Most large companies are able to financially survive a cyberattack. But for a small business with fewer employees and less revenue, a data breach can bring business to a halt, and costs associated with the recovery can run a bank account dry.
Ransomware, a type of malware designed to render data or an entire network useless, is one of the most common ways hackers will try to extort money from small businesses. Typically, the victim will have to pay the attacker in exchange for a decryption key, which can cost anywhere from a few hundred to a few thousands of dollars, depending on the industry and whether a cyberforensics team is needed.
“When you factor in the additional cost, particularly of the forensics work, now you might be talking about $20,000 to $50,000 in cost, depending on the extent of the network and the nature of the attack. That number can be much bigger if you’re in the health care space,” said Michael Carr, a certified information privacy professional (CIPP/US) and technology practice leader at Argo Group International.
Eighty-nine percent of breaches overall this year had a financial espionage motive, according to the Verizon 2016 Data Breach Investigations Report. It is estimated cybercrimes will cost businesses more than $2 trillion each year by 2019, according to data from Checkmarx, a company specializing in application security.
Despite the lurking threats, many small businesses still don’t have cyber insurance coverage, said Carr, who has been involved with the industry for more than a decade.
“[Cyber insurance] started off as a very niche product aimed at people with a significant web media or e-commerce presence, which 12 years ago was not most small businesses,” Carr said.
Carr recommends small business owners purchase cyber insurance for multiple reasons, mainly because it may not be covered by traditional insurance policies. He says the ever expanding industry now covers “any kind of liability arising out of network security perils,” as well as data restoration costs, business interruption, regulatory fines, ransomware demands and obligations to third-parties.
“The people underwriting your commercial general liability coverage are looking at you in terms of product safety and the risk of slip and falls in your retail store,” he said. “They’re not underwriting your network at all… so cyber policies really fill the gap between what your traditional insurance policies cover.”
He also warned of potential damages a cyberattack can have on a small business.
“You’ve lost access to using your data and your systems, and the way most businesses operate today, that’s going to reduce the transactions they can handle,” Carr said. “[Businesses] may have customers walk out the door because they can’t use a credit card. They may have to hire temporary staff to do things manually that they would normally do in an automated fashion.”
Blue Moon Estate Sales, a small business franchise system, was hacked by cyber intruders in in November 2015.
“We had to hire an outside consultant to purge the entire website because malware got into the different files of the site,” said Debra Blue, who co-founded Blue Moon Estate Sales with her husband, Ken, and son David. “It didn’t disrupt our day-to-day business, but it cost us a few thousand dollars in fees.”
Because the company is in the process of working with a developer to create new software for their business, the owners decided to purchase cyber insurance for going forward.
“It could be as little as a couple hundred for $25-50,000 in coverage,” Carr said, noting that the numbers can change due to the nature of the cyber industry, and vary depending upon the size and type of business. “The standalone limit would be $1 million in coverage… for a $1 million dollar limit, on average, a business owner can pay as little as a couple thousand dollars to as much as maybe $10-15 thousand, which can include expenses related data breaches—credit monitoring services fees, for example.”
According to David Blue, the hack was not on the company’s main website, but the site that was impacted needed to essentially be rebuilt from scratch, resulting in extra, out-of-pocket costs.
But not all hope is lost for small businesses with equally small budgets. Carr recommends small business owners looking for the best defense for cyberattacks start by finding an agent who knows the product, or knows someone with expertise in the field.
“The owner should bring to the discussion the business’ tolerance for out-of-pocket costs, like deductibles,” he explained. “You should have an idea of how many records, customers or patients you deal with in a year. How much data you are storing and where you are storing it, as well as how it is secured. That all can help you get better terms.”