
A Cybercriminal’s Menacing Arsenal Against U.S. Small Businesses


When you see a cyberattack in the news, chances are it impacted a major company that easily has the funds to cover the costs and then some. What the headlines fail to cover is the variety of businesses, both big and small, that fall victim to these covert attacks. In an era where technology is ever evolving, it is critical for businesses to keep pace and stay up to date with their cybersecurity awareness and training. In fact, the annual Hiscox Cyber Readiness Report revealed that 69% of U.S. companies reported an increase in cyberattacks compared to last year. To make matters worse, U.S. companies face an average of 62 cyber incidents per business each year, about as often as they receive company-wide leadership communications.

Business owners have many competing priorities and are often juggling responsibilities, so cybersecurity can be the last thing on their minds until an attack strikes. Luckily, there are some straightforward steps that small business owners can take to defend their businesses.

What Are the Top Cybersecurity Threats to Small Businesses?

Cyberattacks are like a box of terribly flavored chocolates; you never know which one you’re going to get. While similar forms of an attack can be categorized, no two cyberattacks are the same. That’s why the first step to prevention is education and understanding the most common cyber threats.

Ransomware

Ransomware is malicious software that aims to lock down critical business systems. It works by “infecting” a computer network and blocking access to important functions and data, which the attacker then holds hostage until the business pays a ransom or takes a specific action requested by the perpetrator. While paying a ransom may seem like the only way to restore operations, it rarely guarantees full recovery. Once attackers gain access, businesses often never regain complete control or retrieve all their data. The 2024 Cyber Readiness Report found that among businesses that paid ransoms, only 7% successfully recovered all their data, while 10% experienced data leaks despite making the payment. To make matters worse, 43% of businesses struggled to attract new clients due to the reputational damage caused by an attack, and the recovery period strained critical relationships with employees, customers, and vendors. Many businesses believe that paying a ransom will resolve the issue, but beyond the operational disruption, paying also marks the business as a target for future attacks.

Phishing

It could be an email from your bank, streaming service, or doctor’s office; according to Hiscox, phishing is the primary point of entry for cybercriminals in 57% of attacks. Especially with the use of AI, bad actors are becoming more sophisticated at crafting phishing emails that can lure recipients into a false sense of security with near-accurate branding and persuasive messaging, making it challenging for even a critical eye to detect. Phishing emails often play on urgency, such as telling the recipient they’ve been locked out of their account and they must reset their password using a specific link, a valuable package is stuck in customs, or their payment has been declined, and they must update their payment details. Clicking on a malicious link or attachment in one of these deceptive emails can lead to stolen card details or unknowingly downloading harmful software. Employees need proper training on the latest cyberthreats to recognize and stop these attacks before it’s too late.

Cyber Extortion

The cyber equivalent of taking a hostage and demanding payment in exchange for their release, or what is commonly known as cyber extortion, works by threatening malicious activity against a victim. Cyber extortion is distinguishable from ransomware by its objective: the former aims to steal data (and possibly release it publicly), while the latter intends to block access to important business functions, but both often demand a ransom in some form. A cybercriminal may threaten to leak sensitive business information to the media or on the dark web if the business does not comply with their demands for a ransom.

When a business is familiar with the various types of cyber risks they face, the next step is learning how to protect against them. There are several crucial steps businesses can take to protect themselves against cybercriminals.

How Can Small Business Owners Combat Cyber Risk?

1—Employee Training

When it comes to cyber risk, businesses are only as strong as their least-trained employee; it only takes one employee to click on a link in a phishing email and infect the systems of the whole business. Numerous sources and studies, including the World Economic Forum, indicate that nearly 95% of cybersecurity incidents occur due to human error. A key cybersecurity weakness, according to Hiscox, is employee awareness. In fact, 41% of businesses experiencing increased cyber risk attribute it to insufficient training. To address this, companies should teach employees how to spot a suspicious email, craft a strong security password, protect confidential information when working remotely or on unsecured Wi-Fi networks, avoid engaging with cybercriminals, and promptly report a cyber incident to the appropriate team. Conducting these sessions regularly will help teams stay current on the latest cyber trends.

2—Keep Software Up to Date

Technology evolves at breakneck speed, forcing cybercriminals and software developers into a constant game of catch-up. One of the biggest cybersecurity risks, cited by 47% of businesses, is failing to retire outdated systems, which pose even greater vulnerabilities than employee personal device use (39%). While software updates may seem frequent and tedious, they can mean the difference between preventing an attack and falling victim to one. Notably, 35% of businesses that paid ransoms did so because they lacked adequate data backups and couldn’t restore their systems. The good news? Software developers do the heavy lifting by identifying vulnerabilities and creating patches; businesses just need to install updates when prompted.

3—Invest in Cyber Insurance

Insurance can often be a grudge purchase, until a debilitating cyberattack strikes, and it turns into one of the smartest decisions made. Many small businesses don’t recognize the importance of insurance or the need to update it, as 75% of U.S. small businesses are underinsured, according to the 2023 Hiscox Underinsurance Report. Underinsured businesses are not adequately protected from potential losses and could be held financially liable. A cyber insurance policy can help cover these costs, including the experts needed to contain a data breach or navigate ransom demands, funds lost due to an attack, legal fees, and more. Investing in cyber insurance can protect your business, and it costs less than the financial and operational tolls of a cyberattack.

Education is the First Step

Every business has weaknesses and vulnerabilities that cybercriminals can exploit. The first and most important step is learning the tactics that can be used against your business, and then educating all employees about those risks, too. Cyberthreats will only evolve and grow, but education significantly lowers the risk of a successful attack on businesses.

Mike Maletsky is the VP, Practice Leader of Technology E&O and Cyber at Hiscox USA, a leading insurer for more than 600,000 U.S. small businesses, independent contractors, and others. With over 18 years of industry experience, he has developed insurance products for customers around the world and currently serves customers across the Technology E&O and Cyber sectors. Connect with Hiscox at their website or LinkedIn.

