If your business depends on computer systems to operate, you need to understand the cyber risks you face and how they can impact your company. A cyberattack could leave you financially responsible for consumer losses and significantly impair your business operations for days or even weeks. In this article, we explain the different types of cyber risks and what you can do to reduce them.
What is cyber risk?
Cyber risk is the threat of data loss, property destruction or ransom demands resulting from a hack of your company’s IT systems. Cyberattacks can result in a financial loss or disruption to your business. They can also harm your brand’s reputation if consumers don’t feel their information is secure with your organization.
Cyber risks can lead to computer system failure and the unauthorized use of information. If an unauthorized person gains access to your computer system and databases, they can halt your operations or steal your information unless you pay a ransom. This is why you need to have the right cybersecurity.
Any business that transmits sensitive information between computers on a network connected to the internet is at risk of a cyberattack. One way to limit potential damage is to have a policy of data minimization – keeping only the data you need and allowing staff to access only the data they need to do their job. Then, if someone does hack into your network, they’ll be limited to seeing only what the user whose credentials have been compromised can see.
What are the types of cyber risks?
Cyber risks are not limited to external threats from bad actors. A business must also deal with internal threats that can compromise data or systems.
Internal cyber risks
While most employers want to believe their employees are trustworthy, there are several types of internal risks you might face. These could come from either a current staffer or a former one who has access to your IT systems and can use that access in an adversarial way. These risks could also arise as a result of a lack of awareness and poor training.
These are some common internal cyber risks to be aware of:
- Employee sabotage and theft: Employee fraud and disruption can be committed by a current or former employee who accesses your systems to obtain information to harm the company. Some information may be used to poach employees, while other information could damage your business if it’s disclosed in public forums.
- Unauthorized access: Staffers could obtain access to systems they shouldn’t have access to. They may change the permissions of others or deactivate network security tools.
- Unsafe business practices: When network servers are left in unlocked rooms or users are not properly logging off devices, businesses are left vulnerable to attack.
- Accidental loss or disclosure: Team members may unwittingly disclose sensitive information. This could be by accidentally adding an unauthorized person to a confidential email chain or leaving a company laptop at a coffee shop.
- BYOD (bring your own device): Many businesses would not dream of allowing staff to bring in their own devices to connect to the company network because of the security risks involved, but other organizations are OK with it. Beware: your network is doubly at risk if you allow this. First, poor security on the team member’s device might give hackers another way into your system. Second, any malware on the device may be transferred to your network. These are often referred to as “endpoint attacks.”
Conducting background checks on potential new hires can reduce your internal cyber risks.
External cyber risks
The other serious threats businesses face come from external cyberattacks, where bad actors attempt to steal data or compromise operations. If you’re subject to such an attack, it can be hard to tell exactly how your defenses have been breached. It can also take weeks or months before you realize you’ve been attacked.
These are the most common external cyber risks:
- Password theft: Despite decades of warnings, many people, including system administrators, still use easy-to-guess passwords. Passwords can also be stolen via phishing attacks and malware like keyloggers.
- Phishing schemes: Nefarious individuals send fraudulent messages that convince unsuspecting employees to click on links within them and disclose personal or proprietary information, such as passwords and payment details. Phishing attacks can also happen on the phone with, for example, hackers pretending to be from a company’s IT department and asking one of your employees for their network access credentials. [Read related article: How Companies Are Detecting Spear Phishing Attacks Using Machine Learning]
- Malware attacks: These are viruses that attack your IT systems and can potentially execute unauthorized actions. Standard examples include keyloggers that transmit individual users’ keystrokes back to hackers. Malware is often downloaded during a “drive-by attack,” which involves the automatic download of malware to a person’s device when they visit an infected website.
- Zero-day exploit: No matter how well programmed, every app, website and piece of software has vulnerabilities. Zero-day exploits are hacks that cyber criminals discover and software developers currently don’t know exist.
- Inadequate patch management: When software developers become aware of vulnerabilities, they release patches to fix them. However, your company is protected only if you download and install the patches.
- SQL injection: Login pages, search boxes and feedback forms on websites use SQL. So do some HTTP headers and cookies. One way for cyberattackers to get into your system is to insert malicious SQL queries into a form that can later be used to manipulate or destroy a company database.
- Formjacking: These are similar to SQL injection, but instead of targeting the forms on a site, they inject malicious JavaScript code into online forms on legitimate websites to grab sensitive details like personal and financial data.
- Traffic interception: It’s possible for cybercriminals to intercept and monitor data that’s sent over a computer network. They can capture a wide range of information, from personal details to login credentials.
- “Man in the middle” attacks: Similar to traffic interception, this is when a hacker fools a user into logging on to their network. For example, if a member of your team is in a public area, like a coffee shop, and attempts to connect to the shop’s free Wi-Fi, they may actually be logging on to a bogus network set up by a bad actor.
- IoT (Internet of Things) attacks: Fridges, printers, security cameras and more now connect via Wi-Fi to computer networks. Often, the security on these devices is low because companies don’t see why a hacker would target them. The reason they do is because they can use them as funnels to gain access to your wider network.
- Malvertising: This is a type of malware that redirects users to malicious websites. Code is deployed on a publisher’s website that mines data about users for further ad targeting.
- Cross-site attacks: These attacks take advantage of vulnerabilities in web apps to run malicious scripts in users’ browsers. For example, if you allow customers to talk to each other via an online forum, a hacker might insert bad code into a forum post that then triggers an action in the browser of another customer using the forum. They can hijack user accounts with this approach, including users with admin privileges.
- Water hole attacks: Water hole attackers go after commonly used resources shared by specific groups of users. For instance, many people in your company may log in to a social media network like LinkedIn or a vendor portal. Cyberattackers can insert malicious scripts into these sites, infecting your users’ computers when they next visit them.
- DDoS attacks: A distributed denial-of-service (DDoS) attack disrupts the normal traffic to a website. This is a type of malware where a botnet overwhelms your website and prevents consumers from using it.
- Cryptojacking: This is when a hacker uses your computing resources, usually via malware, to mine for cryptocurrency. This can damage your PC hardware, slow down your network and substantially increase your electric bill.
- Ransomware: A type of cyber extortion, this kind of malware locks up system operations and renders websites and networks unusable until a ransom is paid. This offense is becoming more common, as many cyber insurance carriers find that paying the ransom is less expensive than remediating the attack. [Learn how to protect your business from ransomware.]
- Trojan virus: Trojan viruses disguise themselves as legitimate programs. When installed, they can create backdoors to download other malware or steal information.
- Supply-chain attacks: Companies sometimes require clients to place orders with them or send invoices for work done via a custom app that’s updated regularly for various reasons. In a supply-chain attack, hackers target this type of program so hundreds or thousands of businesses and clients may end up downloading the infected app when a new update is rolled out.
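The SQL injection entry above describes input from a login form being spliced into a database query. The following added example (not code from the original article) shows the flawed pattern beside the parameterized form that fixes it, using a constructed in-memory SQLite table; the user and hash values are sample data.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample table standing in for a site's user store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "hash-of-alice-pw"), ("bob", "hash-of-bob-pw")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """The flawed pattern: the form value is pasted into the SQL text, so a
    quote character in the input changes the structure of the query itself."""
    sql = f"SELECT username FROM users WHERE username = '{username}'"
    return sorted(row[0] for row in conn.execute(sql))


def lookup_parameterized(conn: sqlite3.Connection, username: str) -> list:
    """The fix: the driver binds the value separately from the query text,
    so the input is only ever compared as data, never parsed as SQL."""
    sql = "SELECT username FROM users WHERE username = ?"
    return sorted(row[0] for row in conn.execute(sql, (username,)))


def compare(username: str) -> dict:
    """Run the same form input through both versions side by side."""
    conn = make_db()
    return {
        "vulnerable": lookup_vulnerable(conn, username),
        "parameterized": lookup_parameterized(conn, username),
    }


if __name__ == "__main__":
    # A normal login name behaves the same in both versions.
    print(compare("alice"))
    # Input containing a quote and an OR clause: the vulnerable query now
    # matches every row; the parameterized one matches none.
    print(compare("' OR '1'='1"))
```

In a real login handler the same rule applies to every value that reaches the database, including headers and cookies as the article notes; a code review that searches for string formatting next to `execute(` is a quick way to find the flawed pattern.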
These threats to companies of all sizes are very real. In 2023, MGM Resorts fell victim to a ransomware attack that started to cause problems with its computer systems. This resulted in guests being unable to get into their rooms and gaming floor malfunctions. In the end, the consequences of the attack cost MGM $100 million, although the company is confident the incident will ultimately be covered by its cybersecurity insurance – a protection we explain below.
Conducting a cyber risk assessment and consulting an IT professional can help you understand your business’s vulnerability to a cyberattack.
What is the financial impact of cyber risks?
The potential financial impacts of cyber risks on a company are huge. Even a minor attack can force a business to pay for lost or stolen data records, with an average cost of $150 per stolen record. According to research by IBM, the average cost of a data breach in the United States in 2023 was $4.45 million.
Even if the financial consequences are not as high for a small business, smaller companies still need to brace themselves for lost revenue due to a compromised operating system being shut down for days or weeks. Plus, even after a business restores all systems, consumers may be wary of working with a company that recently experienced a data breach or cyberattack, afraid that their personally identifiable information (PII) is not safe. That, too, will impact your bottom line.
How to reduce your company’s cyber risks
Creating a robust cybersecurity plan for your small business will reduce the risk of cyberattacks and thus the risk of financial and reputational losses. While you can’t prevent every cybercrime, you can do a lot to ensure your business is not harmed. Here are 13 ways to reduce your company’s cyber risk:
- Update your computer systems, apps and other programs regularly. When you don’t update, gaps begin to form that allow things like malware to infiltrate your system. Make sure your antivirus security is up to date, and regularly update your operating system to prevent these gaps from forming.
- Replace software that’s no longer being updated. If an app or software you’re using is no longer being updated, talk to your team about switching to a new product. Having deprecated software on your server and devices is a significant security threat.
- Protect outbound data. Most business owners protect themselves only from data coming in. You should also protect outgoing data with encryption and other tools to prevent the accidental release of sensitive data by employees.
- Train your employees. Make sure your employees understand what cybersecurity risks exist and how to be on the lookout for them. This is especially true for things like phishing schemes that may be received by gullible workers who haven’t been trained not to click on suspicious links.
- Develop strong passwords. Create complex passwords that cannot be guessed. Make sure your system administrator’s password is different from the server’s password. You don’t want to make it easier for hackers to gain access to the entire server. You may also want to consider using a reputable app to manage users’ passwords across the business.
- Encrypt data. When sending or storing data, encrypt it. This means data isn’t saved in a normal text format, making it harder to be misused. As more companies use off-site servers, cloud encryption is particularly important, as the transmission of data between your network and your cloud provider is another potential attack vector.
- Limit login attempts. Hackers will use bots to work on cracking passwords indefinitely. You can stop them by limiting the number of login attempts allowed to access your data or server systems.
- Use dual-factor authentication. This is similar to the technology where banks and credit card companies text you a four- or six-digit code to verify your identity when you make a purchase online. You can set up your computer system so that whenever a colleague logs in, they have to provide an additional form of verification, such as a unique numerical code.
- Implement a kill switch. A kill switch allows an IT professional to shut down all access to servers or pull websites offline when a threat is detected. This gives you time to address the threat before it can do any damage.
- Don’t store credit card information. Don’t risk a hacker collecting your customers’ credit card data. Never store this sensitive information in any database you maintain, and enact strict policies so your employees never do it either.
- Back up your data regularly. Take the time to conduct regular data backups. This will make restoration much easier if you do fall victim to a cyberattack.
- Establish a connected asset register. Regardless of whether you allow staff to use their own devices, consider setting up a register of permitted devices. This means no unauthorized (unregistered) device can log in to your network. You’ll also be able to use the registry to quickly restrict access so former employees and contractors can no longer gain entry.
- Set up a separate public network. Particularly in the leisure and hospitality sectors, customers today expect you to provide free Wi-Fi access. Offering it can give you a competitive advantage, but you should provide it over a separate network that doesn’t use the business Wi-Fi your team uses to manage sensitive data. [Find out how to set up business Wi-Fi.]
SMB budgets for cybersecurity vary in complexity and cost depending on the types of risks individual companies face. If you don’t have an IT department or are not confident with IT as an owner, you should call in a cybersecurity expert to advise you on creating a cybersecurity plan, setting an appropriate budget and rolling out protections.
How cyber liability insurance can help
Since you can’t predict if and when a cyberattack will occur, it makes sense to have cyber liability insurance. A cyber insurance policy can pay for financial losses and expenses stemming from:
- Business interruption
- Ransom demands
- Attack investigations
- Hiring a PR firm to deal with the public fallout
- Regulatory fines
- Customer notification costs (which can range from $0.50 to $5 per person)
- Customer credit monitoring (which can range from $10 to $30 per person)
- Legal defense and any judgments or settlements
On top of paying for losses and damages, many insurers will help businesses remediate their losses as quickly as possible. This means they use their internal teams to help halt the progress of viruses and malware, with the goal of minimizing the ultimate costs to both your business and them.
An insurer will want to carry out a cyber insurance risk assessment on your business to see in which areas you’re most vulnerable prior to quoting you a premium.
Can you be penalized for cyberattacks?
The Federal Trade Commission is tasked with protecting America’s consumers, and it’s every business owner’s responsibility to make sure their consumer data is protected. If it isn’t, you may be held liable and face the risk of fines and, in egregious cases, jail time.
The FTC recommends business owners assess the types of consumer information they collect and keep, keep only what is necessary, and lock that data, either electronically or physically. When the information is no longer needed, you should discard it by shredding it or using a data-deletion service.
However, it isn’t just FTC fines that a business may have to deal with in the event of a data breach. You could face these additional penalties.
- Fair and Accurate Credit Transaction Act (FACTA) fines of up to $2,500 per violation at the federal level and up to $1,000 at the state level
- Civil penalties of up to $3,500 per violation
- HIPAA penalties of up to $50,000 per violation for erroneous disclosures and up to $50,000 plus one year in prison for criminal wrongful disclosures
These are just a few of the penalties businesses could face after a cyberattack. Most small companies can’t afford these types of fines, nor can they afford to lose an estimated 20 to 30 percent of their customer base from the fallout of a data breach. Keeping consumer data private and having insurance to help protect against financial losses are critical in the digital age.
Who commits cybercrimes?
Cybercriminals come from various backgrounds. Some cybercrimes are committed by former employees looking to get revenge on a business that fired them. You can prevent this type of crime by revoking system access as soon as an employee is terminated.
Sometimes, attacks come from industry rivals trying to steal your commercial secrets or find information to portray your business in a negative light. There are also activist organizations that believe they are helping society by hacking and harming certain companies.
Some security risks simply arise from careless mistakes made by employees, especially those who work for businesses that haven’t implemented the right security policies and training. Still, the majority of cybercrimes are committed by those who intend to profit from hacking by selling data on the dark web, demanding a large ransom or funneling credit card transactions to a third-party account they control.
Kimberlee Leonard contributed to this article.