The High Price of Cyber Attacks: Chubb
The average price tag for a business to recover after a cyber attack is $400,000, which can be fatal for small-and-medium-sized enterprises (SMEs), according to a report published by Chubb.
This hefty cost of repairing the business and its reputation is exacerbated by the frequency of cyber attacks, which have reached 4,000 per day since Jan. 1, 2016, said Chubb, quoting FBI statistics.
Despite these dire statistics, many SMEs may not believe they are at risk, Chubb warned.
“Cyber attacks against SMEs often go unreported by the media, so these quite-frequent crimes tend to fly under the radar, and smaller companies may subsequently fail to understand the true extent of the risk,” said the report titled “Cyber Attack Inevitability: The Threat Small & Midsize Businesses Cannot Ignore.”
“Small and mid-sized businesses are directly in the crosshairs of cyber criminals in the United States and across the world,” said William Stewart, division president of Chubb’s Global Cyber Practice. (Stewart co-authored the report with Dave Charlton, executive vice president of Westchester, a Chubb subsidiary.)
“These businesses often assume they are not targets for cyber criminals, due to their size, industry, or lack of large databases of personal information,” said Stewart in a statement.
“However, the reality is quite the opposite: smaller businesses are actually more vulnerable and considered prime targets for cyber criminals, as their security measures are more likely to be outdated or under-prioritized, opening the door for cyber criminals to deploy attacks quickly, cheaply, and anonymously,” he added.
Part of the perception problem is that many SME leaders lack sufficient information about risk protection and assume their cyber attack risk is relatively small, which creates vulnerabilities that cyber criminals exploit, affirmed the report.
Chubb cited the following real-life examples of methods used by cyber criminals:
- Stolen email account. After a cyber criminal gained access to an email account belonging to a real estate office, he convinced a client of the firm to wire transfer $300,000 to a fraudulent bank account set up by the criminal.
- Ransomware scam. When an employee at a nonprofit accidentally visited a malicious website at work, the company’s shared server became infected with a virus that encrypted all of its files. Cyber criminals then tried to extort money from the nonprofit in exchange for releasing the nonprofit’s stolen documents.
- Phishing scam. When an accounting employee at a social services agency got a seemingly legitimate email request, he provided the W-2 forms of current and former staff members.
- Computer heist. When a small healthcare company was the victim of a laptop theft, sensitive employee payroll information stored on that laptop was lost and compromised.
“From device theft to ransomware, and phishing scams to unauthorized access, cyber criminals can access sensitive information by targeting organizations from the outside, as well as the inside,” said the report.
How Can SMEs Protect Their Businesses?
Despite the gloomy outlook, Chubb emphasized the majority of cyber incidents are preventable, as they mostly stem from human error or a simple lack of proper training. The company recommended SMEs take the following preventative measures:
- Create a cyber-attack response plan and invest in the resources to ensure the plan can be executed.
- Use a secure password manager to make it easier for employees to manage their credentials in a secure manner.
- Educate employees about the risks of cyber crime and deploy software that can reduce social engineering attacks such as phishing.
- Install good antivirus software and ensure it is always up-to-date.
- Update operating systems and applications regularly to ensure they are supported by the manufacturer.
- Protect networking activity with a secure router on your internal network and a virtual private network (VPN) externally.
- Purchase a cyber insurance policy.
“In addition to the built-in loss mitigation services to reduce the risk of being targeted in the first place, a cyber policy will likely include incident response services if an attack succeeds,” said the report.