A new survey has found that most small businesses greatly underestimate the recovery costs after a company is hit by a cyber attack, as well as the time it takes to recover.
Nationwide Insurance’s “Agency Forward” survey found that 40% of small business owners estimate that a cyber attack would cost their organization less than $1,000, and 60% said it would take less than three months to fully recover. Those are significant underestimates, and it reflects how little most owners know about the true effects of these increasingly sophisticated attacks.
The rose-colored view is complicated by the fact that small businesses are now the main target of cyber attacks, particularly those involving ransomware. As a result, many companies are not taking the appropriate steps to guard against attacks, and may also forgo securing cyber insurance.
And that can be a mistake as the average cost of a cyber-attack claim is between $15,000 and $25,000, according to Nationwide. Additionally, the average recovery time for a business after an event is 279 days, according to the insurer. But many never recover. Most small businesses fail within six months of an attack.
Nationwide found that about 28% of small business owners said they have cyber coverage, compared to 71% of middle-market businesses.
Cyber-attack costs can mount quickly. After an attack and assessing the damage, a business may be faced with a number of expenses for:
- Systems and operational recovery,
- Data restoration,
- Addressing reputational damage, and
- Legal costs.
Worse yet, most small companies have not installed safeguards to protect against attacks. The survey found that:
- Only 48% of small business owners said they felt prepared to prevent a cyber attack (compared to 83% of mid-sized firms).
- 56% said they conducted cyber-security training at least once a year (94% of mid-sized firms hold training).
Protection against attacks
Malware is the largest threat, with the small business sector accounting for 50 to 70% of attacks. Malware is software — such as viruses and ransomware — intentionally designed to cause disruption and damage to a computer or network, or to gain unauthorized access to private information.
You can thwart the criminals by:
Educating your employees — Regularly update your staff on new security protocols. The more your employees know about cyber attacks and how to protect your data, the safer your business will be. Send out regular reminders not to open attachments or click on links in e-mails from people they don’t know or expect.
Implementing safe-password practices — Have employees use complicated passwords and change them regularly every 60 to 90 days.
Using robust security platforms and protocols — That includes installing web application firewalls and using secure payment gateways if you accept credit cards online. Your website hosting company should regularly patch security vulnerabilities, and you should ensure that all computers have antivirus software installed.
Regularly backing up all data — That includes databases, financial files, human resources files and accounts receivable and payable files.
Even with the protections in place, companies still can suffer an attack. If it’s a ransomware attack, your systems may be unusable until the ransom is paid.
Fortunately, cyber insurance can help pay for the costs associated with an attack, including expenses related to recovery, lawsuits and ransoms. Coverage will differ from one carrier to another, so it pays to call us to discuss your options.