You assume it’s going to be another day at the office. You walk into your small business, grab your coffee, and flip open your laptop expecting to work. But rather than your desktop lighting up, you are instead greeted by an ominous message: “Send us $10,000 or your customer data is gone.”
If this kind of cybersecurity attack once seemed implausible or even far-fetched, that time is long over. Attacks known as ransomware – in which a hacker holds your data ransom – are growing increasingly common. And these breaches don’t just happen to large companies. According to a 2019 Verizon report out of the U.S., 43 per cent of cyberattacks involve small business victims.
Securing data has become a fundamental responsibility for every organization. And for small and medium-sized businesses that may not have the capital, runway, or expertise to weather a serious breach, fending off cyberattacks can be a matter of survival.
But Donna Millingen, underwriting expert at Northbridge Insurance, says that many small businesses aren’t always doing enough to protect themselves.
“There’s almost a malaise around the topic,” she says. “Everyone thinks: ‘Oh this can’t happen to me’ or ‘I don’t have anything a cybercriminal would want, so I don’t need to worry about it.’”
Part of the issue, Millingen says, is around the word ‘cyber.’ Many small business owners assume that if their company doesn’t operate online, they're safe from attacks. But data breaches can happen to any business in any industry, even those that conduct themselves for the most part offline.
“Hackers don’t discriminate,” says Millingen. “Any data they can get is money to them. And it’s not just credit card numbers—they’re after any kind of personally identifiable information or potentially sensitive business data.”
If you’re hit, the effects of a breach can be catastrophic. Not only can your business’ reputation be compromised, undermining customer and supplier trust, but it can lead to complaints being filed with the Privacy Commissioner of Canada and even lawsuits. Perhaps most seriously, however, is a business may be forced to close while dealing with the breach and incur an array of response-related expenses that can be significant – and sometimes financially fatal.
According to Millingen, cybersecurity really comes down to protecting your data from the outside world. That can involve simple things like protecting your devices with strong passwords and avoiding opening spam emails, to more complex technical measures that protect your systems and data.
Another key frontline defense is cyber insurance. It’s something that every small business owner should consider, according to Joseph Hines, an account executive with Gallagher Insurance, a global commercial insurance brokerage serving both small and large businesses.
"Larger companies often have dedicated IT staff or entire cybersecurity departments,” he says. “In addition to that expertise, they tend to have greater access to resources, and if necessary, the capital and credit with which to weather a breach.”
This isn’t always the case for small businesses. “Uninsured losses directly impacting the balance sheet can add up to millions of dollars and be so detrimental that you might not ever be able to open your doors again,” Hines says.
As cyberattacks evolve and become more common, insurance coverage is becoming more specific, too. While standard insurance policies can provide some level of coverage, experts agree that the best protection comes from cyber-specific policies.
“Standard policies can exclude certain events, leaving you without the protection your business needs,” Hines says. “An insurance broker can help assess your risks and make sure you have the right policy in place to cover your worst-case scenario.”
According to Millingen, cyber-specific policies can also be vital when it comes to dealing with the complicated aftermath of a breach, including customer notification.
The Personal Information Protection and Electronic Documents Act (PIPEDA) requires all Canadian businesses to report any breach of security safeguards of personal information to affected parties. While this transparency is important, it can be daunting for a small business that may not know where to start.
“There’s a lot of anxiety and anguish whenever sensitive data is exposed,” says Millingen. “You have to act quickly to address the breach and protect your reputation. Having adequate coverage and access to resources that can help you through that process can be lifesaving.”
That support can include expert guidance on everything from restoring your data to help notifying customers, managing public relations and engaging other experts as needed. In some instances, you may also need to offer credit monitoring for affected parties to help stave off any misuse of their compromised information.
“That’s a lot to manage at the same time,” Millingen says. “And during that, you also need to keep your eye on actually running your business.”
That’s why both Millingen and Hines agree that cybersecurity should be a key part of business planning and not an afterthought—for today’s small, medium and large-sized businesses.
Advertising feature produced by Globe Content Studio. The Globe’s editorial department was not involved.