Pay Now or Pay Later

The majority of all cyber attacks happen to small and midsize businesses (SMBs, with revenues up to $1 billion), according to a 2018 Vistage report by Cisco and the National Center for the Middle Market.

Debunking the myth that cyber attacks usually hit large companies, the report calls SMBs “soft targets,” reasoning that these companies have valuable data but lack effective cyber-security controls and trained cyber-security personnel. 

SMBs are also good targets for ransomware because they are more likely to pay ransoms since they have not invested in offsite backups or developed and tested backup and recovery plans, which would allow them to simply restore their systems. 

Ponemon’s 2018 report on SMB cyber security analyzed companies in the United States and United Kingdom with the number of employees ranging from less than 100 to 1,000. The report found 67% of the respondents had suffered a cyber incident in the past year and 70% had paid ransoms. In general, SMBs do not know how to address cyber security, or they are overwhelmed by the requirements and financial resources needed to establish a full enterprise security program. When asked what kept them from having an effective IT security posture, 47% of the Ponemon respondents said they had no understanding of how to protect against cyber attacks, 74% cited insufficient personnel, and 55% said they had insufficient financial resources. 

Why are SMBs in this position? Many typically struggle with expanding their IT capabilities to keep pace with growth. Small businesses often begin with an outside consultant who periodically comes in and resolves issues or sets up a new capability. As they grow, they may expand IT capabilities by hiring a small internal IT team and using cloud services, software-as-a-service enterprise applications, and business process outsourcing (BPO) vendors. Thus, the “IT team” may be a mix of internal and external personnel, which increases complexity in cyber risk management, especially incident response. 

In fact, a 2018 report by the National Center for the Middle Market reported that the IT department is responsible for cyber security in 61% of SMBs. And the 2018 Vistage report found that 67% of SMBs use an external partner to manage cyber security. 

The unwillingness of SMB CEOs and CFOs to invest in dedicated personnel and enterprise cyber-security programs makes little sense when one considers the cost of cyber attacks. The Ponemon report calculated the average cost per attack due to compromise of employees’ passwords was $383,365, the average cost of recovery from damage or theft of IT assets was $1.43 million, and the average cost from disruption of operations was $1.56 million. The cost per incident had increased 33% and disruption to operations had increased 25% since 2017 due to damage or theft of IT assets. 

The Ponemon report found that companies that claimed to be effective at mitigating cyber risks and attacks have significantly lower costs related to cyber incidents than other SMB respondents. In fact, the difference in one incident is enough to pay for a strong cyber-security program consistent with best practices and standards. 

The table below illustrates that companies with effective cyber-security programs had an average cost from disruption of operations of $1.06 million—about $500,000 less than other SMBs. Their cost from damage or theft of IT assets or infrastructure was about $330,000 less than other SMBs, and the cost per incident was $88,465 less. That in itself is adequate justification for funding an enterprise security program. 

In 2018, Hiscox commissioned Forrester Consulting to assess the cyber readiness of organizations and noted that seven out of 10 businesses are not prepared for a cyber attack. Forrester concluded, “While big firms incur the highest costs in the aggregate, the financial impact of cyber-attacks is disproportionately greater for small businesses.”

Attacks today are complicated and often multipronged. SMBs need to understand their cyber risks and develop strategies to manage and transfer these risks. Just like any large business, SMBs need to conduct periodic cyber risk assessments, perform regular vulnerability scans and penetration testing, restrict access and require multifactor authentication, have dedicated personnel, and exercise cyber governance. The cyber-security labor market is tight, making it harder for SMBs to find qualified personnel to perform these tasks. Although consultants and managed security service providers can help with these activities, the company is responsible to its customers, shareholders and the larger cyber community to manage its cyber risks. 

One way for SMBs to manage cyber risk is to purchase cyber insurance. In analyzing market data, CyberPolicy noted a steep rise in SMBs buying cyber insurance, with an average quarterly growth rate of 34% over the past year. One factor in this is the affordability of cyber policies. The price for $1 million in cyber coverage dropped from $270 in April 2017 to $77 in June 2018. Other drivers are compliance and contractual requirements. 

Cyber risk management, however, is not as simple as buying a cyber policy. First, SMBs will need the expertise of their agents and brokers to help guide them through the maze of which types of policies will cover various aspects of a cyber event. For example, depending on the circumstances, a cyber event may trigger clauses in numerous policies, such as property and casualty, cyber, director and officer liability, and errors and omissions. 

Second, SMBs need to understand that buying a policy will not relieve them of the obligation to establish a strong security program. Not only do some laws and regulations require it, but customers and business partners will demand it. A company that values privacy and cyber security, establishes a strong cyber-security program, and transfers some of its risk through insurance will have a competitive advantage in the marketplace, and it will be better prepared when it suffers a cyber attack.