man sitting at a table looking at a laptop

Most businesses rely on computer networks for day-to-day operations, and this creates exposure to cyber risk. Any attempt to steal data or destroy, damage, or disrupt a computer system is known as a cyberattack.

Understanding cyberattack risks to small businesses

No business is too small to experience cyber threats and attacks. Cybercriminals use automation (for example, vulnerability scanners and bots) to quickly find potential targets. Small businesses are at risk because they:

  • Present a large pool of targets, there being so many of them
  • Have less sophisticated systems, providing a path of less resistance
  • Are easier to breach due to less employee training, monitoring and patching
  • Lack resources to invest in cybersecurity products or vendors

Our latest Agent Authority Study found that small business owners should be taking cybersecurity more seriously. Over half of small businesses report they are unprepared to prevent a cyberattack.1

Why you should prepare now

There are many reasons you should take the appropriate steps to protect your business from cyberattacks:

  1. Cyberattacks can be costly and can harm a small business’s reputation.
  2. Worse, some companies don’t realize they have suffered a breach until it’s too late and their finances and reputation are at stake.
  3. Costs include extortion payments, IT forensics, hardware and software upgrades, business interruption from system downtime, complying with notification laws, fines and penalties, lawsuits, and possibly more, depending on the type of attack.

Our survey found that of the small-business owners that have experienced a cyberattack, 33% experience impacted or jeopardized finances, and 32% took a month or longer to recover.

How cyberattacks occur

Cybercriminals can gain access to an organization’s network in many ways, including:

  • Social engineering, primarily phishing, which is when cybercriminals trick people into making security mistakes or giving away sensitive information
  • Remote desk protocol, which, if activated and not placed behind your VPN, can become an easy way for criminals to gain access to your computer systems
  • Compromised passwords, or passwords that are obtained by criminals to access accounts, are a risk for everyone, not just those with weak or easy-to-guess passwords
  • Unpatched systems, which create exposure to vulnerabilities in systems that can be used by cybercriminals to gain access

How cyberattacks impact your business

Once a cybercriminal has access to your network, losses to small businesses can come in many forms:

  1. Ransomware — A ransomware attack occurs when malware or ransomware accesses the computer system and proceeds to encrypt all files and data. Getting the encryption key to unlock the files requires a ransom payment in cryptocurrency, often bitcoin. Please note:
    • The cost of ransomware is increasing; Coveware shows that the average ransom payment in the second quarter of 2020 is $178,254, up by 60% compared with the first quarter2
    • Ransomware can dwell on a system for some time before it’s triggered
    • The complexity and sophistication of attacks is increasing
    • Ransomware can be combined with data breach attacks

  2. Data breaches — Data breach loss involves stolen sensitive information, such as PII (personally identifiable information), PHI (protected health information), financial and credit information, intellectual property and more. Please note:
    • The average cost of a data breach is $178,0003
    • Federal and state regulations require businesses to protect information and notify customers when a breach occurs
    • Data breaches typically result in reputational harm

  3. Social engineering scams — A social engineering scam occurs when a criminal deceives a user into sending money or sensitive data to the criminal’s account. This includes:
    • Impersonating an executive on an email to demand payment or information
    • Sending a fraudulent invoice for payment or intercepting a legitimate invoice and inserting fraudulent wire transfer instructions
    • Using compromised email credentials to pose as a legitimate request for funds

  4. Business interruption — Business interruption occurs when your business cannot operate due to a cyberattack. This can result from:
    • Ransomware
    • A denial of service (DoS) attack, which occurs when a perpetrator overwhelms a website or network with traffic, causing it to slow down or crash
    • System failure or a network outage due to operational or IT issues
    • Third-party dependency, when a supplier you depend on suffers a business outage and it impacts your networks or business income

Create a cybersecurity plan

Our survey found that half or fewer businesses have implement best practices around securing their technology. We recommend the following best practices on how to best prepare for a cybersecurity attack:

  • Train employees — Educate employees on good security practices and teach them how to spot phishing emails
  • Screen before you hire — Conduct background checks on employees who will handle sensitive data
  • Control user access — Prevent any access or use of computers by unauthorized individuals by having a separate user account that requires a strong password for each employee; conduct regular access reviews, during which you review who has access to your business’s systems and remove access as appropriate; revoke access immediately following an employee’s separation from service
  • Secure your networks — Use a firewall and encrypt information; WiFi networks should be secure and hidden, and if a router is used, it should be password-protected
  • Set up endpoint protection — Secure end-user devices such as laptops and mobile devices; this will provide added protection to employees using their own devices or connection to home or public Wi-Fi networks
  • Install antivirus software and keep it updated — All computers should have antivirus software and antispyware installed; software is readily available online from a variety of vendors, and it should be configured to install updates automatically
  • Use strong passwords — Implement a password policy to ensure the security and confidentiality of data
  • Back up your data — Regularly back up data, and store copies offsite or in the cloud; create a data backup and recovery plan, which can help you regain access, should a cyberattack occur
  • Consider cyber liability insurance — Nationwide’s cyber coverage assists with the cost of legal fees and expenses associated with a computer attack, investigating the cause of the attack and more

Stay focused

With the right resources and a detailed cybersecurity plan, you can protect your small business from cybersecurity threats — and continue to thrive.

Small Business Icon
Learn more about Nationwide business insurance Talk to a specialist  

1 2020 Agent Authority Study, Cybersecurity.
2 Ransomware Demands Rise with Market Share Split Between Big Game Hunters and Amateur RaaS Affiliates, (Aug. 3, 2020).
3 NetDiligence Cyber Claims Study 2019 Report,

The information contained in this blog was obtained from sources believed to be reliable to help users address their own risk management and insurance needs. It does not and is not intended to provide legal advice. Nationwide, its affiliates and employees do not guarantee improved results based upon the information contained herein and assume no liability in connection with the information or the provided suggestions. The recommendations provided are general in nature; unique circumstances may not warrant or require implementation of some or all of the suggestions. Nothing in this brochure is intended to imply a grant of coverage.