Preparing for the risk of cyberattacks

KEY HIGHLIGHTS

• Most cyberattacks are designed to steal sensitive or proprietary data and/or alter, disable or destroy critical IT systems.
• Any business can become a victim of a cyberattack, but those that are prepared generally end up with less financial or reputational damage.
• Organizations need to understand cyberattacks and be willing to take the appropriate steps to reduce their exposures.

The world is more interconnected than ever before. Using computer networks and the internet, organizations have grown exponentially by leveraging data, creating efficiencies and reaching new markets. These new digital technologies have allowed them to unlock their potential in ways that were unimaginable just a few decades ago.

But those same technologies have also created a new set of exposures and threats that organizations must understand and address if they want to prevent or mitigate a cyberattack. In fact, Nationwide’s 2019 survey of business owners found that 86% of them believe their digital risk will only continue to grow.

Cybercrime is big business, and its perpetrators — which include organized crime and nation-states — are becoming more sophisticated. With companies’ increasing reliance on computer systems and the sheer amount of data being handled by them, cybercriminals have no shortage of targets and methods to attack. Making matters worse, the financial stakes have increased for businesses, and a cyberattack can haunt an organization for years. These incidents now cost businesses of all sizes $200,000 on average, according to CNBC. In 2019 alone, the FBI’s Internet Crime Complaint Center included information from 467,361 complaints of suspected internet crime — with reported losses exceeding $3.5 billion.

The threat and potential impact of cyberattacks loom large for all organizations, regardless of their size, industry or revenue. This is especially true for small- and middle-market clients who know they have cyber exposures but may not have the expertise or resources to protect their organization. Gone are the days when cybersecurity and cyber insurance conversations were reserved for the boardrooms of the world’s largest companies. It’s now critical that every organization understand cyber exposures and take the appropriate steps to protect its assets, customers and bottom line.

Common cyber threats facing all organizations

Simply put, a cyberattack occurs when a malicious party (e.g., an individual, nation-state or criminal organization) gains access to a computer system or network for financial or destructive purposes. There are several ways a cyberattack can be carried out, but most are designed to steal sensitive or proprietary data and/or alter, disable or destroy critical IT systems. The following are some common examples of cyberattacks as outlined by the U.S. Small Business Administration (SBA):

Malware

This is a common weapon for cybercriminals and can include threats such as viruses, worms, trojans, adware and spyware. In general, malware is installed on a victim’s computer when they accidentally click a malicious link, download infected software or visit an infected website.

Ransomware

One of the most common types of malware, this is used to lock victims out of files, applications or networks until they pay a ransom. Ransomware is typically installed via malicious links in emails, and recovering from attacks can easily cost over $50,000. The costs associated with these attacks include forensics, business interruption and expenses to restore systems, even when the ransom is paid.

Phishing

Attacks occur when a cybercriminal (disguised as a reputable source) sends a malicious email, text or similar message to potential victims. These messages are meant to trick recipients into opening malicious links, downloading harmful software or providing personal information. Phishing is more of a threat vector than an actual cyberattack.

Other examples include denial-of-service attacks, which occur when a website is overwhelmed with traffic intended to render it useless, and data breaches that involve the theft of personal, financial or health care information. Data breaches can also include theft of proprietary information.

How businesses can protect themselves from a cyberattack

Any business can become a victim of a cyberattack, but those that are better protected or have procedures in place to manage a cyberattack generally end up with less financial or reputational damage. As such, preparation is key when it comes to preventing or minimizing the harm caused by a cyber event. Organizations need to understand all the ways different cyberattacks can harm their business and be willing to take the appropriate steps to reduce their exposures. Businesses should consider the following strategies recommended by the SBA to prevent or mitigate a cyberattack:

Train your employees

While employees are often the gateway for cyberattacks, they are also a business’s first line of defense against them. Proper training can help employees identify common cyber threats and respond appropriately. Ideally, training procedures would be tailored to the organization’s needs, but even an “off-the-shelf” training program is better than none. And since one employee mistake can compromise a business’s entire system, it’s important that training isn’t simply limited to employee orientation but is done frequently and always covers the latest trends, threats and organizational changes.

Maintain cyber hygiene

Companies should install the latest anti-virus software, regularly patch their software, secure their networks and require employees to use strong passwords that are changed often. A strong password includes 10 characters or more and at least one uppercase letter, one lowercase letter, one number and one special character. Businesses should also make sure their vendors and suppliers have safeguards in place, especially for those that handle sensitive data. Businesses can take advantage of vendors, such as financial institutions, that offer multifactor authentication for their accounts.

Protect sensitive data

Organizations should regularly back up their systems and store that backup data remotely from their network. They should also work with their banks or card processors to ensure they are using the most trusted and validated tools and anti-fraud services. In addition, companies should prevent access to or use of business computers by unauthorized individuals. For example, laptops can be particularly easy targets for theft or can be lost, so employees should lock them up when unattended. Administrative privileges should be given only to trusted IT staff and key personnel.

These strategies can help organizations plan for and weather a cyberattack. Companies should also strongly consider securing a comprehensive cyber risk insurance policy tailored to their needs, and it should be reviewed regularly to make sure that it adequately meets changing needs and threats. However, even with an insurance policy, cybersecurity is an ongoing challenge, and organizations will need to continually invest in the right resources, strategies and expertise to remain prepared for an attack and ensure the longevity of their business.

KEY TAKEAWAYS

1. Train employees to be the first line of defense.
2. Maintain cyber hygiene.
3. Protect sensitive data.