Small businesses become increasingly popular cyber targets

By Erin Ayers on March 26, 2015

Cyber incidents experienced by small to medium-sized businesses hit an all-time high in 2013, with 1,197 cases stemming from 1,030 events, according to Advisen’s Loss Insights Database. A slight decrease in the number of cases and events in 2014 may reflect a focus on larger, higher-profile targets, but 2015 has already produced 139 cases against smaller businesses in the first few months.

When it comes to the type of data lost to cybercriminals, smaller businesses face the same types of risks as larger ones, with personal financial information and personal privacy the most popular targets. However, smaller businesses showed a slightly higher percentage related to corporate loss of business income, perhaps relating to those organizations being less able to bounce back from a cyber attack.

A 2014 joint report by The Hartford and Advisen highlighted the lack of awareness among some small-business owners, noting, “The cost and complexity of notification increases with the number of states in which a SMB does business since they are subject to the laws of each state where customers are located. Complying with the regulatory requirements of various states requires a tremendous amount of coordination, time, and resources, which many SMBs simply do not have.”

Cyber attacks generally take the same forms against smaller businesses as against higher-revenue firms, with servers, printed records, websites, laptops, and email programs at risk. Smaller organizations are slightly more likely to experience an attack via their website than larger ones, and slightly less likely to lose printed records. Following server attacks, the all-encompassing “other” category comprises the most frequent cause of loss. According to Advisen data, this category can include automated teller machine skimming attacks, cloud data, social media, mobile devices, and violations of telecommunications laws.

While organizations with revenue over $1 billion that experience cyber events tend to fall into the “services” category, the range of businesses with revenues less than $1 billion that are targeted is much more diverse in its operations. The most common industries to be targeted fall nearly evenly into the services (29 percent) and financial, insurance, and real estate sectors (26 percent). This may account for the appealing array of data tallied by the financial services industries, but again, may reveal that there can be fewer resources or lower awareness for cybersecurity at smaller organizations.

erin.ayers@zywave.com

Erin is the managing editor of Advisen’s Front Page News. She has been covering property-casualty insurance since 2000. Previously, Erin served as editor-in-chief of The Standard, New England’s Insurance Weekly. Erin is based in Boston, Mass. Contact Erin at [email protected].