Why Iowa Small Businesses Are Prime Targets for Cyber Threats - Cyber Insurance Best Practices

Small business owners often believe they're flying under the radar of cybercriminals, but the reality paints a different picture. More than half of cyber claims filed in 2024 originated from companies with under $150 million in annual revenue, according to research from Chubb's 2025 report "Navigating the Cyber Claims Landscape." Even more concerning, 28% of these claims impacted businesses with less than $25 million in revenue.

The assumption that smaller operations make less attractive targets is a dangerous misconception. In fact, these organizations face disproportionately higher risks. Cybercriminals specifically target smaller companies because they often lack dedicated IT departments and sophisticated security infrastructure. When you're managing payroll, client relationships, and daily operations without extensive technical staff, cybersecurity often takes a backseat—and attackers know it.

The numbers from Microsoft tell an equally troubling story. One in three small and middle market businesses has fallen victim to a cyberattack. These incidents aren't minor inconveniences—they carry an average price tag of more than $250,000, with some cases reaching $7 million. For a company operating on slim margins, that kind of financial hit can be devastating. Research shows that 60% of small businesses that experience a cyberattack close their doors within six months.

Ransomware Dominates the Threat Landscape

If you think ransomware is just a problem for major corporations, think again. Ransomware attacks have become the single greatest driver of cyber insurance claims, accounting for nearly 72% of cyber claims dollars between 2023 and 2024, according to Chubb's data. The University of Maryland's Francis King Carey School of Law found that 82% of ransomware attacks specifically target small to medium-sized businesses.

These attacks work by encrypting your data and holding it hostage until you pay a ransom. The financial consequences extend beyond the ransom payment itself. Your business faces downtime that halts operations, data recovery efforts that consume resources, and potential liability costs if customer information gets compromised. About 75% of small and medium businesses report they couldn't continue operating if hit with ransomware, and 51% of those who face these attacks end up paying.

Third-party litigation stemming from ransomware incidents jumped approximately 75% in 2024 compared to the 2020-2021 average. This means even after recovering from an attack, businesses face legal battles that drain resources and damage reputations.

When Software Updates Go Wrong

Not every cyber disaster involves a malicious hacker. Sometimes the threat comes from unexpected sources, like faulty software updates. The CrowdStrike outage in July 2024 demonstrated how vulnerable businesses are to non-malicious cyber events. A single problematic software update triggered global disruption, causing insured losses estimated between $400 million and $1.5 billion.

Airlines, hospitals, and financial institutions made headlines, but smaller businesses suffered equally—sometimes more severely. Any computer running Microsoft Windows that received the corrupted update crashed and couldn't restart without significant technical intervention. Retailers, medical offices, restaurants, and other smaller organizations found themselves locked out of payment systems, shipping data, and other mission-critical information.

The difference between large enterprises and smaller businesses became painfully clear during this crisis. Many smaller companies lacked IT departments or technical staff who could work directly with Microsoft and CrowdStrike to resolve issues quickly. For them, the outage and associated business interruption lasted considerably longer.

The Privacy Law Maze

Privacy regulations represent another growing minefield for businesses. The proportion of third-party claims related to privacy liability more than doubled in 2023-2024 compared to 2020-2022, based on Chubb's data. Laws like Illinois' Biometric Information Privacy Act, the Video Privacy Protection Act, and various state wiretapping statutes have created new avenues for litigation.

Currently, 20 states have or will soon have privacy laws that create liability for businesses collecting and storing personal information. What catches many business owners off guard is that these laws apply based on the state where a plaintiff resides, not where your business is located. If you have customers in California, Virginia, Colorado, Connecticut, Utah, Iowa, Indiana, Tennessee, Texas, Florida, Montana, Oregon, Delaware, New Hampshire, New Jersey, Kentucky, Nebraska, Minnesota, Maryland, or Rhode Island, you're potentially exposed to these regulations regardless of where you operate.

The penalties are substantial. The Video Privacy Protection Act allows statutory damages up to $2,500 per violation for unauthorized disclosure of personal information and viewing history. Most smaller businesses don't have legal experts on staff who can track this rapidly expanding body of law and maintain compliance. When violations occur, the financial penalties, lawsuits, and reputational damage can overwhelm a business that lacks the resources of larger competitors.

Building Cyber Resilience Through Practical Actions

The good news is that effective cyber protection doesn't require massive budgets or technical expertise. Several straightforward strategies can significantly strengthen your business's defenses.

Adopt Multi-Factor Authentication: Multi-factor authentication (MFA) can block 99.9% of automated attacks on accounts, according to Microsoft. This security measure requires users to verify their identity through multiple methods—typically something they know (like a password) plus something they have (like a smartphone) or something they are (like a fingerprint). Even if a password gets compromised through a phishing attack, MFA prevents unauthorized access because attackers lack the additional verification factors.

Embrace Zero-Trust Security: Traditional security models assume that anyone inside your network is trustworthy. Zero-trust architecture flips this assumption by requiring strict identity verification for everyone seeking network access, regardless of their location or position within the organization. For smaller businesses, this means implementing least-privilege access—giving employees only the minimum access needed for their specific tasks—and using network microsegmentation to limit potential damage if credentials get compromised.

Practice Consistent Cyber Hygiene: Strong security controls and resilience capabilities help businesses mitigate cyber threats. Regular employee training is essential because many attacks don't rely on sophisticated malware but instead use social engineering tactics. Training employees to recognize phishing emails, use strong passwords, enable multi-factor authentication, identify and report scams, and keep software updated creates a human firewall that complements technical protections.

Develop an Incident Response Plan: Having a solid incident response plan makes the difference between a manageable incident and a catastrophe. This plan should outline how your team reacts to specific types of incidents, define roles and responsibilities, establish communication protocols, and include procedures for data backup and recovery. Rehearsing the plan through tabletop exercises prepares your team to execute under pressure. Organizations outside the U.S. that have invested in business continuity and incident response plans have seen decreases in both the frequency and severity of cyber incidents, according to Chubb's research.

The Safety Net of Cyber Insurance

While strong security practices form your first line of defense, cyber insurance provides an essential safety net. Average recovery costs from cyberattacks run around $120,000 for small businesses, with many incidents ranging from $120,000 to $1.24 million depending on severity. These figures include direct financial losses, downtime, legal fees, and long-term reputational damage.

Cyber insurance policies typically cover both first-party and third-party claims. First-party coverage addresses immediate impacts like data breach response, notification costs, credit monitoring for affected customers, business interruption, data recovery and restoration, cyber extortion and ransomware payments, and crisis management support. Third-party coverage handles legal and regulatory liabilities, including legal defense costs, settlements or judgments, regulatory fines and penalties, and liability for data privacy violations.

For small businesses, cyber insurance premiums average about $145 per month or $1,740 annually—a modest investment compared to potential losses. Several factors influence premium costs, including company size, industry-specific cyber threats, amount and type of data handled, number of employees, claims history, and coverage limits.

Specialized Support for Smaller Iowa Businesses

Recognizing the unique challenges smaller organizations face, insurance providers have developed tailored solutions. Chubb's Cyber Stack, designed specifically for businesses with 100 or fewer employees, connects clients with dedicated cyber risk advisors and provides tools for crafting effective management and response strategies. Services included at no additional cost for the first year for new customers—representing up to $28,000 in savings—include cyber awareness training, vulnerability security alerts, password management, and incident response planning.

The Chubb Cyber Index provides access to proprietary claims data on cyber threats, which is particularly valuable for smaller businesses. It allows organizations to benchmark risk profiles against peers, examine peer purchasing insights, and use a cyber risk calculator to understand potential exposures and costs.

Frequently Asked Questions

How much does a cyber incident typically cost a small business?
Average costs range from $120,000 to $1.24 million, depending on the incident's severity and industry. Some cases reach as high as $7 million. These figures include direct losses, downtime, legal fees, data recovery, and reputational damage.

What percentage of cyberattacks target small businesses?
Research shows that 43% of cyberattacks target small businesses, and 82% of ransomware attacks specifically target small to medium-sized businesses. About 61% of small and medium businesses experienced at least one cyberattack in 2021.

Can small businesses survive a ransomware attack?
Statistics reveal that 75% of small and medium businesses say they couldn't continue operating if hit with ransomware. Additionally, 60% of small businesses that suffer a cyberattack close within six months.

Is cyber insurance expensive for small businesses?
Cyber insurance premiums for small businesses average about $145 per month or $1,740 annually. This is considerably less expensive than the average cost of recovering from a cyberattack, which runs around $120,000 or higher.

What's the most effective way to prevent cyber incidents?
Multi-factor authentication stands out as one of the most effective protections, blocking 99.9% of automated attacks according to Microsoft. Combining MFA with regular employee training, strong password policies, software updates, and an incident response plan creates comprehensive protection.

Protect Your Business with Comprehensive Iowa Insurance Coverage

Cyber threats aren't going away—in fact, they're becoming more sophisticated and more frequent. The financial and operational consequences of a cyberattack can devastate a business, particularly one without extensive resources or technical staff. But you don't have to face these risks alone.

At DSMIG, we specialize in helping businesses develop comprehensive risk management strategies that include cyber insurance coverage tailored to your specific needs. We understand the unique challenges you face and can connect you with insurance solutions that provide both financial protection and access to expert incident response services. Don't wait until after an attack to discover that your current insurance doesn't cover cyber incidents. Contact DSMIG today to review your coverage options and ensure your business has the protection it needs to weather any cyber storm.