SMBs Are Vulnerable on Cyber

Small and medium-sized businesses must improve their risk management protocols while putting in place a cyber insurance safety net. 


Small and medium-sized businesses (SMBs) have been grappling with an array of economic and cultural forces over the past two years that threatened their viability. Stretched thin by the global pandemic, the Great Resignation and spiking inflation, SMBs have no doubt relegated other important concerns to a lower priority, including cybersecurity and cyber insurance. However, an attack on a small business is often catastrophic, leading to a tarnished reputation, customer dissatisfaction and, even worse, closures. In a National Cybersecurity Alliance study, 25% of small businesses that experienced a data breach filed for bankruptcy, and 10% went out of business. 

A recent survey reports that only 50% of small business owners are fully prepared for a cyberattack. Many SMBs do not view cyber insurance as urgent, because of the cost and the effort required to conduct due diligence on providers. Cyber insurance is a crucial safety net to have in place, but companies must also improve risk management protocols.

Risk management is a neglected piece of the cybersecurity puzzle  

An excellent place to begin is with employee training, especially because 85% of breaches involve the human element. Forty percent of people simply do not see themselves as responsible for looking after their workplace’s sensitive information. Remote workforces have added a level of challenge for companies to control risk factors, such as home network connections. 

Addressing the human factor in risk management

Robust education and awareness programs are essential because a personal cyberattack on one employee creates an enormous burden on the entire company. Training courses should include recognizing privacy risks, preventing phishing attacks and detecting an attack. Multi-factor authentication (MFA) has emerged as a great, inexpensive way for SMBs to combat potential account takeovers or bad password hygiene. If MFA is not in use, then password blacklisting, which relies on a list of words disallowed as user passwords due to their commonplace use, becomes a must. In addition, like large enterprises, SMBs can take an extra step of protection by imposing a password protection cadence where employees are expected to change their username and passwords regularly.

SMBs also need to remain vigilant when it comes to their vendors. The often-overlooked process of scrutinizing insurance requirements in vendor contracts, confirming where the onus lies in handling a cyberattack and understanding the full spectrum of liability is necessary.


Cyber insurance considerations 

Once these risk management logistics are in good standing, adding a layer of protection by seeking cyber insurance is a must. To execute proper due diligence, SMBs need to fully understand what cyber exposure is, what cyber insurance can do and what it covers. (If an SMB stores any sensitive client data whatsoever on computers and network technology, they have the potential for cyber exposure. Cyber insurance generally covers a business' liability for a data breach involving sensitive customer information. Not all cyber insurance policies cover the same things; most provide breach response services and damage mitigation and ensure the obligatory investigation and notification procedures are implemented. Some insurers may offer an enhanced plan that also helps protect against lawsuits and regulatory actions.)

Before applying for cyber insurance, SMBs should have a sense of the depth of internal information carriers will require. Carriers want to get comfortable with the risk before they're willing to offer decent insurance coverage. There aren't many insurers willing to offer a minimum limit of cyber insurance without extensive supplemental applications. The process may require time, but SMB leaders should not be discouraged, as cyber liability insurance ensures the organization has a concrete response plan.

The proper guardrails in place to succeed 

SMBs have made strides in recent years in recognizing the existential threats that data breaches present, but they must be even more vigilant as remote work models and the digital transformation continue to sweep through virtually all industries. While they have fewer resources than enterprises, SMBs should adopt the same level of caution against cyber criminals through a combination of cyber liability insurance and comprehensive cyber risk management practices.


Richard Clarke


Richard Clarke is chief insurance officer at Colonial Surety.

With more than three decades of experience, Clarke is a chartered property casualty underwriter (CPCU), certified insurance counselor (CIC) and registered professional liability underwriter (RPLU). He leads insurance strategy and operations for the expansion of Colonial Surety’s SMB-focused product suite, building out the online platform into a one-stop-shop for America’s SMBs.
