Despite awareness, small businesses still highly vulnerable to cyber attacks

Despite awareness, small businesses still highly vulnerable to cyber attacks

Despite awareness, small businesses still highly vulnerable to cyber attacks | Insurance Business America

Cyber

Despite awareness, small businesses still highly vulnerable to cyber attacks

Nearly half fell victim to a cyber breach last year

Despite improving preparedness, US small businesses are still highly vulnerable to cyber incidents. A new report shows that while the segment paid less to respond to a cyber incident last year, this was offset by increased attacks and breaches.

In its annual cyber readiness report, Hiscox revealed the median cost of cyber-attacks decreased for small businesses in the US from $10,000 in 2022 to $8,300 in 2023. At the same time, the median number of attacks has risen from 3 in 2022 to 4 in 2023.

Additionally, 41% of small businesses fell victim to a cyber attack in 2023, a rise from 38% in the 2022 report and close to double from 22% in 2021. US small businesses paid over $16,000 in cyber ransoms over the past 12 months.

For Chris Hojnowski (pictured), vice president and product head of technology and cyber, Hiscox USA, the rise is highly concerning.

“Forty-one percent isn’t that far off from a coin flip of it happening to you,” said Hojnowski.

How are small businesses faring against cyber attacks?

Hiscox polled over 500 US small business professionals and gauged their preparedness to combat cyber incidents. This was part of a global survey involving over 5,000 professionals responsible for their company’s cyber security strategy.

Some of the cyber readiness report’s key findings are:


Small businesses take cyber risk seriously and are protecting themselves. A third (33%) of US small businesses consider cyber risk high or very high, ahead of economic issues and competition. Bearing the risk in mind, more than half (53%) of SMEs have either a standalone cyber insurance policy or have cyber coverage through another policy.
Ransomware is costing small businesses in a big way. US small businesses paid over $16,000 in cyber ransoms over the past 12 months. For enterprises that paid ransoms, only half (50%) recovered all their data, and 27% of the time, hackers made additional demands for money.
Phishing is still the primary point of vulnerability. In ransomware attacks, the most common points of entry were phishing (53%), unpatched servers/VPN (38%), and credential theft (29%).

See also  The 10 best condo insurance providers in Canada

“The cost has decreased a little bit year over year, which is good from the eyes of people affected by cyber breaches,” said Hojnowski.

“With that said, the number of attacks has grown, so you’re getting a little bit of offset from how much these acts cost.”

Small business owners are getting smart, but so are cyber threat actors

New artificial intelligence (AI) developments have also undermined some tried and trusted ways of spotting phishing emails.

“We used to be able to identify phishing emails pretty easily because the grammar used to be not perfect, punctuation would be off – the emails would just seem off,” Hojnowski said.

“Now, with the implements of artificial intelligence and ChatGPT, there are ways of making emails sound more realistic.”

But he added that AI tools – and constant vigilance – can also help small business owners protect themselves.

“There are ways to protect yourself from it, such as an inbox scanner that can spot any bad links or a corrupted email address. But you always have to be looking and aware,” Hojnowski said.

The growing complexity of cyber-attacks also underscores the importance of additional investments in cyber security, training, and insurance. But while IT security spending has increased, there are still areas of vulnerability.

Hiscox’s report showed that despite a 10% increase in median IT budgets and a 24% increase in cybersecurity spending over the last 12 months, 59% of small businesses don’t use security awareness training. Further, 43% of the surveyed companies don’t have network-based firewalls.

“From a claims perspective, better-trained employees are your number-one defence against many types of losses. Training needs to be better in this space,” Hojnowski said.

See also  Vermont continues tradition of enhancing captive insurance regulations

For all business sizes, the US ranks second (behind France, 2.98) for cyber maturity, scoring 2.94. Regarding cyber expertise, 63% of small businesses in the US are intermediates, and only 4% are cyber experts, according to Hiscox’s survey.

What are your thoughts on Hiscox’s cyber readiness report for small businesses in the US? Please share them in the comments.

Related Stories

Keep up with the latest news and events

Join our mailing list, it’s free!