Small and medium-sized businesses (SMBs) like to prepare for business downturns and other contingencies that can affect their profits. Where the benefits justify the cost in view of the assessed risks, they can procure insurance to ward off losses associated with the worst of those contingencies. Many SMBs, however, do not know how to assess their cybersecurity risks, leading them to ignore those risks and to expose themselves to potentially ruinous losses and liabilities.
An SMB can evaluate its cybersecurity by asking a few simple questions.
First, does the SMB have a cybersecurity action plan? An SMB that has not developed a protocol for responding to a cyberattack will be more likely to make wrong decisions that open it to greater liabilities as the cyberattack progresses. A good action plan will include, at a minimum, antivirus and firewall protections to minimize damage, data encryption strategies and password guidelines, employee cybersecurity education, and the identities, duties, and responsibilities of team members who are assigned to respond when an attack is noticed. SMBs might have one or two pieces of a plan, but those pieces might be more of an afterthought than an integral part of the SMB’s overall operations.
Next, is the SMB aware of how often small businesses are targeted by hackers? In 2016, more than 40 percent of all cyberattacks worldwide targeted businesses that had fewer than 250 employees. An SMB that believes it is not a likely target for a hacker will likely not be cyber secure because its owners will be less likely to take precautions against a threat that is not perceived to be very large. SMBs are tempting targets for hackers because they maintain unprotected digital files that include large amounts of personal and financial information about customers, and provide a stepping stone into larger companies that they do business with.
Further, how would the business fare against a white hat hacker? Not all hacking is malicious. White hat hackers offer their services to test a client’s network for weaknesses and gaps that would entice cyberattackers, often using the same tools and techniques used by those attackers. An SMB that is afraid of what a white hat hacker would uncover is not cyber secure.
Do employees understand their role in an SMB’s cybersecurity plan? The universal belief is that employees in businesses of all sizes are the weakest link in any cybersecurity structure. If the SMB’s employees are using weak passwords or are not changing passwords regularly, if they use company workstations to open attachments in emails from unfamiliar sources, or if they use unsecured public Wi-Fi hot spots to conduct company business while away from the office, they are demonstrating poor knowledge of how they are exposing the SMB to greater cybersecurity risks. An SMB should conduct regular cybersecurity education with its employees to elevate its cybersecurity profile.
Lastly, could the SMB survive and recover from a successful cyberattack? The generally accepted statistic is that 60 percent of SMBs are no longer in business within six months after they experience a cyberattack. A cyberattack can cause tens or hundreds of thousands of dollars in direct damages and lost business, while exposing the SMB to third-party liability from customers whose personal and financial data might have been compromised because of the attack. Few SMBs are sufficiently capitalized to pay these costs and liabilities and to move forward as a going concern.
In this event, a cyber risks insurance policy can be the difference between staying in business and closing shop. The risks of an SMB’s being a target of a cyberattack are very high, and the potential losses in almost every case are ruinous. A straightforward cost-benefit analysis will verify the value of cyber risks insurance for every SMB.