
The news always reports when big companies come under attack. In 2024, it was Ticketmaster, where a breach exposed the personal and payment information of over 560 million customers. AT&T followed soon after with multiple breaches affecting over 110 million, compromising customers' names, phone numbers, and addresses. Shortly after, a ransomware attack on UnitedHealth Group (Change Healthcare subsidiary) impacted 190 million people in what was called the worst healthcare breach in U.S. history. (1)
Jump forward to 2025: PowerSchool, an online student database used across the country and right here on Delmarva, made the news with a breach that exposed student records and Social Security numbers. August 2025 was a busy month. Google's breach exposed business customer data, leading to warnings for its 2.5 billion Gmail users due to the potential for follow-up social engineering attacks; the Air France-KLM breach was reported; and the credit reporting company TransUnion experienced a data breach, all in one month. (1)
Cyberattacks are becoming more frequent and complex, and businesses of all sizes and industries are potential targets. The truth is, cybercriminals are going after small businesses more and more, since they hold many of the same types of sensitive information as larger enterprises but often have weaker cybersecurity defenses. Verizon’s Data Breach Investigations Report found that 43% of all cyberattacks target small businesses, and 60% of those victims go out of business within six months of the attack. (2)
Even if a small business survives a cyberattack, there can still be devastating consequences, such as high costs, reputational damage and unanticipated downtime. A Small Business Administration survey found that 88% of small business owners feel their business is vulnerable to a cyberattack. (3)
To best combat these risks, it is important for small business owners to be aware of common cyberthreats they may face, including:
- Phishing—Phishing is a type of cyberattack that utilizes deceptive emails or other electronic communication to manipulate recipients into sharing sensitive information, clicking on malicious links or opening harmful attachments. While emails are the most common delivery method for phishing attempts, cybercriminals may also use text messages, social media messages, fake or misleading websites, voicemails
- Business email compromise (BEC)—A BEC scam entails a cybercriminal impersonating a seemingly legitimate source—such as a senior-level employee, supplier, vendor, business partner or other organization—via email. The cybercriminal uses these emails to gain the trust of their target, tricking the victim into believing they are communicating with a genuine sender. From there, the cybercriminal convinces their target to wire money, share sensitive information (e.g., customer and employee data, proprietary knowledge or trade secrets) or engage in other compromising activities.
- Malware—Malware is a general term that describes viruses, worms, Trojan horses, spyware, adware, rootkits and other unwanted software or programs. Once a malware program has gained access to a device, it can disrupt normal computing operations, collect information and control system resources.
- Insider threats—Workers with access to sensitive information, including contractors who have access to the company’s network, may be aware of existing security weaknesses and can exploit them more easily than an outsider.
- Password attacks—Using weak or easily guessed passwords or using the same password for multiple accounts can result in compromised data. Over 70% of employees working at small businesses have had their passwords stolen or compromised, according to data from the Ponemon Institute.
To limit the risk of cyberattacks, small business owners should implement the following cybersecurity best practices:
- Employee education—Employees are the most significant cybersecurity vulnerability to any organization, including small businesses. Workforce cybersecurity education is essential to teach employees to identify phishing attacks, social engineering and other cyberthreats.
- Security software—A network firewall can prevent unauthorized users from accessing company websites, email servers and other sources of information accessed through the internet. In addition, high-quality antivirus software can perform automatic device scans to detect and remove malicious software and provide protection from various online threats and security breaches.
- Multifactor authentication (MFA)—Important accounts, including email, social media and banking apps, should require MFA to limit the opportunity for cybercriminals to steal data.
- Data backups—Essential files should be backed up in a separate location, such as on an external hard drive or in the cloud. As cyberthreats become more frequent and severe, small businesses should take protective measures to secure all company, personal and financial information.
The Value of Cyber Insurance
As cyberattacks become more frequent and costly, it’s critical for organizations to maximize their financial protection against related losses by purchasing sufficient insurance coverage. Also known as cyber liability insurance, cyber coverage can help pay for a range of expenses that may result from cyber incidents—including (but not limited to) data breaches, ransomware attacks and phishing scams.
Specific cyber insurance offerings differ between carriers and organizations’ coverage needs may vary based on their particular exposures. In any case, cyber insurance agreements typically fall into two categories: first-party coverage and third-party coverage. It’s best for policyholders to have a clear understanding of both categories of coverage in order to comprehend the key protections offered by their cyber insurance.
First-party Coverage
First-party cyber insurance can offer financial protection for losses that an organization directly sustains from a cyber incident. Losses covered by first-party coverage include:
- Incident response costs—Can help pay the costs associated with responding to a cyber incident. These costs may include utilizing IT forensics to investigate the breach, restoring damaged systems, notifying affected customers and setting up call center services.
- Legal costs—Can help pay for legal counsel to assist with any notification or regulatory obligations resulting from a cyber incident.
- Data recovery costs—Can help recover expenses related to reconstituting data that may have been deleted or corrupted during a cyber incident.
- Business interruption loss—Can help reimburse lost profits or additional costs incurred due to the unavailability of IT systems or critical data amid a cyber incident.
- Cyber extortion—Can help pay costs associated with hiring extortion response specialists to evaluate recovery options and negotiate ransom payment demands (if applicable) during a cyber incident.
- Reputational damage—Can help pay for crisis management and public relations services related to a cyber incident.
Third-party Coverage
Third-party cyber insurance can provide financial protection for claims made, fines incurred or legal action taken against an organization due to a cyber incident. Types of third-party coverage include:
- Data privacy liability—Can help recover the costs of dealing with third parties who had their information compromised during a cyber incident. These costs may include handling third-party lawsuits or legal disputes, offering credit-watch services and providing additional compensation.
- Regulatory defense—Can help pay fines, penalties and other defense costs related to regulatory action or privacy law violations stemming from a cyber incident.
- Multimedia liability—This coverage can help reimburse defense costs and civil damages resulting from defamation, libel, slander and negligence allegations associated with the publication of content in electronic or print media. Multimedia liability coverage can also offer protection amid copyright, trademark or intellectual property infringement incidents.
For more small business insights and risk management guidance, contact our Commercial Department today.
Don’t Become a Statistic!
You may not think that you need Cyber Liability Insurance, but if you run a business, collect payments (whether with Square or another payment platform) or have a client management system that holds Personally Identifiable Information (PII), you could be at risk. From accountants to veterinarians to salon owners and even small business retailers, you are more at risk because just having a name, phone number, email and/or address is considered PII, plus you take payments.
According to the latest industry research, more than half of small businesses close their doors within just six months of experiencing a cyberattack. (3) You are less likely to have cybersecurity guardrails and trained staff in place, and small businesses in particular find it more challenging to recover from cyber losses. With these findings in mind, it’s evident that organizations simply can’t afford to ignore the importance of cybersecurity and the need for protection.
References
(1) American Hospital Association
(2) Allianz
(3) Zywave






