New research shows nearly half (47%) of all small businesses in the United States have been hit with a cyber attack in the past year. Among those victimized, a similar number (44%) reported suffering two, three or even four attacks. Pretty staggering, no? What’s even scarier, 65% of these small businesses fail to take action following a cybersecurity incident, according to the 2018 Hiscox Small Business Cyber Risk Report.
Hiscox, an insurer, found that small businesses are less likely to have instituted strategies to fend off attacks, or to detect them early if they do occur. Not surprisingly, they are also less likely to be able to withstand the financial impact of a hack or breach than, say, the cyber-stricken corporate brands we so often hear about in the news. Small businesses estimated their average cost for incidents in the last 12 months to be $34,604. Among large companies (more than 1,000 employees), the annual average cost of cyber crime was $1.05 million.
Consider the indirect costs that can result from an attack, such as lost customers or difficulty attracting new ones. How about lasting damage to the brand? Then there are costs associated with the hours required to resolve the attack and the distraction a breach can cause. Add it all up and it would seem a wise investment to fortify your business against such a thing.
The attacks come in various forms, including ransomware, spear phishing, malware, DDoS and something referred to as a drive-by. The latter involves crooks on the prowl for insecure websites who then plant a malicious script into the HTTP or PHP code on one of the web pages. This script may install malware directly onto the computer of some unsuspecting user who visits the site. Hiscox’s survey found that cyber risk is actually a top concern for the majority (66%) of small business owners. Yet 50% said they lack the budget necessary to mount a defense, with barely half (52%) reporting they have a clearly defined strategy around cybersecurity.
Best practices offered by Hiscox:
• Involve and educate all levels of the organization about cyber threats.
• Have a formal budgeting process and ensure cyber is a part of all decision making.
• Institute cyber training during the onboarding process and in an ongoing manner.
• Include intrusion detection and ongoing monitoring on all critical networks.
• Track violations (both successful and thwarted) and generate alerts using both automated monitoring and a manual log.
• Record all incident response efforts and all relevant events.
• Create a plan for all incidents, from detection and containment to notification and assessment, with specific roles and responsibilities defined.
• Review response plans regularly for emerging threats and new best practices.
• Insure against financial risks with a stand-alone cyber policy or endorsement.