There are more than 4,000 cyber-attacks each year aimed at small- to mid-sized businesses, many of which are exposed because they haven’t given cyber security a high enough priority, according to Stephanie Christensen, who heads up cyber and intellectual property crimes in California’s central district for the U.S. Attorney’s Office.
“The number of cyber attacks aimed at small-sized businesses is huge, because small businesses are seen as a soft target,” Christensen said.
She was speaking on Friday to an audience of mostly small- to mid-sized business owners, insurance professionals and others at an educational symposium called “Cyber: Prepare, Prevent, Mitigate, Restore.”
The symposium was hosted by the Travelers Institute, the public policy division of The Travelers Companies Inc., in collaboration with the RAND Institute for Civil Justice and The Sullivan Group.
The event was held at the Santa Monica offices of the RAND Corp., a nonprofit think tank.
The symposium focused on the current threat landscape for small- and mid-sized organizations and offered strategies for preparing for and responding to a cyber incident.
Christensen delivered the event’s keynote address.
That was followed by a panel discussion, “Tackling Evolving Cyber Threats,” moderated by Joan Woodward, president of the Travelers Institute and executive vice president of public policy at Travelers.
The panelists were Gerald J. Sullivan, chairman of the national insurance wholesale brokerage Gerald J. Sullivan & Associates, Lillian Ablon, an information scientist for RAND, Tim Francis, enterprise lead for cyber insurance at Travelers, and Will Rasmussen, director of the Brunswick Group.
Ablon cited RAND research showing that cyber attackers are getting more sophisticated, better coordinated and more numerous.
“Attackers are really outpacing defenders,” she said.
Among the topics Francis touched on was ransomware, in which hackers often take a company’s data and offer to return it for a fee.
“There are times in which we, working with our vendors, will pay some of it,” he said. “Ransomware is now the single most common event we see with our insureds.”
Francis said every claim is unique and that Travelers always works with its customers to get the best outcome.
He also said that research from the Travelers Institute shows it takes 266 days on average from an event to the realization by a company that it was hacked.
Sullivan introduced data from the Federal Bureau of Investigation Internet Crime Complaint Center’s 2016 Internet Crime Report, which showed cyber losses nationwide grew from $1 billion in 2015 to $1.4 billion in 2016.
The top crime type was non-payment/non-delivery, followed by personal data breach, the report shows. California topped the list with a reported 39,547 victims and a total loss of more than $255 million.
Sullivan noted that, according to the FBI, many cases do not get reported.
“This is a lot bigger problem than I think most people realize,” he said.
Sullivan also emphasized the importance of partnering with a firm that can offer quick and useful help once a cyber attack has occurred, such as taking a company through the steps of what to do after an attack, and where to go to report it.
He called such experts “the unhackers.”
Despite all the publicity cyber attacks get, there’s a tremendous need for more education and more information in this area, he said.
Sullivan, who deals with retail insurance agents, said the top question he gets from clients when discussing cyber insurance is: “Why does my client have to buy it?”
Rasmussen offered a few best practice suggestions, which include creating a crisis public relations plan.
He said the plan should define the roles people in the organization will play and everyone’s responsibilities, as well as a “playbook” to take a company through the first 48 hours after an attack, and how to deal with media questions.
“You should be able to mitigate as much of the reputational damage as you can,” he said.
Either some affected companies are doing a good job of handling the PR after a data breach, or there’s a low bar of expectation from consumers who have had their data stolen or affected, Ablon said.
According to a consumer poll conducted by RAND, 77 percent of respondents said they were happy with the way the breach was handled and only 11 percent said they stopped doing business with that company.
However, some companies haven’t done so well at getting the word out to customers affected by a breach as soon as possible.
According to the RAND poll, 44 percent of respondents learned about the breach from a source other than the affected company.
Francis said that in the early days of offering risk management to clients in regard to cyber events, the focus was on prevention, but as these events have become so prevalent, that focus has shifted somewhat.
“It’s more about what are you going to do if an event takes place,” he said.
Often these cyber events occur to outdated systems that should have been updated to prevent the attack.
According to Francis, the majority of hacks they have seen at Travelers were directed at a system vulnerability for which a patch was available for more than a year.
The Travelers Institute has held its “Cyber: Prepare, Prevent, Mitigate, Restore” educational series across the country since 2016, and it expanded the series to Canada this year.