CNA Blog — From the Experts
From insurance trends to risk control to corporate social responsibility, CNA’s leaders know their business and are proud to use their expertise to help organizations succeed.

Published Tuesday, May 7, 2024

Three Cyber Risk Factors Small Business Owners Should Know

As cyberattacks continue to grow more frequent and severe, businesses of all sizes and types are under threat from ransomware, social engineering and data theft. Small- and medium-sized businesses can be especially vulnerable – partly because they may underestimate their risk from cybercrime. Staying up to date on the latest cyber trends and tactics helps all businesses defend against cyber threats. Here are three important risk factors to keep in mind:


  1. Smaller businesses are more at risk for sophisticated cyberattacks.
    Social engineering cyberattacks, including phishing emails, disproportionately target small businesses. A 2022 study by cloud-first security solutions vendor Barracuda found that the average small business employee will receive 350% more social engineering attacks than an employee of a larger enterprise.

    Artificial intelligence has made cyberattacks even more efficient and sophisticated. Phishing emails crafted by AI, for example, have higher open rates than manually crafted phishing emails.
  2. Smaller companies often lack proper cybersecurity resources.
    A survey by the U.S. Small Business Administration revealed that 88% of small business owners felt their business was vulnerable to cyberattack. They may have good reason to feel that way, as smaller businesses are often more attractive to cybercriminals because they lack security resources and expertise. Many small businesses do not perform employee phishing tests, for example, and may lack incident response plans and appropriate offline backup storage.

  3. Many business owners are responsible for cloud security – even if they outsource their IT.
    Outsourcing IT resources may help a small business address cybersecurity, but it doesn’t necessarily mean outsourcing liability for data breaches, even if the data in question is stored in the cloud.

    Business owners should review their contracts with their cloud service providers or IT vendors to determine their potential risk. Businesses usually own most or all of the liability for data in the cloud, and if cloud service providers own any of that liability, their costs are usually very limited.


Address cyber risk with resources that small businesses need.

Improve small business defense against cyberattacks by investing in CNA’s cyber insurance products. Our market-leading insurance products and risk control resources are built on nearly two decades of cyber insurance expertise. And now we’ve made it simpler than ever for small business leaders to apply for a quote.


We provide the tools and resources needed to understand exposures and potential losses. If there is ever a data breach, our skilled Claims professionals will work with policyholders to keep everyone’s business running.



Designed to maximize simplicity, Epack 3 is a first-of-its-kind, modular insurance policy for cyber, media, technology and professional liability. Tailored to businesses with less than $100 million in revenue, the shortened form for our Ransomware Supplement makes it easier to apply for a quote. We also simplified the process to quote Miscellaneous Professional Liability, Technology E&O and Media Liability.


CNA CyberPrep

CNA CyberPrep was developed in partnership with leading cybersecurity specialists and is designed to help policyholders identify, mitigate and respond to cyber threats.


This proactive program of cyber risk services is modeled on industry-leading cybersecurity frameworks for standards, guidelines and best practices, including the National Institute of Standards and Technology (NIST) Cybersecurity Framework, and is rooted in strong relationships with cybersecurity professionals.


To learn more about how CNA can help companies mitigate cyber risk, visit our Cyber Insurance page.
The information, examples and suggestions presented in this material have been developed from sources believed to be reliable, but they should not be construed as legal or other professional advice. CNA accepts no responsibility for the accuracy or completeness of this material and recommends the consultation with competent legal counsel and/or other professional advisors before applying this material in any particular factual situations. This material is for illustrative purposes and is not intended to constitute a contract. Please remember that only the relevant insurance policy can provide the actual terms, coverages, amounts, conditions and exclusions for an insured. All products and services may not be available in all states and may be subject to change without notice. “CNA” is a registered trademark of CNA Financial Corporation. Certain CNA Financial Corporation subsidiaries use the “CNA” trademark in connection with insurance underwriting and claims activities. Copyright © 2024 CNA. All rights reserved.




One or more of the CNA companies provide the products and/or services described. The information is intended to present a general overview for illustrative purposes only. Read CNA’s General Disclaimer.