Businesses are facing unprecedented circumstances. When I first drafted this blog, 10 days ago, COVID-19 was not yet a global crisis. With many employees working from home and connecting through WiFi, organizations can now become vulnerable to new types of threats. Cybercriminals have not been waiting, and we’re already hearing about a significant increase in email attacks (phishing). This blog is just a reminder that nobody is immune to cyberattacks and staying vigilant with email and other technology tools is important.

We’ve all read news about large corporations such as Target, Capital One, or Equifax and cities like Baltimore or New Orleans falling victim to cyberattacks and ransomware. A good majority of these breaches were reported along with the benefits brought by cyber insurance. But do you know that small businesses are equally if not more at risk and could benefit even more than large corporations from having cyber insurance? There is also no question that 

You don’t often read about attacks on small and mid-size businesses (SMBs) because:

  • For many industries, regulations do not require small businesses to report data breaches (which is one direct way for incidents to become public);
  • Incidents with only local impact are not covered by reporters;
  • In the case of ransomware, there is no obligation to report the incident, which has created the false perception that ransomware targets only cities and hospitals.

Here are facts and statistics about cyberattacks on SMBs:

  • Small and mid-size businesses are as susceptible as large organizations to cyberattacks
  • Businesses underestimate how long it takes to identify and remediate a cyberattack
    • 314 days is the lifecycle of a breach caused by a malicious attack, i.e. the number of days it takes to identify and contain a breach (source: IBM and Ponemon, 2019 Cost of a Data Breach Report)
  • SMBs severely underestimate the cost and scope of a data breach  
    • $150 is the average cost per lost record. In the case of a data breach where 10,000 records are compromised, it’s a $1,500,000 expense.  
    • $2.74M is the average total cost of a data breach for companies with fewer than 500 employees
    • 25,575 records is the average size of a data breach
    • (source: IBM and Ponemon, 2019 Cost of a Data Breach Report)

Until one faces a data breach and experiences the range of post-breach activities required to recover, it might be hard to fathom how costly cyberattacks can be. Here is a list of expenses that any business could likely face in the aftermath of a data breach: 

  • Operational downtime
  • Costs of finding what systems, data, or accounts were impacted by the attack
  • Cost of notifying customers and employees whose data might have been compromised
  • Lawsuits from these customers
  • Costs of removing any malware and repairing systems
  • In the case of credit card compromise, cost of providing credit monitoring services for impacted individuals
  • Regulatory fines if protected data has been compromised
  • Lost business because the business’ reputation has been tarnished

Still not convinced? The ITRC (Identity Theft Resource Center) maintains a list of cyber incidents that have been made public over the years. Here are examples of small businesses impacted by cyberattacks in 2019 and a peek at the costly activities that they had to line up in the aftermath of the incident.

  • Incident #1: Email compromised at building cleaning service company (500 employees, $15M of revenue)

An unauthorized individual gained access to several employees’ email accounts. As specified in the breach disclosure communication to customers, the company had to make a significant investment to understand the scope of the incident and which type of data was compromised. 

  • Incident #2: Web site attack at an industrial bakery  

Through the use of malicious code, an unknown third party gained unauthorized access to the company website. According to the data breach notification letter sent to impacted parties, unauthorized access could have lasted for 22 months before being discovered.   

  • Incident #3: Email compromised at Health Club in Arizona 

An employee email at this health club with less than $10M of revenue and 120 employees was compromised. This mail notification highlights the steps taken post-breach to notify impacted customers and employees including free access to credit monitoring. 

  • Incident #4: Web site compromise at a business with about 30 employees  

Through the use of malicious code, an unauthorized person gained access to the eCommerce payment page of the online business. Credit cards and other sensitive data were compromised. In the data breach notice sent to customers, the company offers one year of identity protection services amongst other services. 

Cowbell Cyber currently offers standalone, admitted cyber coverage to businesses up to $100M in revenue (you can read more about our Prime 100 program in our recent blog). If you’re an agent interested in distributing Cowbell Prime, you can register on our web site under the For Agencies tab. Meanwhile, if you just want to learn more about Cowbell Cyber, check our video channel.