Preparing Business Defenses: How World Events Impact Us
It’s easy to watch world affairs and think they’re happening half a world away, so they don’t directly apply to business at home.
But world events carry potential security ramifications and impact how we do business. We can no longer passively observe world affairs, and taking a bury-your-head-in-the-sand approach is short-sighted, especially when it comes to business security and the burgeoning cybersecurity threat.
Cyber-attacks are continually increasing, and everyone with an Internet connection is a possible victim. It’s no longer a matter of if an attack will happen; it’s a question of when a bad actor will target a company.
Cyber-attacks make headlines when they involve high-profile companies, but it’s the “lower-profile” attacks companies need to consider. Even when cyber-attacks don’t make the headlines, they can still pose a significant problem for businesses of all types and sizes. Unfortunately, in the absence of regular headlines, many companies don’t keep this threat top of mind.
Let’s remember that bad actors have already targeted organizations in our country and worldwide.
According to the FBI, there are more than 4,000 ransomware attacks every day in the United States. But most of these don’t garner any headlines.
These attacks did not slow down amid the COVID-19 pandemic. It doesn’t appear they will subside any time soon.
The Identity Theft Resource Center’s (ITRC) 2021 Annual Data Breach Report revealed that ransomware-related data breaches doubled each of the last two years. At the current rate, in 2022, ransomware attacks could surpass phishing as the number one root cause of data compromises.
Companies are increasingly acting to protect themselves. But they can do more to safeguard their companies’ operations: they should be securing cyber insurance.
Why do companies need cyber insurance?
Many cybersecurity experts have predicted that bad actors could launch cyberattacks worldwide, especially in the United States. While their specific targets are anyone’s guess, no one should leave their safety to chance.
Many companies make the mistake of thinking bad actors won’t target them. They might think they have a small staff or lack broad name recognition and can fly under the radar.
However, previous cyber-attacks have shown that hackers may start small. They will often use an initial breach — targeting a company that doesn’t take its security as seriously as it should — as a jumping-off point to reach larger and higher profile targets.
Unfortunately, no one is fully protected. Every customer has a weakness somewhere, and bad actors will find and exploit those weaknesses.
According to Hiscox, an international specialist insurer, roughly a quarter (23%) of small businesses suffered at least one cyberattack in the past year. The average financial cost to a small business was more than $25,000.
The cyber insurance industry has grown in recent years. According to Insurance Business, what was a $7.8 billion industry in 2020 could grow to $20 billion by 2025.
While companies carry general liability and other more specialized insurance policies, many companies may not realize that those policies exclude cyber risks.
Given the increased risks, many traditional insurance policies now exclude cyber risks, so companies need a separate policy to safeguard against a possible cyber-attack or breach.
How does cyber insurance differ from regular insurance?
As ransom attacks and cyber security threats have intensified, insurance companies have changed their approach.
Cyber insurance protects businesses from Internet-based risks and from risks tied to information technology infrastructure and activity. Providers typically exclude these risks from traditional commercial general liability policies, or traditional insurance products may not define them at all.
As a result, insurance providers have developed cyber-specific policies, but many insurers will not just offer such a policy outright. Typically, companies must meet specific criteria to be eligible for coverage, and policyholders must maintain their eligibility annually.
Additionally, there may be specific dates when companies can renew their policies. While dates may vary from one insurance provider to another, key renewal dates for cyber insurance may include July 1 and August 1.
How can a company start the process?
Whether e-commerce, retail, state and local governments or professional services, every business needs cyber insurance. Many organizations may have IT professionals on staff, but they don’t necessarily have cyber security experts.
Increasingly, companies are aware of cyber risks as news accounts regularly highlight high-profile cyber-attacks. Unfortunately, many companies don’t realize how vulnerable they are until it is too late.
Companies must heed the warnings, stay abreast of the risks and proactively prepare.
The good news is that many are acting. About a third of U.S. companies have a standalone cyber insurance policy, according to the Hiscox Cyber Readiness Report 2021.
Insurance companies will require companies to secure a third-party assessment — a risk assessment or a cybersecurity gap assessment — to confirm they are doing the basic “blocking and tackling.”
Insurance providers may not cover all companies. They could deny coverage to companies that do not meet minimum standards to prepare for and defend against cyber threats. The specific standards may vary slightly by provider.
Cyber insurance coverage may include data destruction, extortion, theft, hacking and denial of service attacks. But the coverage extends beyond recovering a company’s infrastructure and could protect organizations against litigation and other liabilities.
Coverage could also indemnify companies for losses that others suffer from defamation or a failure to safeguard data. Other coverage benefits may include reimbursement for security audits, criminal rewards and investigation expenses.
The first step is to take action.
Many government agencies and industry associations have issued security frameworks, including the National Institute of Standards and Technology (NIST). These frameworks often include industry-specific standards, including the payment card industry (PCI), the Family Educational Rights and Privacy Act (FERPA) and the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
Increasingly, companies are worried about their computers and IT hardware, but it’s not their primary focus. These frameworks can be confusing, and many companies don’t know where to start the process, so they don’t act.
However, inaction is probably the biggest mistake a company can make.
Companies do not need to go it alone; they should partner with an expert who can help identify vulnerabilities and ensure their actions are effective and comprehensive. Companies can act to better position themselves to prepare for a cyberattack.
Credible third-party companies can conduct such an assessment and also offer many of the services that insurance companies want. These assessments may make companies eligible for cheaper premiums as an added benefit.
Companies serious about their organizational security should consider implementing multi-factor authentication (MFA), encrypted backups and endpoint detection and response (EDR), especially as hybrid work becomes the norm. But perhaps more than anything else, they should conduct regular security awareness training.
Nearly 90% of successful breaches are caused by human error. User training is essential to educate teams on proper cyber hygiene and on how to identify possible cyberattacks that they may encounter via email or on the web.
Companies should employ continuous training techniques to ensure cyber best practices stay top of mind, rather than training employees once or twice per year.
Acting does not require everyone to be a cybersecurity expert. They must start with the basics, such as a ransomware training program.
Conducting a gap assessment is an excellent way for companies to understand where to begin. Cybersecurity renewals are essential and require a third party to validate a company’s approach.
Many of the requirements for cybersecurity are best practices for business.
The world continues to become an even more dangerous place. Those who want to do harm will continue to evolve their methods, putting the onus on every business to similarly evolve its approach to prepare for the unseen dangers.
No one has a crystal ball to determine when or where an attack might happen. Luckily, every business has the power to control the most critical element of a cyber-attack: preparing their defense.
Acting is no longer a “nice-to-have.” Preparing defenses is a business imperative, and it needs to happen now.
What are you waiting for?
The post Preparing Business Defenses: How World Events Impact Us appeared first on ReadWrite.