Even a small business must manage its cybercrime risks


The recent cyberattack on Colonial Pipeline that resulted in a shutdown of oil and gas distribution on the East Coast — and a ransom of $4.4 million — graphically and tragically demonstrates how vulnerable we are to cyberattacks.

Yet, there is a risk management solution!

Small business owners frequently ask, “Why should I care? My business is too small to be a target!”


Cybercrime adversely affects small business for two principal reasons:

  • Most small businesses are easy targets because they are ill-prepared, with little or no system protection; and
  • Most hackers are ill-prepared to hack the sophisticated systems of major firms.

Targets by industry have been, according to Beasley PLC:

  • Healthcare (29 percent)
  • Professional services (14 percent)
  • Financial institutions (11 percent)
  • Manufacturing (8 percent)
  • Education (8 percent)
  • Retail (8 percent)

These incidents and attacks have increased 148 percent in the past year “fueled by the pandemic.” The average ransom demand this past calendar year was $154,108, according to Marsh LLC.

That’s the bad news — but there is a good-news dimension to this devastating risk, should your business become a target! It’s called risk management — an essential leadership discipline. Fortunately, it’s not complex.

It involves these four logical steps:

1. Risk Identification and Measurement — addressing the vast array of risks facing your business, including every risk from fire to liability to all crimes, cybercrime included. Measurements are usually in terms of dollars to be lost — including ransom.

2. Risk Control — elimination, avoidance and reduction of the risks you face.

3. Risk Assumption — either total assumption of low-level risks of high probability or partial assumption of other risks with deductibles and Self-Insured Retentions (SIRs).

4. Risk Transfer — either to non-insurers (contractors, tenants, certain customers, etc.) by “hold harmless” clauses in written contracts, or to a commercial insurer via an insurance policy. Premium payments for insurance are logically the very last step in this process — used only for risks remaining after all other alternatives have been applied.

That’s it. Easier said than done, of course — yet clearly doable.

The cybercrime risk has two dimensions — direct and indirect property losses sustained by your business, plus third-party liability to others for hackers’ access to customers’ sensitive data. Precise measurement is not possible. Yet major dollar losses can easily be envisioned, even if you refuse to pay any demanded ransom.

Control of this risk is where your major focus needs to be placed. Your IT professionals, of course, must be brought into this part of the process. Some, but by no means all, of the steps include:

  • Prohibit personal devices from connection to your business system;
  • Extend company security protocols to individuals working from home;
  • Train employees to detect phishing;
  • Keep back-ups inaccessible to outsiders;
  • Encrypt files;
  • Use two-factor authentication; and
  • Take advantage of services insurers offer to mitigate cyber security risks.

After risk control measures are in place, your ability to transfer most, if not all, of your residual cybercrime risk to others is your next, and final, step in the risk management process. Most likely, your sole option is commercial insurance.

You should address this risk in detail with your insurance broker or agent. The major points you need to consider are:

  • Unlike most other business insurance, there are no standard forms. Therefore, your broker needs to show you the different elements and scope of coverage offered by each of the multiple insurers under consideration. Brokers represent multiple insurers and can access specialty insurers, while agents typically can access only one carrier;
  • Both direct loss of your data, including ransom, and misuse of your customers’ data need to be considered; and
  • Lower premiums should be offered by virtue of the risk control measures you have in place.

Now, it’s your turn. Do you prefer to continue to assume this major risk or initiate reasonable, effective steps to mitigate and transfer this risk?

Reviewing this risk with your insurance broker and IT consultant should be a high priority for you.
