Building cyber resiliency for mom and pops

No business is too small to fall victim to cybercriminals, says Sam Shay of Socotra.

“It’s a lot easier for professional cybercriminals to target a large number of smaller businesses,” said Sam Shay, creative director of Socotra. “I think there’s a perception gap there that insurance companies could be doing a better job of providing education around the real threat.” (Credit: Seventyfour/Adobe Stock)

When business owners think about cyberattacks, they often picture high-profile data breaches, such as the most recent cyberattack on UnitedHealth’s Change Healthcare.

These breaches make headlines because the ransom demands are for millions of dollars, but the median cost of a cyberattack was just $18,000 two years ago, according to the 2022 Cyber Readiness Report by Hiscox. The report warned that threat actors are targeting more small- to mid-sized businesses.

“There’s sort of a stigma around cyber insurance in that the largest attacks that make all the headlines all seem to sort of drive home the point that the most valuable targets and the most likely to come under attack are the world’s largest and most profitable corporations,” said Sam Shay, creative director at Socotra. “At this point, [there’s] no business that’s too small to have that kind of concern going forward.”

Cyber insurance is crucial

Despite more awareness of cyberthreats and increased risk of cyberattacks, the number of businesses carrying cyber insurance has dropped 24% since 2022, according to the Global Cybersecurity Outlook 2024 Report by The World Economic Forum. The report discovered 60% of cyber and business leader respondents do not carry cyber insurance at their organization, yet 33% said they lose sleep over the idea of losing access to services or goods due to a cyberattack. Further, 27% said they couldn’t sleep over concerns of cyber extortion.

Cyber insurance is essential for businesses of all sizes, says Shay. Insurers in the cyber market provide education and protection tools for policyholders to strengthen their cyber resiliency. Business owners who carry cyber insurance are more likely to implement best practices for cybersecurity, and their employees have the training to identify and prevent or mitigate a cyberattack when it happens.

“Having the added benefit of being able to protect against something going wrong in the first place through protection and education, that really goes a long way because the best insurance claim is one you don’t have to file,” said Shay.

Small business owners with cyber insurance can rest easy knowing their coverage gives them the resources to recover from cyberattacks. Still, they must plan for the worst and have procedures in place to stop the threat actors as soon as possible and prevent extensive data breaches.

“There need to be security drills in place in any business’s IT department, essentially just being ready to switch to Plan B at a moment’s notice,” said Shay. He notes that even pizza parlors and other unassuming businesses can be a target.

Increasing cyber resiliency

Cyberattacks are not like a ’90s hacker movie where they blast through systems via coding, says Shay. The top cyberthreat to today’s businesses is social engineering, such as phishing, business email compromise or baiting, in which the threat actor manipulates someone to gain access to the company’s system. However, businesses can mitigate these cyberthreats by implementing fail-safes, closing weak external access points and increasing employee cybersecurity training.

“For property owners, it’s becoming more of an issue that there are so many connected devices, and there’s so many Wi-Fi-enabled sources of access to data streams,” said Shay. “[It] doesn’t matter how ‘smart’ or ‘dumb’ the appliance is — anything that is connected to your network through Wi-Fi is going to pose a serious threat.” He recommends keeping as many layers as possible between company data and end users, citing Socotra as an example.

Practicing the company’s cyberattack protocol is another crucial part of increasing cyber resiliency.

Jim Broome, president and CTO of DirectDefense, writes that role-playing tabletop exercises, in which a simulated real-world cybersecurity incident plays out, can educate leadership and staff on breach detection. Businesses of all sizes must review and update their cyberattack plan annually, consult their legal counsel and ensure they are compliant with their cyber insurance carrier.
