**TL;DR at the bottom
When it comes to cybercrime, Hollywood has done what it always has done and created excitement and admiration around data breaches. In the movies, cyberattacks often involve the underdog – his identity hidden by a black hoodie – who ferociously types through antiquated software systems to save the world from corporate corruption. The protagonist is hailed for his intelligence, and everyone leaves the movie theater wishing they had taken a coding class in college.
But this is rarely the scenario in real life (unless your last name is Snowden), and if you own a business, cyber breaches are anything but heroic. They can result in business interruption, lost clientele, and thousands of dollars spent on recovery.
And if you’re thinking, That only happens to large enterprises, you would be wrong. In 2021, 46% of all data breaches happened to companies with fewer than 1,000 employees.
But before we get into more statistics and facts regarding small businesses and their vulnerability to hacking, let’s first answer the obvious question…
What is Cybercrime and Why Should I Care?
According to NIST, a cyberattack is “an attack, via cyberspace, targeting an enterprise’s use of cyberspace for the purpose of disrupting, disabling, destroying, or maliciously controlling a computing environment/infrastructure; or destroying the integrity of the data or stealing controlled information.”
Doesn’t sound quite so “cool” if you are a business owner, does it?
Most companies, regardless of services rendered or products sold, store private information from their clients including addresses, phone numbers, and credit card and banking information. If you keep virtual files of any of this data, you should have cyber protection. And not just because you should care about your clients, but if the data is breached, you could find yourself on the defendant’s side of a courtroom.
Furthermore, even if your clients decide not to sue you, if your company is victimized by a cyberattack, you will inevitably experience a stall in operations and the pain of forking over thousands of dollars to counter the attack.
Why do hackers choose to go after smaller companies? First off, small businesses are easier to access due to less security protection – either because they can’t afford it or because they think they don’t need it. Also, there is more opportunity to receive smaller amounts of money from numerous accounts that go undetected.
In other words, if you run a “mom-and-pop” shop, you could be just as susceptible to hackers as, say, Chase Bank or a hospital.
Don’t believe us? Let’s check out the statistics on data breaches that StrongDM published last year…
The Sobering Statistics of Small Businesses and Data Breaches
Articles such as this one can sound a bit anecdotal, so here are a few sobering stats that should drive home the importance of protecting your business and your clients against cybercrimes.
Stat: 18% of cyberattacks on small businesses are through malware (making it the most common).
Stat: 82% of ransomware attacks in 2021 were against companies with fewer than 1,000 employees.
And 37% of ransomware attacks were aimed at companies with fewer than 100 employees. Why? Because many hackers are trading mega-sized targets for SMBs, since the risk of exposure and arrest is generally lower. Note that RDP compromise – via access to a system administrator or user password – is the most common method in ransomware, so a password made of your business name and the current year simply won’t work.
Stat: Small businesses receive the highest rate of targeted malicious emails at a rate of 1 out of every 323 emails.
Such threats (including phishing, spam and email malware) mostly target businesses with fewer than 250 employees. If 1-in-323 emails are from hackers, and the average employee receives 121 emails a day, this means that the threat is higher than most would predict.
Stat: Companies with <100 employees receive 350% more social engineering attacks like phishing, baiting, quid pro quo, pretexting, and tailgating than larger businesses.
CEOs, CFOs, and executive assistants with access to the accounts of high-level company members are the most vulnerable to these types of cybercrimes.
Stat: 87% of small businesses have customer data that could be compromised in an attack.
Regardless of what services or products you sell, it is very likely you hold sensitive client information like social security numbers. Essentially, without proper security protections, your customers are sitting ducks for identity theft, privacy violations, and more.
Now that we’ve verified the likelihood of a small business being the victim of cybercrime, the most popular follow-up question is often, Yeah, but why? Small businesses and their clients rarely retain life-changing money like a bank or corporation would.
While this is true, SMBs are coveted targets for four primary reasons:
- Withdrawing smaller amounts of money is less detectable. Because most hackers want to play the long game, by stealing modest amounts of money from various sources, they are less likely to get caught.
- These schemes can turn out quite profitable if culprits are withdrawing from a significant number of businesses as opposed to one large enterprise.
- As mentioned earlier, SMBs rarely have the same cyber security measures that larger companies do, so they are easier targets.
- Lastly, many smaller businesses are not financially positioned to recover from an attack.
**Image statistics of data breaches in 2022 from https://truelist.co/blog/data-breach-statistics/
Concessions for jeopardized cyber security can be quite expensive (as we’ll address later on in this article). Is your business prepared to pay large sums to counter an attack? Probably not. So now the question is, What do I do to protect my business from a cyberattack?
What is Cyber Liability Insurance and What Does It Cover?
Information Security and Privacy Liability Coverage (less formally known as Cyber insurance) does exactly what you have probably gleaned already – it covers your business’ liability in the event of a data breach in which private customer information is compromised. A good cyber liability insurance plan will help you with:
- Legal fees (if a client/customer sues)
- Compensation for lost wages and revenue as a result of business interruption.
- Contacting customers to notify them of the breach.
- Costs associated with recovering from the breach.
- Customer credit (while this isn’t a service you are required to offer victims, it goes a long way in gaining back the trust of your customers).
One thing to keep in mind regarding Cyber liability insurance is that it’s largely designed for big corporations with thousands of customers. If you have an SMB, a Data Breach insurance policy will likely provide the right coverage at the right price.
What Is Data Breach Insurance and What Does it Cover?
A Data Breach policy is great for SMBs because it’s business protection on a smaller scale. This type of insurance is valuable if personal identity information gets stolen – whether it’s the result of a virtual hacker or an employee. In the unfortunate event that your small business’ files or software get compromised, breach coverage will cover costs associated with:
- Notifying your customers about the breach
- Offering credit monitoring services to victims
- Hiring a public relations firm
Additional coverage that you can add to your data breach policy includes business interruption expenses, extortion coverage (in the event of a ransom), and a few other perks that may or may not be necessary for your company.
What is the Difference Between Cyber Liability Insurance and Data Breach Insurance?
The difference between the two policies can be confusing… and rightfully so! Data breach coverage is under the umbrella of Cyber Liability. Depending on your insurer, Cyber Liability coverage can be written in a variety of ways with egregiously contrasting limits.
If your company already has Cyber Liability coverage, you probably also have Data Breach coverage. However, if you have Data Breach coverage, that doesn’t necessarily mean you have a cyber liability policy. (It’s comparable to what everyone’s third grade teacher hammered into our heads: a square is a rectangle, but a rectangle is not a square.)
As an example, Cyber Liability almost always has limits that cover the repair of breached data systems and computers. Yet, Data Breach insurance probably won’t offer the same.
In short, Cyber Liability offers a lot more services (including those offered by Data Breach policies). Data breach coverage is more limited. However, if you’re a mom-and-pop shop, you may not require all the bells and whistles that come with a Cyber Liability plan. When you talk with your insurance agent, make sure you have a full understanding of what your policy covers. Your carrier will use its own forms to formulate a personalized cyber policy that offers first-party and third-party limits and suits your needs.
As a final note, business owners are often misled to believe that General Liability insurance will cover them in the wake of a cybercrime. It doesn’t (unless specified by your policy holder). General Liability only covers bodily or property damage, not data security damage.
How Costly is it to Fix a Data Breach Without Cyber Insurance?
We understand that as an entrepreneur and business owner, you only have so much capital to work with and you have to budget for a lot of things that ostensibly seem more important. But let’s take a closer look at the numbers and the price you pay when you have a high tolerance for risk.
Statistics from the 2002 Verizon Data Breach Report:
*Information is only relevant to American business.
- 55% of people in the U.S. would be less likely to continue doing business with companies that are breached.
- In recent years (on average), there are over 700,000 attacks against small businesses, totaling $2.8 billion in damages
- Nearly 40% of small businesses reported they lost (and never recovered) crucial data after an attack.
- 51% of small businesses that fall victim to ransomware end up paying.
- 75% of SMBs could not continue operating if they were hit with ransomware.
- 59% of small business owners with no cybersecurity measures in place believe their business is too small to be attacked.
- Nearly half of small businesses spend less than $1,500 monthly on cyber security.
- SMBs spend 5% to 20% of their total IT budget on security.
- Just 17% of small businesses have cyber insurance.
*A survey of U.S. small businesses from late 2021 found that only 17% had cyber insurance. It also found that 48% of those companies did not purchase insurance until after an attack, and 64% of all respondents were not familiar with cyber insurance.
Now, to the number you were really looking for…
95% of cybersecurity incidents at SMBs cost between $826 and $653,587. This number includes lost business while trying to salvage the problem, legal and regulatory fines, hiring a third-party company to recover the data, etc. What this number doesn’t include is potential settlements in a lawsuit brought forth by your clients.
If you are interested to see what potential costs your company might face in the unfortunate event of a cyber hack, you can utilize eRiskHub’s Data Breach Calculator to run various security breach scenarios.
Whether you are now convinced you need cyber liability/data breach insurance – or we have at least piqued your interest – please reach out to us at firstname.lastname@example.org. We’ll answer your questions and promise not to push unnecessary products on you. Ashlin Hadden Insurance is only interested in protecting your business and your finances.
Why should small businesses worry about cyberattacks?
46% of all cyber breaches impact businesses with fewer than 1,000 employees.
Why do hackers attack SMBs?
- Withdrawing smaller amounts of money is less detectable. These schemes can turn out quite profitable if culprits are withdrawing from a significant number of businesses as opposed to one large enterprise.
- SMBs rarely have the same cyber security measures that larger companies do, so they are easier targets.
- Many smaller businesses are not financially positioned to recover from an attack easily. According to StrongDM, “In 2020 alone, there were over 700,000 attacks against small businesses, totaling $2.8 billion in damages.”
- Law enforcement does not respond as quickly/seriously as they would if, say, Verizon Wireless was
What is Cyber Liability insurance?
It covers your business’ liability in the event of a data breach in which private customer information is compromised. A good cyber liability insurance plan will cover legal fees, lost wages and revenue, contacting customers to notify them of the breach, costs associated with recovery, and customer credit monitoring.
What is Data Breach insurance?
This type of policy offers less protection than cyber liability insurance and is often recommended to smaller businesses. Data Breach insurance will help with notifying your customers, offering credit monitoring services to victims, and hiring a public relations firm.
What’s the difference between data breach and cyber insurance?
Cyber insurance generally covers all costs and services associated with a cyberattack, whereas data breach insurance is tailored more for small businesses that don’t need all the bells and whistles.
Will my General Liability insurance cover a data breach?
Unfortunately, it’s very unlikely. General liability insurance is designed to cover lawsuits/settlements associated with physical or mental injury or property damage.
How much does cybercrime cost if you don’t have insurance?
Obviously, this depends on what kind of attack it was and how much information they stole, but generally, victims pay between $826 and $653,587. If you want to see potentially how much money a cyberattack would cost your business, use the eRiskHub calculator here.
The Data Breach Cost Calculator is one of the most popular tools in the eRiskHub. Here we allow you to view a sample version that contains simplified results. The calculator allows you to run a scenario to see how much a data breach could potentially cost your company. Data breach costs can vary depending on the type of information lost, such as PII, PCI or PHI. The calculator breaks down the cost by incident investigation, customer notification costs and crisis management, regulator fines and penalties, PCI, and class action lawsuits.