Small businesses face big cyber-risks
By Mark Pribish
Is your business prepared for the cost, liability and potential business interruption of a data breach? Your business being hit by ID-theft criminals is a frightening thought, but one you should consider. Thousands of small businesses experienced a data breach around the same time as Target was making headlines, according to a Department of Homeland Security report published in August.
The report from DHS, in partnership with the Secret Service and others, said the attacks were pervasive, with ID-theft criminals scanning computer networks of businesses for vendors or employees who had remote access. Hackers then were able to run programs to obtain usernames and passwords for network access.
So what is a business cyber-risk, and why should you care? Cyber-risks span a business's electronic and hard-copy information assets, computer networks, e-business applications, and its website and Internet presence. Cybercriminals want, and understand the value of, the sensitive information companies commonly hold on customers and employees, and they could not care less about the financial, brand and other disastrous damage they inflict on the businesses they hit.
When any organization fails to prevent its information from being lost or stolen – known as a data breach event – that organization can be liable and/or legally responsible and may be required to send notification letters to affected individuals and provide them credit bureau monitoring in an attempt to detect financial ID theft.
Other cyber-risks include intrusions to steal trade secrets and cyberextortion, when a hacker threatens to steal or release confidential information unless the business pays the criminal.
What can you do about cyber-risks for your organization? Consider cyberinsurance to help protect your business when you experience a data-breach event. Cyberinsurance reimburses for expenses such as notification costs, providing credit bureau monitoring, lost business, reputation, crisis management and the cost of restoring lost data. It can also cover accidental employee releases of confidential information or the commission of an unauthorized act.
Not all cyberinsurance is equal; different policies have different exclusions. Should you decide to get cyberinsurance, be sure to ask your broker about the coverage in general and specifically about the following list of common exclusions:
• Fraud and illegal activity.
• Unlawful collection of personal information.
• Spam or the distribution of unsolicited e-mails.
• Interruption of Internet access.
• Terrorism, as many cyberattacks originate in foreign countries.
• Undetected policy language in the court of law.
In addition, DHS recommends that companies limit the number of vendors with company network access and require more complex passwords for vendors and employees.
Small-business owners, please note: Your business is a target, and recent statistics show that 31 percent of data breaches were at organizations with 100 employees or fewer.
Mark's Most Important: Cyberinsurance may be a good option to help your business minimize today's cyber-risks. Work with your insurance broker to determine your cyber-risks and the best coverage for your organization.
Mark Pribish is vice president and ID-theft practice leader at Merchants Information Solutions Inc., a national ID-theft and background-screening provider based in Phoenix. Reach him at firstname.lastname@example.org.