You’ve got your outdoor retail business. Years of passion and planning have finally paid off, and the physical – and potentially cyber – doors are now open. Your success depends not only on your ability to offer products that meet customer expectations but also on your ability to connect with that same base, keep their info safe and protect your assets.
Similar to how you should lock up your storefront at night, today’s retailer needs to take all necessary steps to keep critical data secure against intruders. “Cyber liability has become a real thing,” said Rob Martin, managing director, Outdoor Sports Insurance (OSI), a Horizon Agency program that works with 2,500 shops countrywide. “In the last two years, it’s exploded. From a claims standpoint, coverage is getting more expensive because the carriers that provide it are losing money based on claims activity, frequency and severity. We’ve had many instances [of breaches] over the past year, to the point that it’s becoming more common than traditional insurance losses such as fires, thefts, collapse or any of those things.”
To maintain affordable coverage, he added, “you’re better off the more buttoned up you are.” Ironically, most small businesses have fewer resources to protect their assets than their larger competitors, even though the risk they face is potentially more devastating.
“As of Q2 2021, 75 percent of ransomware attacks targeted businesses with less than 1,000 [employees],” said OSI executive vice president, Tori Hoeschler. “The average cost of each attack to the business was $136,000. Of those without proper security measures, data backup or proper insurance, over 60 percent were out of business within six months.”
For businesses in the outdoor space, critical time can be lost when their operations are out of commission, especially if the attack goes down during the peak season. To address these concerns, OSI has outlined a series of recommended measures to help keep any mom-and-pop shop safe and profitable for years to come.
- Knowing and Managing Data
Today’s organization needs to understand not just the nature of at-risk data but the calamity that its breach would cause. Organizations need to be cognizant of the types of data that they collect and store, factoring in their own depth of resources for keeping this information safe.
- Backing Up Files
All effort should be made to schedule regular – often automated – informational backups. “Today, a business is 10 times more likely to experience a cyber event than they are to have any other sort of insurance claim,” Hoeschler noted. “It’s reasonable to say that when it comes to an attack, it’s not a question of if, but when.” The executive also noted that backups and encryption should be applied to “all data on a network, even if it’s not private data.”
- Training Staff to Recognize Cyber-Attack Methods
Whether your company has one employee at a cash register or thousands sprawled out across a geographically dispersed area, the concept of keeping information safe can rely on the choices that they make. “These criminals are so savvy,” said Martin. “There’s a lot of different places to access somebody’s system. It could be as simple as a directory or the phishing emails. It happens probably once a month at our company where I get a notification of ‘Do not click on this link.’ Some of them are easy to see through and some of them are really quite well designed, where I feel like that is a legitimate request in an email for me to click on a link and look at something.”
- Conducting Employee Background Checks
OSI recommends having a good grasp of exactly who sits at one’s desk. By weeding out those with a criminal or even questionable past, the organization is able to limit the risk of ill-natured attacks from within.
- Limiting Critical System Access
For many small businesses, common practices such as password sharing run rampant. This dangerous policy grants access to anyone who happens to get the proper login credentials, whether by legitimate or illegitimate means. This is where concepts such as “zero trust” and MFA (multi-factor authentication) come into play. The idea is to restrict access to sensitive information exclusively to those for whom its access is inherently necessary to do their jobs, while also requiring additional validation for every user login. “The primary pushback we get from our clients when we recommend the use of MFA across their network is the cost of installing and integrating it,” said Hoeschler.
“Data suggests that email is the primary point of vulnerability for businesses. We encourage starting with MFA for emails, then stepping up integration as it becomes economically feasible.”
- Relying on Firewall and Anti-Virus Software
Smaller businesses need to invest in resources to detect, block or – in a worst-case scenario – absorb an attack. While no individual software or suite is foolproof, their use in conjunction with one another can offer a protective measure of defense.
- Employing Intrusion Detection and Breach Analysis Options
OSI recommends paying for third-party network monitoring. The concept behind this software type is that it scans for active incidents that have occurred, offering remediation options.
- Maintaining Security Patches
This critical measure is especially important for the small business that does not make a massive, ongoing investment in security software. By actively patching, the business gains information on the latest threats, trends and definitions and can actively scan for potential issues.
- Focusing on DDoS Security
Businesses should work to promote awareness as to how to best avoid (if possible) or absorb (if necessary) a devastating distributed denial-of-service attack. These types of strikes – of which ransomware is just one example – can have devastating consequences for the small business that cannot afford downtime.
- Planning for Data Breaches
In some cases, penetration is inevitable. Today’s environment needs to account for what would happen if such a breach does occur. For this reason, OSI recommends creating a formal “Incident Response Plan” that is then reviewed each year. This program should include clear, descriptive verbiage regarding protocols and policies, specific employee incident response tasks and other roles and responsibilities. One should also have a policy in place to inform the client of the integrity of any stored customer data, how this information is handled and options at their disposal should this information become compromised.
- Obtaining Cyber-Risk Insurance Coverage
These types of policies, for which Outdoor Sports Insurance and other agencies offer coverage, are designed to counteract the high cost incurred as part of a data breach or extortion strike. In particular, OSI believes that it offers the right insurance program, replete with access to experienced professionals who can assist with such an otherwise stress-filled occurrence.
“For the smaller companies that make up the outdoor industry, we often hear that ‘My credit card transactions are all protected through a third party’,” said Martin. “There’s an unwillingness to spend money on cyber liability. What they’re not realizing is it’s not just about protecting credit card numbers. It’s about protecting your network, business and assets.”
As an industry leader in risk management and liability mitigation, OSI focuses on providing insurance services for specialty retailers, distributors, market representatives and manufacturers. On average, its team has more than 20 years of experience in property and casualty insurance, and has assigned underwriters, claims adjusters and attorneys to service its accounts. By signing up for such a program, members also gain access to many different resources, including release forms and waivers to keep current with state and federal regulations.
“There’s a lot of retailers out there that are really just focused on transactional exposure, versus if their network is protected, both through things such as zero trust and also through cyber liability insurance,” concluded Martin. “That’s a message that needs to go out to these folks. They need to broaden their scope as to what exposure really means in the world of cyber theft and all of the risks that they have and may not realize.”
Because in today’s digital retail world, one cannot be careful enough.
About Outdoor Sports Insurance
Outdoor Sports Insurance (outdoorsportsins.com) is one of the longest-serving insurance brokers in the outdoor markets, working with brands and retailers across the United States who focus on boardsports.
With 34 years of market leadership, Outdoor Sports Insurance is at the forefront of emerging issues facing retailers, brands and outdoor professionals, ranging from global challenges like COVID-19 risk management and cybersecurity liability, to distinct market issues like best practices for board demos, staff training and education.
You’re encouraged to reach out to a member of the Outdoor Sports Insurance team to learn more about putting a policy into place for your business, or just to chat about what you can do to improve your risk management.
Outdoor Sports Insurance offers comprehensive insurance coverage on gear rentals, demos, liability, worker’s compensation and more. They also ensure that waivers are accurate and complete, help train staff with best practices, and provide general business protection.
Outdoor Sports Insurance will be attending Outdoor Retailer Summer Market and The Big Gear Show. To set up an appointment to review your ADA report card or discuss risk management at either show contact amos@palemorning.com or stop by their Outdoor Retailer booth (42001-UL) located just inside the show’s main entrance.
To learn more about Outdoor Sports Insurance or discuss risk management for your businesses, contact osi@horizonagency.com.
BRA note: We are very pleased to mention that Outdoor Sports Insurance is a BRA Supporting Vendor Partner. If you would like to be introduced via email to Rob and the solid team of people behind this outstanding resource, email me. – Doug Works, BRA Executive Director