Big companies usually make the headlines when hackers compromise the confidentiality of millions of customers, but the truth is that 60% of all cyber breaches last year involved small and midsize businesses.
What’s more, many small to midsize firms that are typically prudent in other aspects of their business have not taken the time to understand the data security threat, nor are they managing the issue effectively, according to new survey data from MMA.
Unprepared and Unaware
The 12-page report, 2015/2016 Cyber & Data Security Risk Survey for Small and Midsize Employers, highlights the fact that many are underestimating the potential danger to their business. Notably, the survey found the following:
- Just 6% of the respondents said they thought their organization’s data security was “bomb proof.”
- 2% said they did not have a corporate recovery plan to deal with the loss of confidential, personally identifiable information.
- 9% said their organization did not have the expertise to develop any kind of data security plan.
- Not surprisingly, those organizations that regularly talk about data security and risk management at the C-level are twice as likely to have implemented a recovery program to help manage a data security breach.
What To Do
Do something. Most companies get overwhelmed even thinking about how to prepare for or prevent cyber attacks. From our experience, preparation is key to a company’s success in surviving a data breach. And that preparation can be as simple as 1-2-3.
- Find out where your “crown jewel” data (e.g. employee records, credit card information, health records, intellectual property) lives and invest in technologies to protect that information.
- Create a simple Incident Response Plan (IRP). The plan should outline the steps your company will take when a cyber security incident occurs, including who will be involved and what actions each of them will take.
- Understand what is covered under your cyber insurance policy and the tools available to help prepare for the inevitable. In my own experience working with companies to improve their data security, firms that had insurance when an incident occurred felt it was a good investment.
In general, cyber insurance policies offer reimbursement for the expenses incurred to respond to the breach (e.g. forensics, legal, crisis management, notification and credit monitoring). Coverage will also help pay the legal fees arising from litigation brought by individuals and by regulators. Many policies will also provide funds to keep a company operating if its systems are shut down.
The policy premiums vary widely, with some as low as $1,000 a year, depending on the coverage type. The lower your risk, the lower the cost. Most cyber insurance applications provide a handy checklist of what your company should be doing.
Completing the application often results in new procedures being implemented even before coverage is secured.
To assist companies, many cyber insurers and select insurance brokers have tools to help you prevent, prepare for and respond to cyber attacks.
One of the key takeaways of the survey is that it pays to work with a broker who understands cyber insurance. Thirty-five percent of the respondents said they don’t understand cyber insurance. Some 28% said that the coverage wasn’t worth it. That lack of education is often the result of a broker’s lack of expertise.
So when it comes to cyber, a specialist can make all the difference. Just like you’d see a cardiologist instead of a general practitioner if heart trouble were suspected, the same holds true for cyber insurance. Talk to someone who truly understands the best way to mitigate cyber risk. You’ll be glad you did.