You are not the target of cyber threats, everyone is.

The popular interpretation of a cyberattack is that it starts with a target, and then a vulnerability is found to gain access to sensitive information.

In reality, most of the time, the reverse is true.

Outside of government agencies or large public companies, hackers typically don’t start by picking a business and then spending days attempting to access it. Instead, they send thousands of emails with phishing links to randomly generated email addresses, or ping hundreds of servers looking for misconfigured ports. Once they find a weakness (a vulnerability or a misconfiguration), they leverage it to access a system.

Cybercriminals don’t start by targeting your local golf course, but maybe the owner just happened to click on one of the millions of phishing emails hackers send to randomly generated email addresses. Once she clicked, her email was compromised.

Given the random and constant nature of cyberattacks, cyber risk should not be thought of as an event or occurrence, it should be thought of as a force of nature.

Compare cyber threats to an earthquake.

The earth always has tremors. They happen constantly. The same is true for hacking attempts. Hackers are constantly working to gain access to business systems.

Real damage only comes when there is a specific magnitude of an earthquake. Variables align, one tremor happens to be stronger than the rest, and a business is damaged.

For comparison, hackers are always trying to access business data. Sometimes, a business’ server is set up incorrectly, a piece of software is out of date, or an employee clicks on a bad email link. Only then does real damage occur.

Businesses need to view cyber risk as an environmental factor, and as such, they can mitigate their risks with insurance. They might not be on a fault line, or in a tornado area, but the earth is always shaking, and the wind is always blowing, and hackers are always looking for security weaknesses.  

That’s why having a standalone cyber insurance policy is essential. Every business has a cyber risk, and making sure it is adequately covered is vital.