By: Edward L. Blais, JD, CIC, CPIA
Last May, a cyberattack shut down the United States’ largest pipeline, causing gas prices to spike on the East Coast.
Colonial Pipeline is the largest supplier of gas on the East Coast, but if you think being a small business makes you a smaller target, think again.
According to Expert Insights, a cybersecurity firm, “As attackers increasingly automate attacks, it’s easy for them to target hundreds, if not thousands of small businesses at once. Small businesses often have less stringent technological defences, less awareness of threats and less time and resource to put into cybersecurity. This makes them an easier target for hackers than bigger organizations.”
Small businesses need to start taking cybersecurity more seriously, especially as more employees work remotely. The Colonial Pipeline hack was reportedly caused by just one leaked password, snatched from a remote account. A major attack on your data and systems may not only disrupt your business like it did with Colonial Pipeline – it could put you out of business.
Common Types of Cyberattacks
Businesses face any number of threats from cybercriminals. Some of the more common ones are:
- Phishing. These are the most common, making up 90 percent of attacks on businesses. In phishing, a scammer sends emails from what appears to be a trustworthy source, such as a bank or company official, in order to obtain confidential information.
- Spoofing. This is similar to phishing, in that you receive what appears to be an email from a trusted source. The difference is that spoofing focuses on identity theft. In one attack, a phisher pretended to be the company CEO, asking a payroll employee for employee W2s. The information was then used to file fraudulent tax returns on behalf of those employees. (Fraudulent tax returns can be used to steal someone’s tax refund.)
- Malware. This is the catch-all term for any ‘malicious’ code that is used to infect your systems, stealing or deleting data.
- Ransomware. In this attack, hackers encrypt all of your data, locking you out. You can only gain access by paying a ‘ransom’ fee, which is what happened in the Colonial Pipeline case, and that case is hardly an isolated one. In 2018, over two thirds of ransomware incidents involved small businesses, with $116,000 in average ransom amounts.
How to Protect Your Business
Fending off cyberattacks takes a multi-faceted approach. It doesn’t make much sense, for example, to purchase cybersecurity insurance without also training your employees. Likewise, taking these steps without having a firewall or virus security system will still leave you vulnerable. We recommend the actions below.
- A cybersecurity audit. Begin by assessing where your business stands right now. Do your employees have work laptops and cell phones? Do they work remotely? Do you use two-factor authentication for email logins?
- Cybersecurity insurance. Like any other risk your business faces, you need to make sure you have insurance. Right now, just a fifth of businesses carry this form of insurance. One option is Selective’s Cyber Liability Insurance and Data Breach Response Coverage.
- Security software. Having security software is a must today, for both individuals and businesses alike. Expert Insights has some recommendations here.
- Staff training. One of the biggest vulnerabilities businesses have isn’t their hardware or software; it’s the human element. Attacks like phishing or spoofing can only be effective with employees who aren’t vigilant. There are numerous cybersecurity training programs available. Here’s one list. You may also be able to get a training program through your insurance carrier.
- A cyber response team. In addition to the above steps, it’s prudent to have a cybersecurity team in place to respond to attacks. Selective’s Cyber Liability Insurance and Data Breach Response Coverage includes support from a team of cyber experts who will assist and guide you in how to respond to the attack.
Incidents like Colonial Pipeline’s ransomware attack should be a wake-up call to all businesses. Small businesses need to recognize their small size does not make them less likely to be attacked. Instead, it makes them more vulnerable, especially if they haven’t made the investment that a larger business may have in cybersecurity. With the above proactive steps, you can ensure cybercriminals won’t catch you off guard.
Here at Blais Insurance, cybersecurity insurance is among the products we offer to businesses. For any questions or assistance, call us at (401) 725-0070.