Experts: Small businesses in cybersecurity crisis as AI-driven attacks escalate

Small businesses in the Caribbean face a mounting cybersecurity crisis as AI-powered cyber attacks, including ransomware and phishing scams, become increasingly sophisticated, according to local and regional experts.

At a recent webinar sponsored by CIBC Caribbean on Navigating Insurance Market Risks and Cybersecurity Threats, experts highlighted the urgent need for small enterprises to bolster their digital defences and consider comprehensive insurance coverage to mitigate potential financial ruin.

“Small businesses are often seen as easier targets by cybercriminals because they don’t have the same level of security infrastructure as larger companies,” said Derick Burton, director of information security at CIBC Caribbean. “With limited budgets and resources, these businesses struggle to implement advanced cybersecurity measures, making them more vulnerable to attacks.”

Burton pointed to the rise of AI-driven phishing techniques as a significant threat.

“Phishing used to be easily identifiable with poorly written emails. But AI tools like ChatGPT have enabled hackers to create more convincing, targeted campaigns. This makes it harder for small businesses to distinguish between legitimate communications and fraudulent ones,” he said.

These weaknesses in cybersecurity are not merely technical challenges but could pose existential threats to small businesses. A single cyber attack, the experts warned, can result in severe financial losses, legal liabilities, and even lead to business closures.

Maya Wiltshire, area president of Gallagher Insurance Brokers for Barbados, Trinidad, and the Eastern Caribbean, cautioned: “Legal liabilities are a huge concern for small businesses, especially when sensitive customer data is compromised. Data protection regulations are becoming stricter, and businesses that fail to comply can face fines or even lawsuits from affected customers.”

Wiltshire stressed that the aftermath of a cyber breach extends beyond financial loss: “It’s not just about the data loss or the ransom payment. There’s also the reputational damage, which can lead to the loss of customers. And if you’re found to have failed in your regulatory obligations, the financial penalties can be crippling.”

Chief Operating Officer at CG United Insurance, Randy Graham said that while cyber insurance can act as a safety net, the coverage landscape is becoming increasingly complex.

“Rising premiums and potential coverage gaps are a growing issue. Small businesses must carefully review their policies to ensure they are adequately covered. Not all policies are created equal, and some may exclude certain risks, such as vendor-related breaches or human errors,” Graham warned.

In a hard insurance market—where insurers are becoming more selective due to rising claims and higher risks—small businesses are facing a delicate balance between affordability and adequate protection. Dean Romney, president of Guardian General Insurance, painted a stark picture of the evolving insurance market: “For small businesses, the rising cost of cyber insurance can be prohibitive. They’re being asked to pay more for coverage, but they’re also at risk of not being covered for every possible scenario.”

Despite the rising costs, insurance companies are pushing businesses towards better security practices. Many insurers now require businesses to adopt stronger cybersecurity measures as a condition for coverage.

“Cyber insurance isn’t just about recovering from an attack; it’s about prevention,” explained Burton. “Businesses that invest in better cybersecurity practices not only reduce their risk of an attack but may also lower their insurance premiums. It’s in the best interest of both the insurer and the business to ensure that security measures are in place.”

He emphasised that prevention is critical, noting that the intersection of people, processes, and technology is where the battle against cybercrime will be won or lost.

“It’s not just about having the right technology; you need to train your people and ensure your processes are sound. A failure in any one of these areas can lead to disaster,” he said, adding that basic cyber hygiene, including regular software updates and strong password management, should be non-negotiable for businesses of any size.

Wiltshire urged small businesses to act quickly and proactively, stressing that they cannot afford to ignore cybersecurity.

“They need to be proactive,” he said. “By investing in both preventive measures and the right insurance coverage, they can protect themselves from the financial and operational fallout of a cyber attack.”

Insurers are also calling for urgent action.

“The risks are only going to increase,” said Graham, who is also president of the General Insurance Association of Barbados. “Cybercriminals are getting smarter, and the cost of doing nothing could be catastrophic.”