As cyber and ransomware attacks become more common, small businesses are facing increasing cyber risks. While cyber insurance as a product has been around for over a decade, the market has accelerated significantly due to the shift to remote work and cloud computing. More and more, small businesses are becoming the targets of cyberattacks, and increasingly, these businesses are looking to cyber insurers for financial protection against cyber losses.
AdvisorSmith conducted a survey of 1,122 U.S. small business owners and managers to understand their familiarity with cyber insurance and how they are preparing against cyber threats.
64% of small businesses aren’t sure what cyber insurance is
Our survey showed that overall, 64.2% of small business owners were not familiar with cyber insurance, with 25.3% saying they “do not know what cyber insurance is,” and 38.9% saying they were “not sure what cyber insurance covers.” It’s clear that it is still early in the adoption cycle for small business cyber insurance, but as cyber threat actors shift from big-game hunting to smaller targets, cyber insurance may become a more common coverage for small businesses.
Here is a breakdown of how familiar small businesses are with cyber insurance:
- 39%: Not sure what cyber insurance covers.
- 25%: Do not know what cyber insurance is.
- 19%: Know what cyber insurance is, but have no plans to purchase.
- 17%: Have some form of cyber insurance coverage.
72% of small businesses that purchased cyber insurance did so after hearing about or being the victim of a cyberattack
While other business insurance types like commercial general liability are almost automatic coverages for any business, and some coverage types like workers’ compensation insurance are required by law, cyber insurance is still generally thought of as optional for many businesses. However, our survey showed that experience with a cyber loss is a primary driver of seeking cyber coverage. Of those small businesses that carry cyber insurance coverage, the majority of them decided to purchase the coverage because they had either heard about a cyberattack or were the victim of one.
- 48%: Purchased cyber insurance after being the victim of a cyberattack or cyber loss.
- 20%: Purchased cyber insurance because of the high risks in their industry.
- 19%: Purchased cyber insurance after someone they knew was the victim of a cyberattack or cyber loss.
- 8%: Purchased cyber insurance upon recommendation from a broker or agent.
- 5%: Purchased cyber insurance after hearing about cyber threats in the media.
69% of small businesses are concerned about being the victim of a cyberattack
Our survey showed that overall, 69.2% of small business owners were concerned about being the victim of a cyberattack in the next 12 months, with 24.9% saying they were “very concerned” and 44.3% saying they were “somewhat concerned.” The remaining 30.8% said they were “not concerned at all.”
Younger business owners 1.8x more likely to be concerned about cyber threats
Interestingly, an active concern about cyber threats skewed younger, with 31.2% of business owners aged 18-29 saying they were “very concerned,” compared to only 17.1% of those aged over 60, 23.3% of those aged 45-60, and 24.3% of those aged 30-44. The same trend was seen among those who said they were “not concerned at all,” with 34.2% of those 60 and older not having any concerns about cyber threats, compared to only 23% of those aged 18-29.
|Age||Very concerned||Somewhat concerned||Not concerned at all|
This trend may prove to be in the favor of cybercriminals, as oftentimes, it is the older generation that is actually targeted more heavily for fraud and identity theft as they tend to be less technically savvy than younger individuals.
72% of small businesses have implemented cybersecurity precautions
A majority of small business owners and managers have prepared in some way for the threat of a cyberattack. While this seems like a promising step, 28% of respondents still have not implemented any form of cybersecurity protocols. Even a few basic cybersecurity measures can make a big difference in helping your business ward off cyberattacks and data breaches.
The following is a breakdown of the types of cybersecurity preparations small businesses have taken:
- 21%: We have implemented a strong password policy.
- 20%: We have implemented multi-factor authentication.
- 17%: We have implemented data encryption.
- 16%: We have purchased cybersecurity software.
- 16%: We regularly train our employees on cybersecurity.
- 9%: We have hired a cybersecurity consultant.
Protecting Your Small Business Against Cyberattacks
For small businesses, just one cyberattack could mean losses and damages that are irrecoverable. To combat the threat of a cyberattack, consider taking these simple actions to beef up your cybersecurity:
- Practice good login/password techniques. It’s not surprising that many successful cyberattacks stem from exploiting common or easily-guessed passwords. A little bit of password rigor can go a long way. Make sure you’re not using the same login and password across multiple accounts, create strong passwords (and require your employees to do the same), and consider using a password manager, like 1Password, which can automatically create strong passwords for you. For even higher levels of protection, use two-factor authentication, which forces you to confirm your identity with extra information, like a phone number or unique security code.
- Train your employees. You know what they say about the weakest link—all it takes is one employee to fall for a scam or get hacked for your entire business to be vulnerable. Make sure you are educating your employees on basic cybersecurity, like recognizing common phishing attacks, avoiding opening attachments or clicking on links from unverified sources, and implementing strong passwords.
- Keep your systems up to date. Many of the most famous cyberattacks took advantage of out-of-date software and known vulnerabilities. Make sure that your computers and network systems are always updated to the latest versions. Many of these updates are specifically to plug security holes, so it’s important to ensure you and your employees take the time to update all devices.
- Back up your data. If your data is ever held hostage, deleted, or lost, you’ll be thankful you had a backup in place. While you can subscribe to cloud backup services like Backblaze, it’s also wise to keep a physical backup of your data.
- Use security software. Many operating systems already come built-in with security and antivirus software, so you’re more than likely already decently protected from known viruses and attacks (just make sure your software is updated and activated). However, if you are on an older operating system, you may want to consider purchasing an off-the-shelf security product, e.g. Norton 360.
- Restrict access to sensitive data. By limiting the people at your company who have access to certain files, you’ll be lowering the risk of those files being hacked or that data being breached. Make sure you’re implementing varying levels of security access, with the most confidential data being shared with only those who absolutely need access.
- Invest in cyber insurance. Even with security measures in place, there’s still the possibility that your business suffers a loss from a cyberattack. Cyber insurance can cover losses your business experiences due to cyberattacks, whether they are first-party losses or losses from third-party legal claims. Commercial crime insurance can also provide protections against cyberattacks executed through social engineering fraud.
AdvisorSmith surveyed 1,122 people who own or manage a small-to-medium business in the U.S., in conjunction with Momentive.ai. This survey was conducted in November 2021. The margin of error for this survey was less than or equal to 3%.
Forty-eight percent of respondents were male, and 52% of respondents were female. In terms of age, 27.3% of respondents were between the ages of 18-29, 40.2% were between 30-44, 18.4% were between 45-60, and 14.1% were over 60.
The industry breakdown of respondents is as follows: Advertising and Marketing (8.9%); Agriculture (5.2%); Airlines & Aerospace (2.1%); Automotive (3.6%); Business Support & Logistics (6.0%); Construction, Machinery, and Homes (6.2%); Education (9.4%); Entertainment & Leisure (5.1%); Finance & Financial Services (4.6%); Food & Beverages (4.8%); Government (2.9%); Healthcare & Pharmaceuticals (10.2%); Insurance (1.0%); Manufacturing (3.1%); Nonprofit (4.2%); Retail & Consumer Durables (9.5%); Real Estate (4.2%); Telecommunications, Technology, Internet & Electronics (5.5%); Transportation & Delivery (1.9%); and Utilities, Energy, and Extraction (1.5%).