Australian small businesses are reporting cybersecurity breaches at nearly twice the rate of their counterparts in the US but are still proving slow to embrace cybersecurity insurance policies, a small-business security expert has warned as new research suggests SMBs are leaving themselves substantially exposed to damages from unchecked breaches.
Symantec’s Cyber Security Survey included 1023 Australian business owners and operators and found that fully 19 percent – nearly 1 in 5 – had experienced some sort of cyber attack. This was almost twice the frequency of a similar survey of US SMBs by small-business online community Manta, which found that 1 in 10 had experienced a data breach despite 97 percent believing that they weren’t at risk of experiencing such a breach.
Released as National Cyber Security Awareness Month rolls to a close, such figures suggest that small businesses remain largely unprotected against cyber attacks and unaware of the real threat those attacks present, Mark Gorrie, territory manager for Symantec’s SMB-focused Norton business unit, told CSO Australia.
“I’m sure the takeup rate of traditional insurance policies like fire and theft would be very high across most businesses and have very low claim rates,” he said. “A lot of these people still look at the threat as a traditional virus that might attack one PC in their business, which they can get wiped and fixed again. The idea of a larger breach doesn’t really get thought about.”
Company size was closely correlated with the likelihood of having cyber insurance: while 14 percent of small businesses overall had policies, just 5 percent of microbusinesses (those with 1 to 5 employees, who paid on average $2222 for a year of cover) were covered.
By contrast, 30 percent of small businesses with 6 to 20 employees said they had cybersecurity insurance policies – which average around $3272 for such companies – in place.
Some 28 percent said they had purchased such insurance to protect against cyber attacks, 18 percent to guard against theft or loss of data, and 5 percent as a precautionary measure. Significantly, the policies were already being relied upon: of those with insurance, 19 percent said they had made a claim.
Australia’s cybersecurity insurance market has been slow to pick up by world standards, something that Symantec recently moved to address by partnering with Berkshire Hathaway Specialty Insurance Company to release an Australian cybersecurity policy that gives covered businesses rapid access to Symantec security specialists.
“We look at cyber insurance as another layer in the overall protection strategy,” Gorrie says. “Security software is very much a layered approach given how complicated the threat environment is: there are layers to the technology, and insurance is really another layer over the top.”
Consulting giant CSC – which just released a new white paper on the topic – is among the organisations pushing Australian businesses to get more proactive about cyber insurance.
Speaking in the wake of the release of the Symantec figures, CSC industry general manager for insurance Dr Michael Neary noted that cyber insurance “is now a board level discussion”.
“Cyber risk has materialised as one of the top challenges faced by companies worldwide,” he continued. “Many organisations believe they are covered for a cyber attack under the terms of their current insurance policies when, in fact, those traditional policies are somewhat ambiguous and therefore potentially inadequate when it comes to mitigating cyber risk.”
With the figures providing further evidence that breaches are indeed victimising Australian businesses, Gorrie believes the risk of a very real financial exposure – which will be exacerbated when Australia joins other comparable countries by passing pending breach-notification legislation into law – is likely to push many SMB owners to give evolving cyber-insurance policies another look.
Some 19 percent of the respondents said they were likely to purchase cyber insurance in 2017, including 11 percent of microbusinesses and 33 percent of small businesses. Yet as breach notification requirements kick in – and with them, the threat of penalties for noncompliance and the costs involved in activities such as notifying all customers of the breach – Gorrie believes those figures will continue to climb.
Industry has a role to play in increasing small-business awareness of the value of cyber insurance: “Insurers need to re-engage with clients and explain to them where they are currently exposed in terms of their coverage,” said Neary, noting that insurers should work through three key phases including threat intelligence gathering, risk assessment, and training.
“This could be achieved through a dedicated education campaign, which would help promote discussion and raise awareness of the potential threat of losses incurred as a result of insufficient cyber insurance coverage.”
Gorrie agrees: “There are a lot of opportunities for those insurance companies to raise awareness of this,” he added. “It’s evident that [security software vendors] are only part of the solution now. There is a real cost to business to respond to cybersecurity events – and if insurance companies can articulate what those costs are, the cost of a cyber insurance policy is relatively good value.”