Data breaches occur on both large and small scales, though most people are familiar only with the more prominent incidents. Every employer faces the reality that it could be the target of a network security breach. A cybersecurity breach can jeopardize credibility, cost small businesses without cyber insurance thousands of dollars (or more) in damages, and impact customer service, productivity and reputation.
A data breach occurs when sensitive information is accessed by cybercriminals who find the means to bypass network security from a remote location. They may steal personal and sensitive information like:
Cybersecurity, or information security, refers to the measures taken to protect a computer or computer system against unauthorized access from a hacker. A robust cybersecurity policy protects secure, critical or sensitive data and prevents it from falling into the hands of malicious third parties.
Every October since 2004 has been designated National Cybersecurity Awareness Month. Cybersecurity awareness has continued to grow, reaching consumers, small and mid-sized businesses, large corporations, educational institutions and young people across the United States.
E-COMP has a vested interest in cybersecurity, internally for our employees and externally, to help our agents and insureds understand the data breach risks. E-COMP’s Cyber Liability Program provides coverage for certain losses incurred from a cyberattack, and we are committed to evolving our policies as new cyber threats emerge.
Below are cybersecurity risks that can wreak havoc on a business:
Cyber attacks threaten businesses every day, often resulting in damages of hundreds of thousands of dollars or more. A cyber attack is a deliberate assault on a computer system or network that uses malicious code to make unwanted modifications or steal data. Some of the most common examples of cyber attacks include the following:
Cybercriminals commit their crimes through social engineering scams – the act of deceiving or manipulating someone into divulging confidential or personal information to use for fraudulent purposes. Social engineering scams come in many forms, including phishing scams sent via email to collect sensitive data, baiting scams that infect a computer with malware after the user downloads free music or movies, caller ID spoofing and more.
Malware, or “malicious software,” is software that is installed on a user’s computer, typically after the user clicks a harmful link or opens an email attachment. Once installed, the malware can lock down the computer, block access to files and other vital components of the network, and collect sensitive information.
One common form of malware is ransomware, which blocks access to the system until a sum of money is paid or another action is completed. Another type is the Trojan horse, a malicious program designed to look like legitimate software so that users are tricked into installing it. In a related attack, a malicious script is planted on an insecure website and redirects visitors to a site controlled by the hacker.
A Structured Query Language (SQL) injection is a cyber attack that involves a hacker “injecting” malicious code into a service that uses SQL, forcing it to expose information it would normally not display, including customer details, user lists and other confidential company data.
A denial-of-service (DoS) attack occurs when hackers overload a system’s resources and cause it to become unresponsive to service requests. In other words, these attacks can shut down the system and make it inaccessible to authorized users. A distributed denial-of-service (DDoS) attack also targets the system’s resources, but the traffic comes from a larger number of host machines, all infected and under the control of the cybercriminal. DoS and DDoS attacks can completely debilitate a website, especially when combined with botnets.
A botnet is a network of compromised devices, including personal computers and other devices, each running a bot (short for robot) under the cybercriminal’s control. Botnets drive various types of cyber attacks that can be used to steal personal information and passwords, spread spam and deliver viruses. They’re cheap and effective for cybercriminals to utilize, and as mentioned above, can also facilitate a DoS attack, flooding a webpage with traffic to ensure the site goes offline.
A data breach can also occur due to simple mistakes by employees. The Identity Theft Resource Center found that in 2019, 705 million non-sensitive records were compromised due to a data breach, while cyber attacks exposed over 164 million sensitive records. Non-sensitive data such as usernames or passwords could lead to additional exposure.
There are warning signs for a data breach that you can watch out for, including:
Regardless of how big or small your business is, if your data, important documents or customer information is exposed, recovering from the aftermath could be difficult. In addition to knowing the warning signs, there are ways that businesses can prevent data breaches or cyber attacks.
It’s more important than ever that all businesses understand how to recognize the early warning signs of a data breach, the steps they can take to help prevent them, and how to protect themselves from certain losses incurred from a cyberattack. Below are some data breach prevention tips to keep in mind:
Additionally, businesses should prepare for a cybersecurity attack by creating a comprehensive data breach response plan. A data breach response plan, also known as a security breach response plan or a cyber incident response plan, lays out the necessary steps in a straightforward, documented manner so the business can respond appropriately to a cybersecurity attack. While the details can and should be customized to the organization, there are certain things every security breach response plan generally includes.
On its most basic level, data privacy is consumers’ understanding of their rights as to how their personal information is collected, used, stored and shared. The use of personally identifiable information (PII) must be explained to consumers simply and transparently, and in most cases, consumers must give their consent before their personal information is provided.
Personally identifiable information is data relating to an identified or identifiable natural person, such as an ID number, location data, online identifier (like an IP or MAC address) or other specific factors. It also includes unique identifying data such as a Social Security number, driver’s license number, financial accounts, email addresses, login credentials and passwords, addresses, phone numbers and birth date.
The European Union enacted the General Data Protection Regulation (GDPR), a comprehensive data privacy protection program, in 2018. The GDPR has been a model for privacy laws in the United States.
GDPR
The protection of PII is the core of the European Union’s (EU) General Data Protection Regulation (GDPR). The GDPR, enacted in 2018, explicitly directs organizations to protect the personal information of all “data subjects” of the European Union. The protection of PII data (and the penalties associated with a data breach of it) is a right held by the data subject and is enforceable inside and outside the European Union.
Any small business that processes the personal data of individuals within the EU is subject to the GDPR, no matter where the company has its headquarters. The GDPR provisions state that the laws apply to people within the EU, but not necessarily to EU citizens. This means that any company using the data of EU subjects, even if the company is located outside the EU, will need to comply with new ways of protecting data related to identifying information, IP address, cookies, health, genetic or biometric data, racial or ethnic data and sexual orientation.
California Consumer Privacy Act (CCPA)
The U.S. does not yet have an extensive federal data privacy law similar to the GDPR. Currently, it is up to individual states to develop personal data legislation. California was the first state to implement a law in January 2020, known as the California Consumer Privacy Act (CCPA).
The CCPA gives California residents an assortment of new privacy rights, starting with the right to be informed about what kinds of personal data companies have collected and why it is being used. The law stipulates that consumers have the right to:
The CCPA excludes publicly available information from federal, state or local government records, and medical or health information collected by an organization governed by California’s Confidentiality of Medical Information Act or HIPAA.
Remote work is growing, especially since many workers switched to remote work during the pandemic, with some workers retaining a hybrid schedule moving forward. Remote employees can present a higher and ongoing cyber risk to their businesses for the following reasons:
According to Small Business Trends, 48% of cyber attacks were due to a negligent employee or contractor. Cybersecurity training for employees should be an ongoing process. It is vitally important that everyone in the company, especially those who work outside the office, is up-to-date on all security policies. Businesses should consider doing more to ensure all employees are consistently updated about any potential security vulnerabilities – and how to recognize and avoid them.
Employees often access company networks using Wi-Fi from popular or public locations (such as a coffee shop), making them more susceptible to the risk of an online attack. Most public Wi-Fi networks do not require authentication and do not encrypt the connection. Unencrypted networks could make it easy for malicious actors to steal data or access credentials.
Examples of a remote worker’s risky behavior include using work devices to visit social media pages, answer personal emails or shop online. Allowing non-employees like friends or family members to borrow devices for personal use is another example. Because the websites or files those users access are not monitored, company data may be put at stake.
Physical security of company-issued devices can also be a cybersecurity risk. This could be as simple as leaving a device out in the open at home or in an unlocked car.
Cyber insurance, also known as cyber liability insurance, provides coverage for certain losses incurred from data breaches and can help protect your company from a range of cyber attacks. The extent of cyber coverage will vary depending on the industry, the type of business and its specific needs. At a minimum, cyber insurance helps companies comply with state regulations that require a business to notify customers of a data breach involving personally identifiable information.
Many businesses may not realize they need cyber insurance, or may not understand it. From large corporations to school districts, organizations are hit by cyber attacks on a daily basis. Agents can help educate their insureds about known risks, how cyber losses are compensated and what coverages are available. Businesses may think their other policies – property, liability, business interruption – cover cyber-related incidents, but often policies do not explicitly include or exclude cyber coverage, leaving it in a grey area. The best way a business can protect itself is to have a cyber liability insurance policy.
The cyber insurance market has been growing as more businesses understand the need for protection from financial and reputational losses due to security breaches and cyber attacks. With more businesses feeling the effects of data breaches and cyber attacks, the value of cyber insurance’s market share is expected to continue climbing. According to MarketsandMarkets™, the cyber insurance market is projected to grow from $7.8 billion in 2020 to $20.4 billion by 2025, with an annual growth rate of 21.2%.
Insurance services provided by E-COMP NOW! Insurance Services and its licensed agents and affiliates. The information contained within these materials are confidential and not to be distributed. Descriptions are general in nature only. Please refer to the terms and conditions of policies offered or purchased. Insurance products are subject to application and underwriting requirements. Pricing depends on a variety of factors including policyholder location. Not all discounts available in all states. Not all products available in all states. Use of and access to this information, site or any of the links contained within this site does not create a relationship between the user and E-COMP. © 2025 E-COMP, Inc. All Rights Reserved.