With the average data breach in 2018 costing $3.86 million, according to IBM, it's little wonder that companies are starting to opt for this form of protection. Thus far, most buyers have been medium- to large-scale firms, that is, the ones with the most to lose.
However, some companies are beginning to pitch cyber insurance to smaller operations. But is it really worth it for an SMB? Let's dig in.
Of course, the first question when it comes to getting insurance (of any type) is "What are the risk factors?" There's little point purchasing a policy against something that's unlikely to affect you, like getting flood insurance in Nevada.
When it comes to cyber-crime, there's lots of data, and lots of differing interpretations of that data. However, one key factor is that it seems cyber-criminals do preferentially target medium-large businesses. Those are the businesses that A) are likely to have reasonably large amounts of customer data, but B) may not have sufficient IT staff or security measures in place. Companies with something like 500-1000 employees are probably at the highest risk.
In addition, medical companies and organizations are at particular risk. Medical databases are basically the motherlode for data thieves, and since many medical operations are on tight budgets, they often have insufficient network security or untrained staff.
So, without even getting further into the topic, if you are a mid-sized medical organization, you definitely want cyber insurance.
For everyone else, though... it's questionable. The big issue at the moment is that policy offerings are far from standardized. Since cyber-crime is such a new and evolving threat, every insurance company that offers cyber insurance policies is doing so differently.
Additionally, few policies out there are truly comprehensive. They will usually have very tight restrictions on the type of crimes covered, the types of damages paid for, or both. On top of that, they tend to have extremely strict requirements on your own standards and policies, and failure to comply with those requirements can lead to having the claim denied.
And then you're out the cost of the breach AND the cost of insurance.
If you feel your company is genuinely a target for cyber-criminals, or you handle particularly high-value data, there may be value in talking about getting a cyber insurance policy. However, be prepared to do a lot of research and negotiate with plenty of sales reps before you sign up.
For everyone else, though, that money might be better spent shoring up your own defenses. Have you ever conducted a live network penetration test? Hiring a group to directly test your system security, and report on any problems found, could easily be a more productive use of your money.
To learn more about how you can affordably test and beef up your network security, just contact Hummingbird Networks.