A TruShield Insurance poll found that more than three quarters of Canadian small businesses operate without cyber insurance. Here’s why no protection is a hack approach when it comes to managing cyber risk.
According to Ginni Rometty, IBM’s Chairperson, President and CEO, “…Cybercrime, by definition, is the greatest threat to every profession, every industry, every company in the world.” Bleak words from a large multinational corporation, but we wanted to get a view on what small businesses think about cyber risk. To find out, we polled hundreds of small business owners and decision makers from coast to coast, and it turns out that 77% of them don’t have cyber insurance.
“You can’t research your way to an effective response plan. Executing a recovery strategy as soon as you get hacked will mitigate the negative impact on your business from a financial and reputational perspective,” explains James McDowell, Blackberry’s Cybersecurity Director. An effective response plan should include cyber insurance coverage. Insurance can help cover some of the costs that may result from a cyber hack, including the cost of hiring the various professionals necessary to best execute a business’ recovery strategy following a cyberattack.
So the question becomes, if cyber insurance can help mitigate the costs of a cyberattack, why do three quarters of Canadian small business owners polled not have it? Our research revealed a number of “myths” about cyber security that may be mystifying the consequences of not getting coverage. Here are the four myths you should watch out for.
Myth #1: Data doesn’t need to be backed up regularly.
33% of Canadian small businesses we surveyed don’t back up their data at least once a week. That may not seem like a lot, but considering how beneficial and easy it is to perform a back-up, that 33% should be a lot closer to zero. How often you back up your data directly correlates to how vulnerable your business is after a cyberattack.
Let’s say your business falls victim to ransomware which locks you out of your own data, and the hackers responsible are attempting to ransom it back to you. If you happened to back up all your information a day before the cyberattack, your business would be in a better position to pick itself back up while you deal with the ransom issue. However, if you last performed a backup one month ago, there’s a greater chance that you’ll be locked out of important data, making it much harder for your business to resume operations. Ideally, your backed-up data is recent enough that you don’t even need to pay the ransom to get your locked data back. Instead, you can simply proceed with your backup version.
Myth #2: Customer data only needs to be protected if it’s related to financial information.
Our research found that of the Canadian small businesses we surveyed that aren’t protected by cyber insurance, only 9% store their customers’ credit card information. On the other hand, more than half of those same non-insured businesses collect non-financial customer data such as phone numbers and email addresses. Even though businesses may be more likely to protect customer data of a financial nature, the reality is that all customer data is worth protecting equally. This is because hackers and other criminals don’t need financial information to seriously damage a person’s finances.
If a cybercriminal obtains credit card information, how long is their window of opportunity to use it for illegal activity? While it could take a month or two for customers and companies to realize a card was compromised, odds are the card gets cancelled quickly and has a relatively short shelf life. However, what if that same hacker got access to names, emails and home addresses, then checked online sources such as social media sites to gather enough personal information to commit identity theft? That kind of crime can take victims years to recover from.
Scenarios like the one above highlight some of the reasons that businesses have been hit with class-action lawsuits after their data was breached, even though none of the compromised information was finance related. Speaking of which…
Myth #3: A class-action lawsuit is the biggest risk to a business whose customer info has been hacked.
Canadian small businesses seem well aware of the devastating impact a class action lawsuit can have on their company. Almost three quarters of the businesses we surveyed without insurance aren’t confident they have the financial resources to survive a class action lawsuit that may result from a cyberattack.
Unlike the first two myths, this one has some truth to it since a class action lawsuit might end up being the biggest repercussion a business experiences from a cyberattack. However, if a business’ customer data gets leaked to the public and the customers impacted decide not to file a class action suit, does that mean the business is in the clear? The answer, unfortunately, is: absolutely not.
Cyberattacks, even without class action or other lawsuits, can severely damage a company’s reputation. Existing and potential customers may distance themselves from the hacked business as a precaution. Enlisting reputation-management professionals to handle the crisis can be a significant cost, and they aren’t the only pros you’d need to hire either. Recovering your compromised data from the cyber criminals and restoring it to your systems isn’t something you’ll want to do alone, even if your business is tech-savvy. (Check out this article for some tips on how to proceed after experiencing a cyberattack.) And since it may take a while to get a business back up and running after a cyberattack, the amount of potential revenue lost during that process can quickly add up.
In short, lawsuits are a risk to businesses that have undergone a cyberattack but they aren’t necessarily the only one, as other risks can be quite problematic as well.
77% of small business owners operate without cyber coverage. Of that 77%, 64% store their customers’ data.
Myth #4: A business that stores electronic data isn’t better off with cyber insurance.
We’re hoping that by now, this myth debunks itself! The most common way the Canadian small businesses we surveyed justify not getting cyber insurance is that they “never really thought about it”. The second-most common justification is “I don’t think we need it.” Cyber insurance is worth thinking about and getting because it can help a business with every nightmare scenario mentioned above. If you forget to back up your data and experience a cyberattack, you’ll be glad you have insurance. If hackers get a hold of your customer data, financial or otherwise, you’ll be glad you have insurance. If you need to hire a reputation-management professional after your business gets hacked, insurance can help you cover the costs. Can’t operate while getting your business back up and running following a cyberattack? Business interruption insurance can be included on a cyber policy. Even if you end up facing litigation as a result of your organization’s customer data being leaked, insurance can be there to help with the legal fees.
The reality is that any business, regardless of their size or resources, can be a few mouse clicks from getting cyberattacked. Thankfully, a cyber insurance policy to protect you is also just a few clicks away—and that’s no myth.
This blog is provided for information only and is not a substitute for professional advice. We make no representations or warranties regarding the accuracy or completeness of the information and will not be responsible for any loss arising out of reliance on the information. Terms, conditions and exclusions apply to coverage. See policy for details.