Though cybercrimes have long been on the rise, many small-business owners see their risk as outweighed by the high price tag that comes along with cyber insurance.
That trend is apparent in a BlackBerry report released over the summer, which found that only 14% of small businesses – defined in the survey as companies with less than 1,500 employees – have cybersecurity insurance coverage that meets the median ransomware demand of $600,000. And just over half of the small businesses surveyed – 55% – had cyber insurance coverage at all.
These findings weren’t surprising to Chris Parisi, co-founder of the Rhode Island Small Business Coalition and founder and president of his own small business, the marketing firm Trailblaze Inc.
To Parisi, cyber insurance is more than just a luxury, though he understands why other small businesses may see it otherwise.
The report “underlies a consistent issue for small businesses – a choice between doing what’s best for their business and what’s affordable,” Parisi said.
“Cyber insurance is often overlooked as a ‘nice to have’ but with online transactions and communication becoming ever so prevalent, it is becoming more of a ‘need,’ ” he said. “But how can small businesses afford these costs while also dealing with general business insurance costs rising as well?”
Small businesses shouldn’t discount the possibility of a cyberattack, says Michael Martin, an adjunct faculty member at Roger Williams University who specializes in risk management, cybersecurity and insurance. In fact, the assumption they won’t be attacked is part of what is herding some cybercriminals toward smaller targets.
“Essentially, many hackers have learned that large businesses are increasingly well-protected,” Martin said, particularly in sectors such as technology, health and finance, where highly sensitive and large amounts of information tend to be at stake.
These companies “have resources to protect various types of assets, and therefore [makes] it harder to access systems to install ransomware,” Martin said, “so what happens is the bad guys essentially move to the less-protected end.”
But that doesn’t mean that all small businesses should prioritize the most robust cybersecurity package possible, he says.
The BlackBerry report identifies a legitimate gap in cyber insurance coverage, Martin says, but there’s no one-size-fits-all solution when it comes to protecting businesses against cyberattacks, and cybersecurity needs vary largely depending on the sector, the type of information a business handles and its size.
“The good news is that there’s a significant interest in cyber insurance,” Martin said. “The bad news is … insurance coverage for cyber events is much less mature, or less standardized than traditional insurance like property liability or casualty insurance.”
On the broad range of “small businesses,” those at the small to medium end tend to be at higher risk, Martin says.
Hackers “want a firm that is big enough to pay them a substantial amount of money but small enough that it doesn’t have adequate protection,” Martin said.
Then, the hackers want to cause enough trouble to justify paying a ransomware demand but not so much that they cause the targeted business to fail.
Coverage needs also depend on the type of business, Martin says. When considering cybersecurity needs, business owners can take a critical look at just what a breach would mean: for some, it could just mean buying a new computer after a hacking event. But even the smallest of businesses that deal with highly sensitive data may want to consider more robust coverage, he says.
Mark S. Deion, president of Deion Associates & Strategies Inc., a business management consultant in Warwick, says that while all businesses should take some precautions against cyberattacks, he doesn’t see small businesses as high-risk targets.
For many small businesses, simple and often relatively low-cost measures such as regular data backups are reasonable measures to take against cyberattacks, Deion says.
“For your average small business, say a restaurant, something that has an internet presence, I don’t know how critical they would think [cyber insurance] needs to be,” Deion said. “The people that have been targeted for cybercrimes or ransom have tended to be utility companies, municipalities, hospitals – much larger institutions that potentially have deeper pockets.”
For smaller businesses, “I would say have some good security software in place, have backups that happen frequently and make sure you have protocols in place with employees so people aren’t accepting or downloading information from sources that aren’t trusted or verifiable,” Deion said.
Additionally, Deion cautions that while cyber insurance can offer businesses financial protection, it’s not designed to prevent cybercrimes from occurring.
“Having insurance is just going to cover an expense,” Deion said. “It’s not going to protect you against getting hacked – it’s just going to provide you with insurance for damages.”
While Parisi sees cyber insurance coverage as a need for an increasing number of businesses, he also notes that businesses need a customized approach in order to evaluate what they should pay for this protection.
To combat this trend, small-business owners need more resources to help them weigh how their specific type of business could be affected by cybersecurity threats, Parisi says. Additionally, he says, creative measures such as a cooperative to help small businesses purchase insurance could help to alleviate affordability barriers.