Cyber threats have changed: attacks are no longer aimed only at large corporations like Target, TJ Maxx, or Sony, or at critical infrastructure like the Colonial Pipeline. There is still prestige in successfully hacking an enterprise or a government network, but the economics have shifted. Black market prices for stolen credit card numbers are a fraction of what they once were.
Cyber crime has shifted toward high-volume attacks with a high probability of success and smaller individual rewards. The latest data from Accenture shows that 43% of attacks are aimed at small businesses, and that more than 50% of small businesses have suffered a breach within the last 12 months, an annual increase of 424%, with ransomware the most common attack. The average ransom demand is over $70,000. That number may sound low, but it is more than twice the average annual income in the home countries where many of these attackers reside.
The damage to small businesses is staggering: nearly 60% of hacked companies close within six months, which shows the financial and reputational damage a company may sustain if it is not adequately prepared. Companies do not question buying General Liability, Workers' Compensation, or Fire Insurance, yet they skip Cyber Insurance even though an insurable cyber event is more probable than a claim under all of those other policies combined.
We have surveyed hundreds of small business owners, and a frequent comment is that they do not understand their cyber vulnerabilities. These owners want to learn what those vulnerabilities are and how they can affect their business. Common questions are: Is my company at risk? How do I know whether my company has cyber security vulnerabilities? Who can help me identify risk?
A starting point is simply to review a cyber insurance application. Its questions point to the network controls whose absence has produced the most claims and breach events for the insurance industry. Ask yourself the following questions, which appear in the majority of applications:
If you answered "no" to any of the above, your business may be at higher risk than you believe. It may also be uninsurable, since carriers view these as necessary cyber controls before they will offer a quotation. Many of our clients first focus on cyber resilience and then pursue insurance.
You can begin by asking your IT vendor whether they encrypt data in transit and at rest, whether employees receive phishing awareness training, and whether daily backups are stored off-site and off-network and have actually been tested to confirm that recovery works in a reasonable amount of time.
The process of purchasing cyber insurance is similar to purchasing life insurance. The applicant first completes an application, from which the carrier judges past and present hygiene and estimates, statistically, the likelihood of future habits. The life insurer may then require a health assessment by means of a blood test and EKG.
Purchasing cyber insurance likewise begins with an application that tries to gauge the applicant's current cyber health: whether the company is resilient to cyber risk and able to adapt to and avoid future risk (good health habits). Some carriers then provide the applicant with a free cyber risk assessment, the equivalent of the blood test and EKG.
The cyber risk assessment is a process in which the carrier evaluates the applicant's public-facing digital assets: the hardware and software that run things like the applicant's website and email.
Every time you visit a website, your computer performs a digital handshake with the web server hosting the page. The two sides agree on the protocol and encryption they will use, so that what you see isn't gibberish. A cyber risk assessment performs the same handshake, but it records what the server reveals about itself: the software (and sometimes the hardware) it runs, the version, and the protocol versions it still accepts. The assessor then determines whether the hardware is obsolete, whether the software is unpatched, and whether any known vulnerabilities exist.
The hardware and software found are evaluated and benchmarked against similar companies. Each known vulnerability is identified, with a link to learn more about the deficiency and its corrective solution. The report usually provides actionable recommendations that the applicant can carry out themselves at little or no cost.
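The handshake-and-grade process described above, as an added example (not the carrier's tool and not code from the article): it connects to a host, records the negotiated TLS version and the Server banner, probes whether the deprecated TLS 1.0 is still accepted, and turns what it learned into plain-language findings. The obsolete-version threshold, the list of expected response headers, and the constructed sample host `shop.example` with its banner are assumptions chosen for illustration.

```python
"""External-exposure check of the kind a carrier's assessment performs.

Added example, not the insurer's own tool. It does the "handshake" the
text describes: connects over TLS, records the negotiated protocol and the
server's self-description, probes whether an obsolete protocol is still
accepted, and turns what it learned into plain-language findings.
"""
import http.client
import re
import socket
import ssl
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Protocol versions treated as obsolete. Assumption: the exact threshold a
# given carrier applies is not public; TLS 1.0/1.1 are deprecated by RFC 8996.
OBSOLETE_TLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

# Response headers whose absence external assessments commonly flag (assumption).
EXPECTED_HEADERS = (
    "strict-transport-security",
    "content-security-policy",
    "x-content-type-options",
)


@dataclass
class Observation:
    host: str
    tls_version: Optional[str]          # negotiated with a modern client
    legacy_tls_accepted: bool           # server still completes a TLS 1.0 handshake
    server_banner: Optional[str]
    headers: Dict[str, str] = field(default_factory=dict)


def accepts_legacy_tls(host: str, port: int = 443, timeout: float = 5.0) -> bool:
    """Offer only TLS 1.0 and see whether the server completes the handshake.

    Certificate checks are disabled on purpose: the question is protocol
    support, not identity. Caveat: a modern local OpenSSL may refuse to
    offer TLS 1.0 at its default security level, in which case this returns
    False without having really tested the server.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = ssl.TLSVersion.TLSv1
    ctx.maximum_version = ssl.TLSVersion.TLSv1
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.version() == "TLSv1"
    except (ssl.SSLError, OSError):
        return False


def observe(host: str, port: int = 443, timeout: float = 5.0) -> Observation:
    """Perform the handshake and read one response (network access required)."""
    ctx = ssl.create_default_context()
    conn = http.client.HTTPSConnection(host, port, timeout=timeout, context=ctx)
    try:
        conn.connect()
        version = conn.sock.version()        # negotiated protocol, e.g. "TLSv1.3"
        conn.request("HEAD", "/", headers={"Host": host})
        headers = {k.lower(): v for k, v in conn.getresponse().getheaders()}
    finally:
        conn.close()
    return Observation(
        host=host,
        tls_version=version,
        legacy_tls_accepted=accepts_legacy_tls(host, port, timeout),
        server_banner=headers.get("server"),
        headers=headers,
    )


def assess(obs: Observation) -> List[str]:
    """Translate an observation into the findings a report would list."""
    findings: List[str] = []
    if obs.tls_version is None:
        findings.append("no TLS service answered on the port")
    elif obs.tls_version in OBSOLETE_TLS:
        findings.append(f"obsolete protocol negotiated: {obs.tls_version}")
    if obs.legacy_tls_accepted:
        findings.append("server still accepts TLS 1.0 (deprecated by RFC 8996)")
    banner = obs.server_banner or ""
    # A version number in the banner is itself a finding: it lets anyone
    # look the software up in a vulnerability database.
    if re.search(r"\d+\.\d+", banner):
        findings.append(f"server banner discloses software version: {banner}")
    for name in EXPECTED_HEADERS:
        if name not in obs.headers:
            findings.append(f"missing security header: {name}")
    return findings


# Constructed observation standing in for a live scan, so the grading logic
# runs offline. The host and banner are made up, not a real finding.
SAMPLE = Observation(
    host="shop.example",
    tls_version="TLSv1.2",
    legacy_tls_accepted=True,
    server_banner="Apache/2.2.15 (CentOS)",
    headers={"server": "Apache/2.2.15 (CentOS)", "content-type": "text/html"},
)

if __name__ == "__main__":
    for line in assess(SAMPLE):
        print("-", line)
```

Running `assess(observe("your-site.example"))` against a host you own reproduces the externally visible part of a carrier assessment; everything behind the firewall, as the article notes, stays out of reach of this kind of check.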
Is this a complete cyber security solution? Of course not. These evaluations do not get behind the firewall, whereas sophisticated cyber security solutions work inside the network to protect sensitive data and report on intrusions. But for small businesses without an internal cyber security team, the carrier's evaluation is an important first step.