Preparing for the risk of cyberattacks

Steps that can help protect systems, assets and customers





Most cyberattacks are designed to steal sensitive or proprietary data and/or alter, disable or destroy critical IT systems.


Any business can become a victim of a cyberattack, but those that are prepared generally end up with less financial or reputational damage.


Organizations need to understand cyberattacks and be willing to take the appropriate steps to reduce their exposures.

The world is more interconnected than ever before. Using computer networks and the internet, organizations have grown exponentially by leveraging data, creating efficiencies and reaching new markets. These new digital technologies have allowed them to unlock their potential in ways that were unimaginable just a few decades ago.

But those same technologies have also created a new set of exposures and threats that organizations must understand and address if they want to prevent or mitigate a cyberattack. In fact, Nationwide's 2019 survey of business owners found that 86% of them believe their digital risk will only continue to grow.


A cyberattack costs businesses an average of $200,000.[1]

Cybercrime is big business, and its perpetrators — which include organized crime and nation-states — are becoming more sophisticated. With companies' increasing reliance on computer systems and the sheer amount of data being handled by them, cybercriminals have no shortage of targets and methods to attack. Making matters worse, the financial stakes have increased for businesses, and a cyberattack can haunt an organization for years. These incidents now cost businesses of all sizes $200,000 on average, according to CNBC. In 2019 alone, the FBI's Internet Crime Complaint Center included information from 467,361 complaints of suspected internet crime — with reported losses exceeding $3.5 billion.

The threat and potential impact of cyberattacks loom large for all organizations, regardless of their size, industry or revenue. This is especially true for small- and middle-market clients who know they have cyber exposures but may not have the expertise or resources to protect their organization. Gone are the days when cybersecurity and cyber insurance conversations were reserved for the boardrooms of the world's largest companies. It's now critical that every organization understand cyber exposures and take the appropriate steps to protect its assets, customers and bottom line.

Common cyber threats facing all organizations

Simply put, a cyberattack occurs when a malicious party (e.g., an individual, nation-state or criminal organization) gains access to a computer system or network for financial or destructive purposes. There are several ways a cyberattack can be carried out, but most are designed to steal sensitive or proprietary data and/or alter, disable or destroy critical IT systems. The following are some common examples of cyberattacks as outlined by the U.S. Small Business Administration (SBA):

Malware


This is a common weapon for cybercriminals and can include threats such as viruses, worms, trojans, adware and spyware. In general, malware is installed on a victim's computer when they accidentally click a malicious link, download infected software or visit an infected website.

Ransomware


One of the most common types of malware, this is used to lock victims out of files, applications or networks until they pay a ransom. Ransomware is typically installed via malicious links in emails, and recovering from attacks can easily cost over $50,000. The costs associated with these attacks include forensics, business interruption and expenses to restore systems, even when the ransom is paid.

Phishing


Attacks occur when a cybercriminal (disguised as a reputable source) sends a malicious email, text or similar message to potential victims. These messages are meant to trick recipients into opening malicious links, downloading harmful software or providing personal information. Phishing is more of a threat vector than an actual cyberattack.

Other examples include denial-of-service attacks, which occur when a website is overwhelmed with traffic intended to render it useless, and data breaches that involve the theft of personal, financial or health care information. Data breaches can also include theft of proprietary information.

How businesses can protect themselves from a cyberattack

Any business can become a victim of a cyberattack, but those that are better protected or have procedures in place to manage a cyberattack generally end up with less financial or reputational damage. As such, preparation is key when it comes to preventing or minimizing the harm caused by a cyber event. Organizations need to understand all the ways different cyberattacks can harm their business and be willing to take the appropriate steps to reduce their exposures. Businesses should consider the following strategies recommended by the SBA to prevent or mitigate a cyberattack:

Train employees to be the first line of defense.

Maintain cyber hygiene.

Protect sensitive data.

These strategies can help organizations plan for and weather a cyberattack. Companies should also strongly consider securing a comprehensive cyber risk insurance policy tailored to their needs, and it should be reviewed regularly to make sure that it adequately meets changing needs and threats. However, even with an insurance policy, cybersecurity is an ongoing challenge, and organizations will need to continually invest in the right resources, strategies and expertise to remain prepared for an attack and ensure the longevity of their business.


Learn more about cybersecurity by visiting the SBA, CISA or NIST. If you're an agent interested in growing your commercial book of business, please go to

About the expert

Catherine Rudow, Vice President of Cyber Insurance


Catherine works with many departments within Nationwide to expand cyber insurance offerings to meet the needs of its members. Her in-depth knowledge of cyber risk also extends to developing strategies for non-cyber traditional lines of business that are exposed to... technology and the internet.

Catherine has over 25 years of experience in the reinsurance industry covering a wide range of casualty lines of business. Prior to joining Nationwide, Catherine worked at PartnerRe as a senior-level underwriter, where she built the cyber insurance portfolio and branded PartnerRe as a lead reinsurance market for cyber insurance business.

Catherine has a Bachelor of Commerce in international business and a Bachelor of Science in psychology from Concordia University in Montreal, and an MBA from Yale University.