Imagine owning a successful small business. You show up to work one morning on a day like any other only to discover you can’t access your system. Then a message comes on screen saying a hacker has encrypted your computer; your hardware, software, network and data are all locked down. Unless you pay a $10,000 fee (via Bitcoin) the person will permanently erase your information. Without a current hard drive backup, you are caught between a rock and a ransom. And it’s not a comfortable place to be.
Welcome to the ominous world of cyber-attacks, where the frequency and severity of data breaches has made running a business increasingly risky. Failing to properly secure your computers can result in devastating consequences, up to and including the failure of your business. This is why understanding your cyber-attack risks, along with buying cyber liability & data breach insurance, is so essential.
What are cyber-attacks? They’re criminal acts that originate from a single computer (or multiple computers). They attempt to disable your system or access your private data for financial gain. Cyber-attacks come in many different forms, but the underlying motives are malicious intent and financial gain. From a business owner’s perspective, getting hacked is extremely stressful, partly due to the disruption to normal operations it creates and partly because of the additional costs they create. To help your company survive a data breach, it’s important to anticipate potential attacks and mitigate them with comprehensive cyber liability & data breach insurance.
Examples of Cyber Attacks
The first step in protecting yourself against cyber-attacks is familiarizing yourself with their main types. Cyber criminals are extremely inventive, modifying their attacks in response to the defenses they encounter. But here are some common ones your business may face one day:
- Malware: Refers to malicious software designed to damage or incapacitate a computer, server or computer network. It does this by propagating a worm, virus or Trojan within a single computer or across a network. The goal is to do damage, take control of a system or both.
- Phishing: Often involves a deceptive email that tricks users to take an action that will cause damage. For example, hackers might send employees an e-mail with a link causing infected code to be downloaded. Or they might include a URL in the body of an email that will take people to a phony website form that asks them to enter confidential personal information.
- Ransomware: As mentioned earlier, ransomware is a malware sub-type that encrypts your computers, making your files inaccessible until you pay a ransom for a decryption key. If you fail to pay, the cybercriminal will erase your data permanently.
- Denial of service (DOS): This involves the application of brute force to render a website or online service inoperative. How does it work? Hackers direct a flood of users to a website or database in order to overwhelm its ability to respond. A variant of this attack is called a distributed denial of service attack (DDoS) in which cyber criminals use malware to take over thousands of computers, then direct those devices to bring down a targeted website.
- Man in the middle: With this attack, hackers position themselves between users and a website they’re attempting to access. They do this by creating a legitimate-appearing login screen that tricks people into entering their personal information, which hackers then use to steal their identities for financial gain.
- Zero-day exploits: This entails criminals attempting to leverage recently announced defects in software before users install the patches that fix them. In other words, the clock is ticking toward the “zero day” in which all users will have installed the patches, rendering the defect no longer useful to hackers.
- SQL injection: This refers to attacks on business databases, which often are coded in Structured Query Language (SQL). Hackers will use company web forms that collect customer data to issue a SQL command to the database to divulge private consumer information. If the company’s programmers failed to program their database correctly, it might mistakenly answer the query and release your information to criminals.
There are many in which cyber criminals can attack your company’s computer system. To keep your customer data and intellectual property safe, it’s important to maintain a robust cyber defense to defuse multiple and constantly evolving threats. If you’re not convinced of that yet, consider the following range of potential cyber-attack impacts, including economic loss, reputational damage and legal consequences.
The potential financial losses after a cyber-attack can be devastating. They range from direct theft of funds to the costs you will incur for assessing and mitigating the damage and then repairing all systems involved. If crucial business applications go down—for example, those related to sales, manufacturing, service delivery and financial management—then not being able to conduct business as usual may delay business income or eliminate it entirely.
When you add up post-attack costs, the total can be staggering. According to the 2019 Cost of a Data Breach Report from the Ponemon Institute and IBM Security, the average data breach financial impact was $3.92 million. This represented a cost per lost record of $150. The study also found that companies on average took 279 days to identify and contain a breach. This reflects the difficulty of discovering an attack and the complexity of assessing and repairing the damage. Can you imagine having to spend that long dealing with the aftermath of a data breach?
Consumer trust is the foundation of all successful businesses. But when a cyber-attack breaches customer data, the trust that took years to build can dissolve almost instantly. That’s because consumers expect you to safeguard their data and when you don’t, they will automatically lose faith in you. Lost trust then unleashes customer defections, dwindling sales and crimped profit margins. The reputational impact involves not only customers, but also suppliers, consultants and strategic allies. When word gets out you suffered a major data breach, everyone will begin to question your ability to protect their data and your worthiness as a business partner.
Making matters worse, businesses that suffer a cyber-attack in all U.S. states and jurisdictions must notify their customers. Some states also mandate giving affected consumers free identity theft mitigation and prevention services. Both responses cost a lot of money. Firms with cyber breaches may also be subject to state and federal fines for violating data privacy laws, not to mention civil litigation from consumers and business partners for failing to protect their confidential information.
When you combine the economic, reputational and legal impacts, it’s clear that the aftermath of a cyber-attack can be challenging at best and fatal at worst. According to a study from the National Cyber Security Alliance and Zogby Analytics, 10 percent of small businesses that experienced a data breach went out of business, 25 percent declared bankruptcy and 37 percent booked a financial loss after the incident.
Given these impacts, it’s crucial to take steps now to protect your business against them. As for cyber liability & data breach insurance, it’s important to understand how the coverage works and what does a cyber insurance policy cover. It typically provides two types of protection: first party and third party.
First-party protection means the policy helps you mitigate a breach’s negative impact on your business. It does this by paying for things like:
- Investigation: hiring a forensics IT expert to determine how the breach happened and to fix the security hole
- Ransoms: meeting a cybercriminal’s payment demand to unlock your computers, especially if you lack a current system backup
- Regulatory fines: providing funds to cover penalties or fines that result from the incident
- Public relations: hiring a PR or crisis management firm to help stem customer defections after a data breach
- Consumer credit monitoring: providing credit monitoring to all patients involved in the incident
- Notification expenses: letting your customers know their personal data was released in a data breach and in some states, providing them with free credit monitoring
- Legal advice: retaining an attorney to counsel you on the legal impact of the attack
- Business interruption support: providing cash to replace lost income after an incident
Third-party protection means the policy covers your legal expenses in the event you’re sued after a cyber-attack. If a judge or jury finds your negligence played a role, your insurance will cover your attorney fees and legal settlements and judgments.