks has increased. Insufficient budget and lack of expertise come at the top again for challenges to deal with cyberattacks. Worse still, more than 50% of organizations, as per the Ponemon survey, responded that they do not educate their remote workers on cyber threats.
Q. How can a business effectively organize and manage cyber risk?
Mathias: The best way for businesses to organize and manage risk can be a big undertaking as the initial investments can be steep, but continual management gets easier over time. First, the business will need to identify the assets and activities that need to be protected (what are their proprietary assets needing to be guarded). Once the business determines what those critical assets are, it can identify any threats and vulnerabilities to them and those assets.
The next step is that the business will need to find controls (those devices—hardware or software) that can protect the business and its critical assets/activities. These first steps can be costly as the business would most likely need to bring in a third-party assessment team to help the business find any risks and recommend the necessary controls to protect them. Purchasing the controls and implementing them can also be costly as you need special training for staff in the business to monitor and tweak the controls.
After this has been completed, the business will move it to a more manageable stance as they need to make sure the implemented controls are tweaked for new threats/vulnerabilities. Finally, a new risk assessment should be completed annually (at a minimum). This will ensure that the business is always prepared for new threats and risks and is the most effective way to manage its risk posture.
Shaji: As the maxim goes, there is no such thing as 100% security. Thus, the best thing a business can do is to focus its efforts on managing information security risks. That is, to create and implement systems that help the business bring down the risks to an acceptable level. While one can take a variety of technical and non-technical actions to help mitigate cyber risks, it is best that businesses follow a systematic approach.
Many frameworks exist that can help guide organizations systematically manage information security risks. The two most widely used are 1) the National Institute of Standards and Technology (NIST) Cybersecurity Framework, and 2) the International Organization for Standardization (ISO) 27000 Family of Standards. The good thing about these two frameworks is that they can be used by organizations of any size and are fully customizable depending on business characteristics and needs. Another approach to manage risks that can be used in conjunction with a systematic information security management program is to transfer the risks via insurance.
Tirthankar: Businesses need to plan for effective mitigation strategies against cyber threats. Small businesses in particular, who do not have enough financial strength to deal with post-attack recovery, should prioritize their resources to strengthen their security posture. Some good cyber hygiene principles for businesses are:
- Know your risk
- Inventory assets
- Classify data
- Implement proper access control on a need-to-know basis
- Conduct periodic risk assessment (hire consultants if there is no internal resource or expertise)
- Develop and periodically revise security policy
- Have a data backup and recovery plan, test and implement the plan, conduct periodic review and testing
- Part of business continuity planning
- Conduct periodic internal vulnerability assessment (hire consultants if there is no internal resource or expertise)
- Install critical updates, test them before putting in production systems
- Have a test system ready for periodic testing and assessing vulnerabilities
- The test system must mimic production system
- Install honeypots if resources permit
- Install effective perimeter security like next generation firewalls and intrusion prevention systems
- Employee training
- Mandatory cyber risk training
- Periodic social engineering (phishing/spear phishing) training and exercise
- Employees should be encouraged to use multi-factor authentication and strong and long passwords
Q. Where do you see the cyber insurance market trending, and what are the main insurability challenges?
Mathias: The cyber insurance market is one of those new areas and is picking up speed regarding acceptance for businesses as a risk mitigation control. However, the problems we are seeing with this control are that price increases are becoming common as demand grows and attacks increase. As a result, some insurers are lowering coverage amounts to protect their businesses—the reasons go back to the lack of historical data.
Insurance companies can easily track the typical losses for other disasters over the years. However, cyberattacks and incidents have not been followed for long, making it harder for insurers to predict potential losses easily and is a trend in the insurance market related to cyber incidents. The United States Government Accountability Office released a report to congressional committees in May 2021 that summarizes the states of challenges faced by insurers and policyholders in the cyber insurance market.
Shaji: Large businesses have enjoyed cyber insurance protections for quite some time now. Large insurance providers such as Lloyds of London report an increase in the number of organizations obtaining insurance protections against cyberattacks. Ransomware attacks being one of the most common type of attack that renders well to insurance. However, I am not sure if small businesses have easy access to such insurance. I imagine, the costs will be prohibitive for most small businesses. I hope that market forces eventually lead to lower costs.
Tirthankar: According to Standard & Poor’s, the cyber insurance market will increase 20% to 30% per year on average in the near future. According to the Mordor Intelligence Report (2021), the cybersecurity insurance market was valued at $7.36 billion in 2020 and is expected to reach $27.83 billion by 2026. The market was valued at approximately $3.5 million in 2019.
As global supply chains become more intricated, businesses will increasingly face cyber risks that are beyond their perimeter and control, which will increase demand for cyber insurance. Increase in ransomware attacks will also increase demand for cyber insurance.
The main insurability challenges will come from absence of proper due diligence to implement security technologies and follow best practices. Businesses need to prioritize their resources—how much will be spent to implement these measures and how much will be used to transfer risk by buying insurance.