Small Business Cyber, Fight Back: How Your Business Can Survive the Cyber Threat

Native Article: Small Business Cyber
Writer/Editor: Michael Corcoran, Bloomberg Businessweek
Context: This article is one of 8 native articles written by Bloomberg Businessweek (BBW) on essential topics in our business. These support the Travelers point of view and often feature interviews with Travelers professionals. These articles are published within the new Risk area of the Bloomberg Businessweek media site. They are labeled “sponsored post” to distinguish them from adjacent journalism. They are meant to be consistent with the BBW editorial voice. 

Fight Back: How Your Business Can Survive the Cyber Threat

It was likely a morning that began like any other at the small business in this true story. Employees arrived for work, maybe had some coffee and checked their email inboxes. A few noticed an email regarding a transfer of funds that had failed and forwarded it to their in-house accountant, who clicked on the attachment to see if there was a problem that required attention. Twelve hours later, the bank account of the business was wiped clean of the $150,000 or so that represented the business’ operating liquidity.

Chris Hauser, 2nd Vice President, Travelers Investigative Services, leads a team that can be called upon in such situations. After investigating, his team was able to quickly piece together how the cyber breach had taken place. At 5:00 AM, the company received about 30 spam emails describing a failed transaction. The emails were “laced with poisoned attachments,” says Hauser, and all but a few were blocked by the firewall as spam. “But the few that got through were passed around by employees and found their way to the accountant—putting the virus on the exact computer that the bad guy wanted to access.”

The accountant recognized something wasn’t quite right and ran an antivirus scan, but even though the virus was detected, it couldn’t be removed in time. “It was a preventable incident,” says Hauser, “and there were several opportunities to thwart it if the employees were aware of computer security and the appropriate response.”

But they weren’t.

Small businesses, big risks
In the past year alone you’ve undoubtedly heard of several instances of big businesses falling victim to hackers, imperiling sensitive personal information of millions of customers.

What doesn’t make the news are the countless incidents of cybercrime perpetrated against small businesses. For example, the latest iteration of sophisticated cyber attacks is ransomware, which quietly goes about encrypting all of a business’ data and then locks it down. Small businesses that have mountains of information—think local law firm, CPAs, dentists—are in a world of hurt if their data is taken hostage and they don’t have it backed up. (The end game here for the bad guys is that you pay a ransom, typically in Bitcoin, to have the keys to your data returned to you. So intriguing is this particular type of cybercrime that it was recently featured on the hit TV show The Good Wife.)

According to Symantec Corp., a leader in information protection, targeted cyber attacks against small businesses nearly doubled in 2013, skyrocketing 91 percent compared to 2012. If you’re a small business owner and your knee-jerk reaction to that fact is “Why would anyone bother to attack my business?”

“That’s exactly the reason someone might target your small business,” says Travelers’ Mike DeHetre, Vice President of Product Development, Select Accounts. DeHetre is focused on small businesses in his work, and according to him, it’s a mistake to think the size of your business makes it safe from cyber attacks. 

“You might think your small business doesn’t have much to steal and that it’s fairly low profile, and as a result, you might not incorporate cyber risk management into your operations as thoroughly as you should,” says DeHetre. “That makes your business an extremely vulnerable and soft target for cybercriminals who aren’t looking to take down a multinational corporation—not all bad guys are after big fish. Some of them are happy to sit around and pick off low-hanging fruit until they aggregate a couple of thousand dollars of valuable material. From the mom and pop locksmith, the florist next door, the auto body shop down the street—and they line them up and take them down in that fashion.”

Part of the challenge and reward of running a small business is that as the owner you are involved in everything—which makes it hard to focus on any single thing. Risk management tends to be something you think about when the risks are becoming reality, only to give way to the daily responsibilities of your “day job” once those apparent risks recede.

“We encourage small businesses to change the lens they use to view cyber risks,” says DeHetre. “For example, most small business owners have no trouble envisioning the risks associated with a fire, burglary or lawsuit regarding their products. Intrinsically, they get how those risks could impact their business. What we try to do is get them to consider cyber risk in that same category.”

The good news is that while it might seem like a lot of extra work to incorporate cyber risk management into your overall risk considerations, it’s entirely possible you’re already doing so without realizing it. 

“A lot of what you’re already doing as a small business owner within your business practices and safety and security programs is also important for cybersecurity, which allows you to focus on additional controls to be put in place to upgrade the quality of your cyber risk preparedness,” says Bob Gazdik, National Director, Risk Control, at Travelers.

Putting the pieces in place
Being subjected to a hacker attack isn’t the only technology-related risk faced by your business. An employee could leave a laptop in a car and return to find it stolen, or a trusted vendor could have a careless moment with sensitive information. And there is the now not-so-new threat posed by social media, which can quickly turn a small event into reputational damage.

One of the best ways to address all of this, according to Gazdik, is to build your cyber security plan into your business continuity plan—you’ll find a lot of time-saving overlap here—and on top of that, prepare a cyber-incident response plan to protect your business and meet any regulatory requirements that might apply. “Cyber risk management is so important we actually deliver resources with a self-assessment tool via our customer portal at Travelers.com to help our customers build their own core competencies,” says Gazdik.

The key, says Gazdik, is making sure your cybersecurity program stays aligned with your business strategies and your legal requirements. If you don’t have cybersecurity policies, you should develop them, and be certain that your employees and vendors are aware of them and follow relevant procedures. “Keeping your technological controls constantly updated is an important part of cyber risk management,” says Gazdik, “but just as important is to self-evaluate what types of information your business is compiling, and to classify it by sensitivity level to decide who has access to the various levels of information and what level of security should be provided for each sensitivity level.” And you can add to that list bricks and mortar security actions such as employee training, physical security, and access controls.

Into the breach
For a small business to have a risk specialist in its employ is unlikely, and in many cases, an independent insurance advisor could end up being a sounding board and de facto chief risk officer for your business. Think of it as a type of outsourcing. Even with that, your goal should be to have a complete risk management strategy.

“We have a flexible, available product suite that provides coverage if your small business suffers from a cyber event,” says DeHetre. “It covers the essential exposures for small businesses and can expand to a tailored product as your business grows and becomes more complex. The coverage and costs vary, so we recommend discussing the specific needs of your business with your independent [advisor].”

In short, Travelers can cover property issues and lawsuit and liability concerns—think of those as risk management essentials.


by Todd Riley
Advisor