We are constantly bombarded with stories in the news that describe multiple industry segments that have been affected by cyber criminals – from healthcare and medical facilities to educational institutions, financial services and retailers among others.
The bottom line is that organizations of all sizes are at risk of having their valuable data – about customers, employees, operations – compromised and/or ransomed by a malicious actor.
A large percentage of small businesses suffer at least one cyber-attack in a 12-month period. Of those, greater than 40 percent can expect two, three, or even four attacks in the same year. A simple internet search for what concerns small business the most will reveal that small business owners rank a cyber-attack as one of the top two concerns for the continuity of their business. A majority of small businesses surveyed indicate they are concerned or very concerned about cyber risk, yet the vast majority haven’t taken any basic steps to address it.
Small businesses have to weigh many factors to maintain focus on their enterprises, their employees and their products or services. While this focus is intended to result in growing their operations and generating revenue, it does not always lead to proactive steps that minimize their exposure to cyber risk. While many companies are increasingly beefing up their cyber security measures and purchasing Cyber Liability insurance, too many others have made a calculated decision to go uninsured – or perhaps they mistakenly believe they have cover through their fidelity or general liability policies.
One of the greatest challenges in objectively managing risk is that people tend to underestimate certain threats while overestimating others. Let’s look at three common reasons why business owners don’t invest in cyber preparedness: “I’m too small,” “it won’t happen to me,” “it won’t be that disruptive.”
All of these statements are rooted in the dual belief of low probability and low impact. The facts simply don’t support that premise. It’s human nature to block out things that are not understood or that are not controllable.
Decisions rooted in the belief of low probability are ill advised. In today’s internet-connected society, low-probability cyber events do not exist. It’s in our nature to block out things that we do not understand or that we feel we cannot control. Good business leaders are able to hire individuals that can view risk management objectively. Often these risk managers create a simple probability-to-impact heat map to guide and prioritize their recommendations.
Managing Cyber Risk
There are 4 basic tenets to risk management that can be applied to a broad range of circumstances. Even the smallest organization can benefit from an objective approach to risk mitigation.
Transact business off-line and manually. Keep paper-based ledgers and customer records. Cash only.
Create a backup routine. Establish routines for strong passwords, software updates/patches, phishing awareness, proper USB use. Facilitate a company culture of personal responsibility and education. Create a response plan.
Go without insurance and budget for all the hard costs: prolonged systems outage, lost sales, slow or no ability to respond, regulations and fines. Also include the soft costs, which will bring decreased trust and a changed perception of your organizational strength. Long-term costs include reputational harm. Not only do current employees pay a cost in reputation, but prospective employees are less likely to apply for a job. Suppliers may change their financial terms.
The most common example of risk transfer is insurance. When an individual or entity purchases cyber insurance, they are insuring against property and/or financial loss.
Tips for Selling Cyber Insurance
First, explain to your insureds how important it is to champion a solid cyber culture. Building in best practices, and including agenda items like 'cyber tip of the week' for weekly meetings, will create muscle memory in a company's culture. At the same time, it is important to support your force of already cyber-aware team members, as their safe cyber practices will be infectious to the rest of the organization.
Secondly, insureds should take a renewed interest in, or at least a fresh look at, their employee cyber awareness as more employees than ever are going back and forth from home to office. Their cyber readiness needs to span multiple devices and locations as well.
There are 4 behaviors insureds can implement today that will significantly lower their cyber risks:
- Log off your computer every time you step away
- Use multi-factor authentication on work and personal devices
- Strengthen your passwords
- Verify your backups on a regular basis
Lastly, even with the best cyber security culture, an employee will inevitably click on a bad email link or navigate to a website that's insecure. When this happens, a strong cyber culture is important, as aware employees will notify their management so the problem can be rapidly addressed.
Cyber insurance adds a further layer of security that insureds need. From paying for professional support during the initial response to reimbursing their customers for damages, a cyber policy can mean the difference between being around another year and having to close up shop. And with most businesses experiencing at least one cyber security incident a year, cyber insurance is a solid hedge against the bad actors of the world.
How to quickly and easily get a Cyber Risk Evaluation
Historically, the process of seeking a Cyber Risk quote was a real pain. The applications were long, complicated and needed the input of your IT/network vendor to be accurately completed. Now, major providers are able to provide a quote with your basic business information and revenue projections. And prices are falling dramatically. Your insureds will likely be pleasantly surprised with the affordability of your coverage.
Special thank you to the author of the article, Kerry Wakely. Kerry is an advisor of ReFocus AI, an enterprise AI-powered sales plugin for insurance professionals. He is a Cyber Liability expert for all types of businesses and can design coverage to meet specific exposures. Please give him a call at 657.215.5059 or email him at firstname.lastname@example.org to find out how he can help you create or improve a cyber-resistant program.