Cyber risks are the top concern for U.S. businesses, according to the “2024 Travelers Risk Index," topping the list for the fourth time in six years. Across the country, 1 in 4 businesses reported that they have been victimized by a cyber event or data breach, the ninth increase in 10 years.

The Travelers Institute, the public policy division of Travelers, also conducted educational symposiums on cyber risk in cities across the U.S., surveying the commercial cybersecurity landscape in specific cities, including Washington, D.C., where the business environment is unique. In the nation's capital, many businesses are government vendors, which means “there is a heightened awareness," says Joan Woodward, executive vice president of policy at Travelers and president of the Travelers Institute.

“D.C. is uniquely positioned to be a target of not only bad actors in the U.S. or elsewhere but also nation-state actors, which we know are actively engaging in cyberattacks," she says. 

More than half—53%—of D.C. businesses say they have already been the victim of a cyber event, according to the Travelers survey. “We define 'cyber event' as an intentional effort by a hacker to steal or expose someone's data," Woodward explains. “This can be done through phishing ransomware while attacking a company's passwords and getting access to private information."

“The fact that more than half of D.C. businesses admit that they've experienced this speaks to the fact that it's part of a new normal for us," Woodward continues.

However, the majority of D.C. businesses are realistic about the heightened cyber risks they face. Nearly two-thirds (63%) of D.C. businesses believe their company will be the victim of a breach or attack in the future.

“They know it's coming and they want to be prepared," Woodward says. “Eighty-two percent of D.C. metro area business decision-makers completely or somewhat agree that having proper cyber insurance coverage in place is critical to the well-being of their company, our poll found."

And that sentiment is proven by the data, she points out, with nearly three-quarters of D.C. businesses reporting they have cyber insurance. “That's a high number for a metro area, higher than other places we've studied," Woodward says.

To protect their companies, 81% of D.C. business leaders require computer password updates, 80% have firewall and virus protection, 68% use multifactor authentication (MFA), 62% participate in staff training and testing regularly, and 60% perform cyber risk assessments.

Businesses across the U.S. can learn from this preparedness level. “What we worry a lot about is the small- and medium-sized businesses who think they're never going to be a target—and that's just not true," Woodward says. “Cybercriminals look for small- and medium-sized businesses who may be vulnerable, and they can tell which ones have a cybersecurity plan in place and which ones don't."

To maximize system security, Woodward emphasizes the importance of MFA; system updates; endpoint detection and response (EDR); an incident response plan; and backups. “These are things that can be put in place in the next day or two," she says. “Businesses don't have to go and hire a whole new team—they can do these internally right now."

“A cyber event can cause major operational and financial disruption to an organization," Woodward adds. “We hear about the big-name companies that have been hit, but we don't hear about the smaller companies who may actually be put out of business if they can't recover their data quickly."

AnneMarie McPherson Spears is IA news editor.