The Most Common Cyber Risk Myths Debunked

The COVID-19 pandemic has forced many small business owners to move online, whether this means having employees work remotely or opening an online store to continue operations. According to Statistics Canada, 40 per cent of Canadians were working from home when lockdowns were enforced in early 2020, compared to less than 10 per cent in 2018. Although this may drive productivity and result in increased sales for your business, you may be more vulnerable to a cyber attack as hackers look to steal valuable information.

To better understand how small business owners perceive their cyber risks, we partnered with Leger, a Canadian market research and analytics company, to conduct a survey of 422 businesses representing different industries in September 2020. We found that only 29 per cent of businesses believe they are at a high risk of a cyber-attack and only 15 per cent have implemented preventative IT and employee training. When it comes to investing in cyber risk or data breach insurance, only 15 per cent of small businesses have done so.

What can your business do to reduce the risk of a cyber attack and how can insurance help? To answer these questions and help you navigate the world of cybercrime, we look at some of the most common cyber risk myths and debunk them with statistics and examples. Learn more about how your cyber risks myths have evolved during the COVID-19 pandemic in our cyber risk guide.

Myth #1: Data doesn’t need to be backed up regularly.
When you back up your data, you create a copy that can be recovered in the event of a cyber attack. Proper back up storage involves saving your information to a separate system, such as an external drive or USB stick.

Only 15 per cent of small businesses we surveyed had implemented preventative IT and employee training.
If your business falls victim to ransomware, which locks you out of your own data,= the hackers responsible may attempt to ransom it back to you. If you happened to back up all your information a day before the cyber attack, your business would be in a better position to recover.

However, if you last performed a backup one month ago, there’s a greater chance that you’ll be locked out of important data, making it much harder for your business to resume operations. Ideally, your backed-up data is recent enough that you don’t even need to pay the ransom to get your locked data back. Instead, you can simply proceed with your backup version.

Myth #2: Customer data only needs to be protected if it’s related to financial information.
Most cyber breaches involve accessing and stealing data that’s vulnerable and exposed, whether they’re files, documents, or other sensitive information. This could be your information or your customers. Examples of types of data that could be stolen from you include:

1. Financial information, such as credit card or bank details
2. Confidential business information, such as login credentials and passwords
3. Personal health records, such as medication requirements
4. Sensitive personal information, such as addresses and phone numbers
5. Intellectual property, such as copyrighted materials, patents, and trademarks
6. Even though businesses may be more likely to protect customer data of a financial nature, the reality is that all customer data is worth protecting equally. This is because hackers and other criminals don’t need financial information to seriously damage a person’s finances.

Most cyber breaches involve accessing and stealing data that’s vulnerable and exposed, whether they’re files, documents, or other sensitive information.
If a cybercriminal obtains credit card information, how long is their window of opportunity to use it for illegal activity? While it could take a month or two for customers and companies to realize a card was compromised, the card can be cancelled quickly. However, what if that same hacker was able to gain access to names, emails, and home addresses, then checked online sources such as social media sites to gather enough personal information to commit identity theft? That kind of crime can take victims years to recover from.

Scenarios like the one above highlight some of the reasons that businesses have been hit with class-action lawsuits after their data was breached, even though none of the compromised information was finance related.

Myth #3: A class-action lawsuit is the biggest risk to a business whose customer information has been hacked.
If your customer data gets leaked to the public and the customers impacted decide not to file a class action suit, does that mean the business is in the clear? The answer, unfortunately, is absolutely not.

Cyber attacks, even without class action or other lawsuits, can severely damage a company’s reputation. Existing and potential customers may distance themselves from the hacked business as a precaution. Enlisting reputation-management professionals to handle the crisis can be a significant cost. Recovering your compromised data from the cyber criminals and restoring it to your systems isn’t something you’ll want to do alone, and will require the assistance of IT professionals. Since it may take a while to get your business back up and running after a cyberattack, the amount of potential revenue lost during that process can quickly add up.

In short, lawsuits are a risk to businesses that have undergone a cyber attack but they aren’t necessarily the only one, as other risks can be quite problematic as well.

Only 11 per cent of small to medium sized businesses have purchased cyber risk or data breach insurance.

Myth #4: A business that stores electronic data isn’t better off with cyber insurance.
Many small business owners believe they don’t need cyber risk or data breach insurance, or they haven’t thought about purchasing this coverage.

The reason cyber insurance is worth thinking about and getting is because it can help a business with every scenario mentioned above. If you forget to back up your data or have your information stolen, insurance can help you recover and get back to business as quickly as possible. If you need to hire a reputation-management professional after your business gets hacked, insurance can help you cover the costs. If you can’t operate while getting your business back up and running following a cyberattack, business interruption insurance can be included in your policy. Even if you end up facing litigation as a result of your customer data being leaked, insurance can help with the legal fees.

This blog was originally published by Trushield Insurance. Trushield Insurance is a partner of the Canadian Chamber’s Business Protection Program, through this partnership Trushield offers insurance for chamber network small businesses. This blog is provided for information only and is not a substitute for professional advice. We make no representations or warranties regarding the accuracy or completeness of the information and will not be responsible for any loss arising out of reliance on the information.