A recent study revealed that organizations with fewer than 1,000 employees make up 85 percent of hackers "targets of opportunity"—where victims are selected because they display a weakness the attacker can exploit.

As big companies boost their security measures and become more difficult to attack, Timothy J. Streck, vice president of commercial product development at Nationwide Mutual Insurance Co., says that people intent on infiltrating corporate networks will "turn to less sophisticated networks of small-business owners."

Unlike large enterprises, where IT experts are in place to thwart breaches, many small to medium-sized businesses get by with very little technical expertise.

"A lot of it has to do with common negligence," says Josh Baker, marketing and e-commerce director at small business-focused BOLT Insurance Agency in Farmington, Conn.

Baker says that training on practices such as secure data storage and appropriate disposal of information often is lacking, "Many small businesses have absolutely no internal policies regarding common security."

And that's no joke. Statistics show that a whopping 96 percent of breach victims who are subject to the Payment Card Industry Data Security Standard (PCI DSS) admit they haven't achieved compliance.

Recognizing the Exposures

The classic hacker, hunkered over a keyboard in a darkened room, isn't the only threat. Now small to medium-sized businesses have smartphones and tablets to worry about.

"Mobile devices today can carry an exorbitant amount of information," Streck says. "It's quite common to have all of that data in one place, on a device that could be stolen or lost."

USB drives and other pocket-sized storage gadgets also make concerns about potential data exposures very real.

Brian McGinley, senior vice president of data risk management at IDentity Theft 911 in Scottsdale, Ariz., says attacks aren't necessarily high-end hacking attacks. Many breaches result from simple errors and negligence. Small businesses of all kinds frequently throw data and devices away without ensuring that sensitive information has been deleted.

"We often find very sensitive data in dumpsters," says McGinley.

Other trends include rogue employees who use data access privileges for nefarious purposes and companies that fail to protect their systems against attack.

The Cost to Businesses – Devastating and Expensive

The consequences of cyber exposure are sometimes enough to close the doors of a small or medium-sized business for good. Even if a company survives, Baker says the aftermath could do lasting damage to its reputation.

One post about the breach on Facebook could spread news of a company's troubles far and wide, scaring both existing and potential customers.

"In this age of social media, it's not easy to keep something private." says Baker. "[Customers] may perceive that your company isn't safe to do business with."

McGinley warns that regulatory and remediation requirements might also lead to onerous financial obligations.

"For example, if a business is victimized and it impacts individuals, there are laws in 46 states that require you to make notification to customers that are impacted," he explains.

Remediation efforts – which in addition to notifying affected customers, can also include providing them with credit monitoring services – cost money. There also could be significant monetary penalties for failing to comply with various regulations, such as the protection of personally identifiable data (PID), personal health information (PHI), and PCI DSS.

Tips for Agents on Overcoming Client Pushback

Many small and medium-sized businesses don't recognize the risks they face and the need for cyber liability coverage. Savvy agents can help break down those barriers:

  • Examine the type of data that's potentially at risk: "It's worth talking about the types of information as a small business owner they keep on hand that's personally identifiable to their customers," Streck says. Many of these businesses simply don't recognize the truly sensitive nature of much of their data.
  • Evaluate technical resources: Will they be able to identify the point of exposure and fix it? Most insurance policies help with preventing a breach, as well as what to do when one occurs. "We can help them determine the next steps, their requirements for notification, and any additional best practices they should adopt," McGinley says.
  • Remind them of the financial implications: Baker believes large companies may be able to survive the costs of a data breach, but "for the small business, the financial losses and the loss of business or reputation associated with that is a lot harder to weather, which makes it even more vital to have the insurance."
  • Provide case studies and anecdotal evidence of the dangers: "Information is readily available through the Internet, and you can pull up real-life cases of where folks have been impacted by a data breach," Streck says.
  • Highlight the need for cyber liability coverage as part of a larger insurance suite: "As a small business owner, you do a lot of things to protect your customers," Baker says. Whether a business is large or small, customers expect their data to be secure no matter what.

Matt Cullina, is the chief executive officer of IDentity Theft 911, a consultative provider of identity and data risk management, resolution and education services. Cullina has 15 years of insurance industry management, claims and product development experience. Prior to his role at IDentity Theft 911, Cullina spearheaded MetLife Auto & Home Insurance Co.'s personal product development initiatives, managed claims litigation and served as a corporate witness for Travelers Insurance and the Fireman's Fund Insurance Co. He can be reached at mcullina@idt911.com.

IDentity Theft 911 serves 13 million households across the country and provides fraud products for a range of organizations, including Fortune 500 companies, insurance companies, corporate benefit providers, banks and credit unions and membership organizations. IDentity Theft 911 is based in Scottsdale, Ariz. and has locations in New York City, Rhode Island and Canada.