Cyber-Attacks: Risk Transference as Crucial as Risk Prevention

It’s a common misconception that large businesses, with their sizable financial assets, are the sole target for ransomware attacks. But small to medium enterprises (SMEs) need to take note: the U.S. Department of Homeland Security claims that 50 to 70 percent of ransomware attacks are aimed at small and medium-sized companies. Surprisingly, most small business owners aren’t seriously considering this risk: a recent study shows that 63% of small business owners think they are immune to a cyber-attack. As most businesses operate on connected data and cloud operations, they are increasingly vulnerable to a range of cyber-attacks, from ransomware to social engineering and data breaches.

For any SME owner or startup founder, the question is not if, but when, your business will be subject to a cyber-attack. Most businesses have some level of cybersecurity tools, policies and plans in place, but risk mitigation is not, and shouldn’t be, the only way to prepare. Unfortunately, there’s only so much you can do as a business owner.

Risk transference – planning for financial protection to cover the costs of an inevitable cyber-attack – is critical to keeping your business operations up and running and avoiding significant financial losses.

Gauge Your Awareness

Research shows that many tech founders lack awareness of the steps they can take to transfer the risk of a cyber-attack on their business. The same study mentioned earlier found that 58% of tech founders believe they will face a data breach or ransomware attack. Yet, only 34% of tech founders have made an effort to obtain cyber-insurance or transfer their risk. Therefore, an essential component of any ransomware preparedness policy involves purchasing a cyber-insurance policy. There are two kinds of cyber liability insurance: first-party and third-party. First-party cyber liability insurance will help you get your own network and systems back up and running after a cyber-attack. Third-party cyber-insurance provides financial help if clients, customers and partners were affected by the cyber-attack on your network and want to sue for damages.

According to a 2021 Ponemon study, the average total cost of a data breach increased by nearly 10% to $4.24m from 2020 to 2021, the highest ever recorded. A good rule of thumb: if a business owner can’t afford their business to be shut down for 12 hours, then that business can’t afford a cyber-attack of any kind. Small business owners must have a financial backup plan when a cyber-attack occurs, whether in the form of a separate savings fund or a third-party cyber-insurance policy.

Prepare For an Attack

Not all small businesses have access to a bevy of lawyers, breach consultants, forensic experts and ransom negotiators at the ready when something goes wrong. This is where cyber-insurance products can provide not only a financial backstop but also access to all of these experts, assisting a small business with services it may not otherwise have in its arsenal.

When you buy cyber-insurance, you transfer the potential financial burden of such events to a third party, the insurer. This provides business owners with another benefit that might not be as obvious – peace of mind.

Despite all the evidence pointing towards the likelihood and damaging costs of cyber exploitation attacks, many small business founders are still unsure how to prepare their companies for the impending attack and subsequent response. Studies show that phishing training and IT teams are no longer enough to dissuade savvy hackers from targeting weak links within a business. Phishing attempts can often lead to social engineering attacks, in which a hacker may pose as a friend and try to coax compromising company information out of an employee. Not every cyber policy covers social engineering attacks, but investing in good cyber-hygiene can help address this risk.

A 2020 Kaspersky study revealed that 45% of employees across various business organizations of all sizes didn’t know how to respond to a ransomware attack. With this in mind, businesses should invest in cyber-hygiene by performing a data audit, bringing in an outside perspective and developing a response plan. A data audit will expose what types of confidential information a company holds and reveal potential blind spots that a hacker could uncover.

Consult a Professional

An outside perspective on business systems and functions from a cybersecurity consultant, or even a cyber-insurance professional such as a broker, could help a business understand how cyber-attacks are evolving and expose weaknesses in its current methods. In addition, developing a response plan for both internal and external stakeholders creates the proper verbiage to address vendors and customers. It also prepares the company for a cybersecurity crisis and for the likelihood of a shut-down of some, if not all, critical business functions.

According to a 2021 Cybereason survey of 1,263 companies, 80% of victims who submitted a ransom payment experienced another attack soon after.

Ransomware is evolving into a more deceptive beast every day. The exploitation of IT outsourcing services, ransomware-as-a-service and a shift to corrupting smart mobile devices can all put founders and employees at risk. It’s important to evolve as hackers do by adopting the methods above and keeping abreast of the latest cyber-attack methods and trends. Regularly talking to an insurance broker specializing in cyber-insurance can help keep cyber policies up to date and your risk mitigation strategies current.

Protecting your business from ransomware attacks can seem like a daunting task. However, deploying both risk mitigation and risk transference strategies can make the difference between a small incident and an existential threat to your business and livelihood. It’s not IF a cyber-attack will occur, but when.
