Theft of digital information has become the most commonly reported fraud, according to the Federal Communications Commission (FCC). While security breaches at the nation’s biggest companies and data thefts affecting millions of records make headlines, the numbers show that small businesses are more frequently victimized by cyberattacks—attempts to disable, gain unauthorized access to or seize control of a computer, computer system, network or internet-connected or “smart” device. Some common methods include malware (“malicious software”) such as Trojans, viruses, worms and ransomware; phishing and email spoofing (posing as a legitimate institution or individual to lure someone into providing sensitive data); and denial-of-service attacks that prevent legitimate users from accessing information systems, websites, devices, and other network services.
With at least 43% of cyberattacks targeting small-to-midsized enterprises and average recovery costs estimated to range from $84,000 to over $200,000, a successful cyberattack can easily shutter a small business.
Average NJ small business is underprepared
Small companies are particularly vulnerable because they’re easier to hack. As small businesses have expanded their use of computer and internet-connected technology for conducting day-to-day operations, their security measures haven’t always kept pace. In fact, cyber crooks may attempt to infiltrate the computer system of a small to mid-sized business simply with the goal of finding a back door into the harder-to-penetrate systems of larger corporations with which the smaller enterprise may do business.
“Technologically sophisticated, larger companies have obviously addressed this for a longer period of time. They have systems, policies and expertise in place already to prevent, detect, neutralize and recover from attacks,” said Jerry Ford, a Trusted Choice independent insurance agent with Allen & Stults Co., Inc. The Hightstown agency works with a number of insurers that write specialized commercial policies to help businesses cover costs and mitigate other damages resulting from cyberattacks.
Initially, small businesses may have underestimated their risks. “There was a misperception that they didn’t have anything for cyber criminals to bother going after,” said Ford. “But with the growing amount of online transactions – payroll, point-of-sale payments, contracts, banking communications, databases, and more – any business is susceptible.” Even as they become more attuned to the dangers, many small businesses say they lack the resources – funds, expertise and personnel – to devote to cybersecurity, according to the US Small Business Administration.
Cyberattacks inflict more damage to small businesses
Not only are cyberattacks on small businesses more successful, but smaller companies bear a disproportionately higher financial impact from cyberattacks when compared with the largest companies. In addition to lost or damaged electronic records, costs generated in the wake of a successful cyberattack can include:
- Loss of Income. The attack forces the business to shut down temporarily or significantly interferes with operations.
- Extra Operating Expenses. To keep the business going it may be necessary to lease or buy new computer equipment or temporarily outsource services the business would normally be supplying to customers. Information technology consultants may have to be hired to identify the data breach and security vulnerabilities and then eliminate the problems.
- Data Security Lawsuits. If information belonging to a third party is compromised, that party may be able to sue for failure to protect its data.
- Extortion Losses. In the case of ransomware, a business might opt to pay to regain possession of data.
- Notification Costs. New Jersey's data breach notification law requires businesses to notify consumers of a breach of their personal information. In an effort to reassure customers, some businesses purchase identity theft protection for affected individuals for a set period of time.
- Damage to Reputation. Current and potential customers may avoid doing business with a company that is seen as having weak security.
Cybersecurity prevention measures for NJ small businesses
So what can a New Jersey small business do to help safeguard itself?
The FCC, Small Business Administration (SBA) and data security experts recommend the following:
- Protect against cyberattacks
Having the latest security software, web browser, and operating system; installing software updates promptly; maintaining an Internet connection firewall (a program that prevents outside access to a private network); and securing the Wi-Fi network(s) are essential in protecting against online threats.
- Establish basic data security policies and procedures for your digital systems
Setting guidelines and restrictions on using the Internet, email and removable media devices, such as thumb drives, can reduce the opportunities for malware to infiltrate. Designate an employee to take the lead as the cybersecurity/information technology security person—“Someone who will take charge versus leaving it ad hoc, in which case it might not get done,” Ford suggested. All New Jersey businesses that take personal information from people are required to have a privacy policy.
- Train (and retrain) employees on security principles and policies
Once policies are in place, it’s important to educate employees on how to adhere to these standards. Set up regular reminders for current staff to reinforce office policies, and incorporate them into all new-hire orientation programs so that your security policy is treated as a priority from the top down.
- Pay attention to passwords and authentication
Require employees to use unique passwords and change them every 3 months. Implement multifactor authentication that requires additional information aside from a password to gain entry to critical systems.
- Limit access to devices, data, and ability to install software
Employees should only have access to the specific data systems they need for their jobs and should not be able to install any software without permission.
- Adopt best practices on payment cards
Work with banks or processors to ensure the most trusted and validated tools and anti-fraud services are being used. Isolate payment systems from other, less secure programs.
- Back up data
Regularly back up the data on all computers and store it offsite or in the cloud to help your business recover in the event of a cyberattack.
- Have a contingency/incident response plan
Even small security breaches can be costly and time-consuming. Advance planning and readiness to respond are key to restoring business operations and minimizing damage.
While there are costs involved in prevention, the alternative can prove much more expensive—financially and for customer relationships.
New Jersey Cyberattack Insurance for small businesses
Cyber risk insurance is a relatively recent and evolving option for small businesses. Most standard commercial property and liability policies provide little, if any, coverage for damages and losses caused by cyberattacks and many exclude electronic data under the definition of covered property. Select coverage may be offered as some type of enhancement (add-on) to a basic business policy starting at around $250 per year, while separate dedicated cyber policies with more robust coverage are available starting at around $600 to $750, according to Ford. Most options offer a combination of first- and third-party coverages.
First-party coverages, which pay expenses directly incurred as a result of the breach, may include:
- Loss of Income and Extra Expenses
- Lawsuits and Extortion - legal expenses associated with the release of confidential information and regulatory fines; may cover ransomware payments.
- Notification Costs - costs of notifying parties (voluntarily or as required by law in New Jersey) affected by a data breach; may also cover costs of providing credit monitoring services and establishing a call center.
- Crisis Management/Damage to Reputation - marketing and public relations to protect the company’s reputation following a data breach.
Third-party coverages apply to legal claims against the business by individuals or companies affected by the data breach. The costs of regulatory proceedings and fines or penalties that a regulatory agency might impose may also be included.
Simply going through the process of applying for cyberattack coverage can be an eye-opening experience for your small business, said Ford. “Insurers require some basic levels of security to be in place—things like firewalls and encryption for laptops for example. So it makes you think about what you’re doing and what you should be doing,” Ford said.
Access to cybersecurity resources for your small business
As part of premium costs, most insurers offer small-business clients “pre-loss risk management” services—tools and guidance to identify potential areas of exposure and take appropriate preventive measures. “It’s not that you’re going to be given the latest and greatest security software that’s going to prevent any hacks. But you can get access to experts who can look at what systems you do have and say ‘Look, this is where you’re vulnerable,’” said Ford. “And it’s not necessarily expensive things you have to do; it just could be the knowledge that you need to be educating your staff on what emails to be cautious of.”
Every organization that stores and maintains employee or customer information, collects online payment information, or uses the cloud needs to create a culture of security and privacy. A good cyber insurance policy can help improve a business’s level of precautions and facilitate recovery if something happens. Talking with a Trusted Choice independent insurance agent can help you identify which policy may be right for your unique risks.