The cyberthreat against small businesses is mounting as attacks soar. And it's not just large retailers, like Home Depot and Target, getting hacked. Just ask Kevin Stecko, the owner of specialty T-shirt maker 80sTees.com. In January he was notified by Discover that cardholders using his site had experienced suspicious transactions on their accounts. The company immediately stopped collecting credit card data, brought in a forensic examiner and contacted the Secret Service.
Despite the expert firepower, the team found no evidence of an intrusion. But just a few months later, Visa and then MasterCard complained about fraudulent charges, confirming Stecko's fears: The personal data of thousands of customers had indeed been compromised.
The source of the breach was later determined to be a former senior executive who has since died. According to Stecko, it cost the company $200,000 to resolve the issue, which doesn't count the sales the company lost when it was only able to accept PayPal. He didn't have cyberinsurance to cover the data theft and was shocked to find out that the price for cyberliability coverage was $1,500 a month.
"It was just ridiculous," Stecko said. He had "fully expected to get a decent rate," since 80sTees.com had outsourced its payment processing.
Unfortunately, 80sTees.com's situation isn't unique. A Symantec report released earlier this year estimated that companies with 250 employees or fewer absorbed 31 percent of cyberattacks in 2012, more than double the 18 percent found in 2011. The two main types of attacks against small companies are ransomware, where an insider invades computers at a company's location and encrypts important data, as was the case at 80sTees.com; and Trojan horses, often used to attack companies that are working in the supply chain of large companies.
"We are getting a ton of requests from small businesses," said Michael Cavanaugh, an assistant vice president at Apogee Insurance Group, an insurance wholesaler based in King of Prussia, Pennsylvania. "The minimum payments are pretty low for a lot of these guys. It's not like they can't afford it."
According to Insureon, an online insurance provider that serves small businesses, premiums vary widely, depending on the size of the business, based on revenue and payroll and the type of work it performs. E-commerce companies, for instance, can expect to pay premiums ranging from $500 to $2,000 a year, depending on the policy and work performed, the company said. A small professional-services firm could expect to pay about $1,000 a year, Cavanaugh said.
Multimillion-dollar businesses such as 80sTees.com, however, can expect to pay considerably more.
Small businesses face many of the same cyberrisks as large corporations, including data breaches, the liabilities and lawsuits that follow after confidential customer data is stolen, and the business interruptions due to attacks that cripple websites. Cyberrisk insurance covers these issues, as well as acts of extortion and the introduction of malicious code or viruses.
One of the reasons why smaller businesses are vulnerable to hackers is that many lack an IT department and tend not to be as diligent as larger companies about security. That attitude, though, is changing.
"It's an easier sell than it has been in years past," said Robert Parisi, Marsh & McLennan's managing director and National Cyber Risk Practice leader, in an interview regarding cybercoverage. "They typically haven't budgeted for it. It's not a mandatory coverage unless they are being required to do it because of a contract. Until fairly recently, there has been a belief that by being small, they were less at risk than their larger brethren."
For instance, a small business that doesn't store large amounts of confidential data, such as credit card numbers or medical history, can get away with spending a few hundred dollars a year by purchasing a simple addendum to its policies. E-commerce sites, doctors' offices and other companies with data that has to be protected pay considerably more. The premium price that Stecko of 80sTees.com was quoted falls within that pricey ballpark.
Companies that run their networks through third-party servers, known as the cloud, need to buy this coverage as well, since cloud companies have exemptions in their service contracts absolving them from security liabilities.
"Even if the cloud provider is negligent for a loss, the cloud provider may have limited liability to the insured, which could still have first-party losses and third-party damage," said AON's head of cyberrisk, Kevin Kalinich.
Therefore, the need for small businesses to have cybercoverage is greater than ever. Here are four compelling reasons why:
1. Your general policy won't cover an attack. Some companies are under the impression that their existing general business insurance policies provide sufficient coverage for cyberattacks. They don't. Trying to get coverage under these traditional lines of insurance is proving increasingly difficult, if not impossible.
2. The cost of an attack can be devastating. The average cost of an attack on a small company with less than 100 employees is a whopping $3.5 million, according to Ponemon Institute's 2014 data breach study.
80sTees.com's experience demonstrates how quickly expenses can add up. Not only do forensic examiners need to be hired but also lawyers, security consultants and public relations firms. Let's not forget the credit monitoring that companies need to provide affected customers. "It's hard to figure out what happened, when it happened and how many records were compromised," said Timothy Francis, an expert on cyberinsurance and vice president of portfolio management at Travelers Bond & Financial Products.
3. You can be ensnared in a regulatory quagmire. Data breach coaches—specially trained law firms—help companies sort through the 47 separate state laws and federal statutes that could come into play if a network is compromised. Failure to follow these laws can result in fines.
Not only do notifications have to be provided and credit monitoring set up, forensic investigators will need to be hired to determine the cause of hacking in order to prevent it from happening again. In some cases, crisis communications consultants will be retained as well.
4. Business interruption can put you out of business. A hack attack can put a company's e-commerce operations in a tailspin, since it usually causes a hardware malfunction and the freezing of credit card processing. Online merchants who have been hit with breaches can also find themselves in hot water with credit card companies and face potential penalties.
Nicholas Economidis, a professional liability underwriter at Beazley Group who specializes in cyberrisk management, points out that the credit card companies will accept forensic audits only from firms they approve of, and they won't reactivate a merchant's account until its cybersecurity is brought up to an acceptable level. Insurance firms provide legal assistance and may hire a second forensic firm to review the work of another expert if needed.
Just the risk-management team a smaller company needs in this digital age.
—By Jonathan Berr, special to CNBC.com