The cybersecurity threat environment is increasingly dangerous. Ransomware attacks are on the rise, doubling in frequency over the last few years, and cloud-based attacks continue to catch insecure companies off-guard. It’s simply not enough to invest in prevention technology and cross your fingers hoping that your organization doesn’t falter and succumb to an attack. Instead, organizations need to be prepared for the inevitable — facing a data breach or a security incident.
This reality is particularly concerning for SMBs, which are at elevated risk. Not only do they face many of the same attacks that well-funded enterprises do, but they’re also more exposed to vulnerabilities and zero-day exploits, making problems like Log4j and Follina more dangerous. Hackers know SMBs are prime targets and are now directing attacks towards them.
To help offset this cyber risk, SMBs should look towards cyber insurance. This is key for ensuring a healthy recovery in the face of a cyber attack as it mitigates much of the financial repercussions associated with data breaches and cyber attacks.
In this article, we’ll show you why SMBs need to start looking for cyber insurance providers.
SMBs are exposed to more financial risk
SMBs don’t have the wiggle room in their budgets to account for a data breach or ransomware attack that affects business continuity. According to the IBM Cost of a Data Breach Report, costs of a data breach rose to $4.24M, on average. This includes costs related to investigation, recovery, and remediation services, which are necessary steps any affected company needs to take to recover appropriately.
While it’s not ideal, large enterprises with huge profits and revenue figures can afford these costs more comfortably. Smaller companies, however, may not have the funds to cover these kinds of costs and are more likely to have their business disrupted due to an attack. Depending on the severity of the security incident, revenue loss can stack up and companies may even lose customers. It may take months or years for an SMB to properly recoup and get back to a state of normalcy.
The damage and risk associated with a data breach are why 60% of SMBs that are hit with a data breach end up shutting down. Cybersecurity risk easily translates to financial and business risk. Without any risk management controls and services in place, SMBs are sitting ducks for an attack they can’t afford to have happen.
SMBs don’t have enterprise-level cybersecurity resources
SMBs simply have fewer available resources — specifically budget and staff. Given these limitations, it’s hard to realistically expect SMBs to devote a significant chunk of their budget to build a robust cybersecurity department. Only the largest enterprises have effective in-house cybersecurity and SMBs wouldn’t benefit as much from having a partial cybersecurity department.
Operationally speaking, even if an SMB does try to properly build up its cybersecurity, it may take years before any cybersecurity value is realized, especially if the end result is to have a major cybersecurity department in place. SMBs also may not have the right staff or a leader with the right cybersecurity experience. This makes prioritizing cybersecurity and establishing a roadmap for cyber resilience difficult.
This is why many SMBs resort to third-party partners and services, like MSPs, to provide cybersecurity support and services. However, while this does provide beneficial services, it may leave the organization open to a supply-chain attack that leverages the MSP as an attack vector.
SMBs face elevated cyber risk
The majority of attacks deployed by malicious hackers and threat actors are automated, which is why attacks are deployed every 39 seconds and over 30K sites are hacked daily. These automated attacks are constantly looking for an unsuspecting victim or for a company with minimal security controls in place. Unfortunately, too often, this means an SMB.
Because SMBs lack the right cybersecurity infrastructure or technology, they’re more likely to fall for an attack. They also can’t respond quickly or appropriately to an attack and don’t have the right capabilities to address new threats and risks. This also means they’re more vulnerable to new exploits and vulnerabilities, particularly zero-day vulnerabilities.
For example, Log4j was a zero-day vulnerability that was being exploited in the wild and was discovered by security researchers in late 2021. While a patch was eventually released, smaller companies may not have even known that this vulnerability was out there, let alone known how to mitigate the risk on their devices.
SMBs will struggle with every new zero-day vulnerability. Follina, another zero-day vulnerability, has recently been discovered, affecting Windows OS devices. While the attack is relatively sophisticated, how it reaches a company isn’t. A victim simply needs to open an Office document (or preview it) for the attack to get into an organization’s network.
Fortunately, Windows has released a patch, but that means it’s up to the organization to update its systems. If a company doesn’t have the right patch management system in place, it may not update all the devices needed to eliminate or reduce the risk of this vulnerability. It may also lack the right asset management and visibility process, resulting in shadow IT. Without knowing what systems are connecting to your company’s network, you can’t account for their security. Against zero-day exploits, not knowing where your vulnerabilities lie can result in a security compromise quite quickly.
This is partly why hackers have expanded their methods and now have SMBs in their sights. SMBs are increasingly being targeted with ransomware, phishing, and APT attacks. Hackers know these companies are vulnerable and are taking advantage.
How cyber insurance can help SMBs
Cyber insurance is a service designed to cover the costs associated with data breaches, ransomware, and other cybersecurity incidents. This includes investigation, recovery, and remediation.
Cyber insurance is also more affordable for SMBs. Premiums are generally lower because the company has a smaller digital footprint: there are fewer devices, employees, and locations to insure.
The industry has also made requirements for procuring cyber insurance more stringent, largely because coverage has favored insured companies quite dramatically. However, this means that in order to obtain cyber insurance, SMBs need to develop better cybersecurity practices and meet specific cybersecurity requirements.
These requirements aren’t too demanding; instead, they help SMBs build up a better cybersecurity posture. Because this could be part of the cyber insurance procurement process and thus a risk management priority, it may be easier for a company’s stakeholders to approve and devote resources to this initiative. This results in a more secure SMB that’s also insured in case of a compromise.
Ultimately, cyber insurance transfers the financial risk of security incidents to the insurer, securing the longevity of the organization and making it more capable of handling a cybersecurity incident. It should be considered a key recovery asset, and it makes the worst-case scenario much more bearable for smaller organizations.
Learn more about Bitdefender’s security solutions for small to mid-sized businesses and check out our webinar on Cyber Insurance 101.