Woman with eye glasses with a computer reflection of data and cyber
© HSB Canada

The biggest cyber threat largely ignored by small businesses

    alt txt



    A Q&A with Zair Kamal, Treaty Product Manager and Cyber Expert for HSB Canada

    What is the biggest cyber threat largely being ignored by small businesses?

    Connected network of email reach
    © Getty Images

    I believe it’s the human element. An organization can have all the technology in place but if one person doesn’t know what to do with that technology or isn’t educated on cyber risks, the technology can become impractical.

    Take social engineering for example, and in particular, phishing attacks through emails. With 129 billion business emails exchanged every day,1 a quick and easy attack could result in large payouts to bad actors. All it takes is for one key individual to be duped into transferring money to a criminal posing as the company’s senior executive. Or it could take just one colleague to click on a phishing email’s hyperlink, accidentally downloading malware to infect an entire network.

    Apart from phishing, what are other human vulnerabilities?

    Security padlock in network space
    © Yuichiro Chino

    In addition to acts of commission, I believe there are threats arising from omission. For example, manufacturers of software programs will only provide appropriate security patches after they are made aware of those vulnerabilities.

    It’s easy for individuals to become complacent and put off taking the time required to analyze software programs and flag vulnerabilities to software companies.

    Another risk is failure to apply security patches. Depending on how an organization is set up, installing system patches could mean organizational downtime. Vulnerabilities start to emerge when businesses don’t take the time to install important patches.

    What is an effective way to manage the human side of cyber risk?

    A woman training employees
    © Getty Images

    Ninety-five percent of all cyber incidents are human-enabled, including cyber attacks, data breaches, and ransomware attacks.2

    Humans seem to be the weakest link in security and risk management. Managing the human side of cyber threats involves human-centred approaches, including diligent and frequent training and awareness programs, provided to all employees, from the front lines to senior management.

    How has remote working influenced cyber risk?

    Man using a laptop in a park
    © Getty Images

    Working remotely has become a necessity in these times and while there are many benefits, there are also heightened risks.

    While compliance to security protocols is easier in a normal office environment, individuals may become less diligent when working remotely. Examples of lax behaviour can include introducing a personal computer to a remote work network; leaving a work laptop in a car, making it a target to theft; or using an infected thumb drive.

    What if people say “I’m ok with passing on cyber protection”?

    IT specialists holding a laptop and discussing work
    © Getty Images

    Cyber risk should be looked at in the same way as property risk. A typical commercial building owner is likely to install fire alarms, smoke detectors and security cameras, as well as hire security guards, in addition to buying property insurance.

    Yes, an organization can invest in IT infrastructure with strong networks and security protocols. These will make it harder for bad actors to attack, but they will not make it invincible. An organization can never be fully secured.

    At the end of the day, it’s about risk mitigation rather than risk elimination. It’s hard to eliminate cyber risks but the right steps can help mitigate risk.

    Zair Kamal and his team focus on helping partner insurers meet the challenges of our digital world and cyber risk through coverages and risk management services tailored to small business clients.
    1 Radicati, Email Statistics Report 2015-2019
    2 Calvin Nobles, Cybersecurity Policy Fellow, University of Maryland, “Botching Human Factors in Cybersecurity in Business Organizations”, Holistica – Journal of Business and Public Administration, 2018

    This article is for informational purposes only and is not intended to convey or constitute legal advice. HSB makes no warranties or representations as to the accuracy or completeness of the content herein. Under no circumstances shall HSB or any party involved in creating or delivering this article be liable to you for any loss or damage that results from the use of the information contained herein. Except as otherwise expressly permitted by HSB in writing, no portion of this article may be reproduced, copied, or distributed in any way. This article does not modify or invalidate any of the provisions, exclusions, terms or conditions of the applicable policy and endorsements. For specific terms and conditions, please refer to the applicable insurance form.
    Posted on March 24, 2021