By Reggie Dejean
When people think of companies at risk for cyberattacks, it’s usually the big-box retailers and national chains that come to mind, such as Target, Home Depot and Wendy’s. And those are just the ones that make the news. Approximately 40 percent of incidents do not need to be disclosed to the public.
Many may not realize that cybersecurity breaches affect all industries and companies of all sizes. In fact, small businesses and nonprofit organizations may be more vulnerable than larger companies, since hackers view those businesses as an easy mark with less-secure networks.
There are many ways the crooks can get in, but intrusions often arise from user error or employee mistakes. The Society for Human Resource Management points out that the growing policy of BYOD (bring your own device) workplaces, as well as the consumer apps and tools that come along with these devices, can create a major risk for data breaches.
While millennial employees are often more tech-savvy, technical fluency is no protection against an attack. In fact, the tendency to multitask and employees’ relaxed attitudes toward information sharing can introduce greater risk factors. According to the 2016 data security incident response report from BakerHostetler, 24 percent of security breaches are caused by an employee action or mistake.
Once a hacker is in, the average time from incident occurrence until discovery is just over three months. We’ve seen mom-and-pop shops, school districts and other small businesses fall victim to a cyberattack.
They’re seen as an easy mark and, at times, a back door into a larger company they do business with. Think about it: a smaller firm with a blue-chip client or partner. Once it happens, it gets ugly fast.
Costs add up more quickly than you might think, between forensic investigators’ and lawyers’ fees. This can truly mean disaster for a smaller enterprise. According to the tech firm CIO, small and medium-sized businesses suffer four times greater cost per person from data breaches than do large enterprises, and 60 percent of those smaller businesses may never recover from the cyberattack.
In the past year, out of 30 cases where a forensic analysis was performed following a breach, only two of these companies had cyber liability insurance coverage in place to protect their assets. When you factor in the legal costs, in some cases, the cost to these companies exceeded $300,000 in the first five to six months.
These days, it’s a matter of when, not if. It’s important for businesses to take seriously the need to have a cyberattack response plan in place and to educate their employees on ways to mitigate the risk.
Reggie Dejean is specialty insurance director at Lawley Insurance in Buffalo.