Developing a Cyber Secure Mindset for Your Business

October 26, 2022 | October 27th, 2022 | Business Insurance

Jake was a profitable small business owner for many years. Recently, however, Jake has been unable to grow his business because he was the target of a cyber-attack. He had heard of these incidents in the past whenever a large company’s data breach made headline news, or when speaking with his risk advisor, but he never thought he would be a hacker’s next target. And, because he turned down cyber liability coverage, his business operations have all but frozen as he navigates the complex world of data forensics, attempts to recover lost data from backups, and contacts past clients from the limited mailing lists he still has on hand. His total cost of risk has skyrocketed from legal fees, lost production, IT support, and employee wages while he attempts to keep staff employed during this difficult time. For Jake, it was too late to consider best practices for cyber risk management.

Unfortunately, Jake’s story is not uncommon. Last year, 41% of all cyber attacks were against small and medium-sized business owners. That’s why we sat down with cyber specialist Javier Gonzolez, Vice President of Sales at PL Risk, to discuss tactics and strategies that you can use to protect your data from a cyber breach.

GMG Insurance: Javier, you have worked with organizations of all shapes and sizes to make sure they have the policies and procedures in place to mitigate a cyber breach event. How has the cyber landscape changed over the past few months or years?

Javier Gonzolez:

A lot has changed over the past few years. This goes from overall network security, investments in personnel and training, to just overall improved “security hygiene.” Cyber liability insurance is no longer a nice-to-have coverage for business owners, it’s a must-have coverage. You can do all the right things, or believe you’ve done all the things to protect your business, but nothing’s perfect.

From a carrier perspective, carriers have a lot more claims data, so they are adjusting their insurance premiums to be more in line with their losses.  Five, six years ago, carriers were working with little available data which got everyone excited about cyber coverage. Now there are trends, data, and loss experiences.  So there is smarter underwriting due to the claims and the data associated with those losses.

These losses are also allowing carriers to drill down to the root cause of the breaches, then enforce stricter underwriting guidelines for business owners. We are also seeing carriers offer coverage for premiums more in line with the losses they expect to see.

GMG: What are some common myths that you’ve come across when working with small and medium-sized business owners when it comes to cyber risk management?

Javier Gonzolez:

A lot of clients say, “I can’t afford to have these measures in place.” Well, I respond that you can’t afford not to anymore. That’s pretty apparent because many businesses nearly close down when the breach is severe enough and the data is permanently lost.

Another myth is that it “won’t happen to me.” Well, small and medium-sized businesses do get hacked. Their network security is less complex. Larger organizations have the human and monetary capital to upgrade their network security, making it harder for these bad actors to get into their systems and exfiltrate data or to manipulate certain parts of the system. So the easier target is the small and medium-sized organizations that have not invested the time and energy to improve their network security.

There’s another myth that “I use the cloud, or I’ve got vendors who are 800-pound gorillas, and they’re going to take care of me in any event of a breach.” This can’t be farther from the truth. If you are the original receiver when collecting personal identifiable information or personal health information, and their information was compromised, you are responsible for that information regardless of what vendor or back-office administration team you are giving that information to. So, if you have your information in the cloud and that information is lost by the cloud provider, you’re still responsible for notifying individuals.

GMG: What are some of the things that carriers are expecting of a small or medium-sized business in terms of their protocols towards protecting data?

Javier Gonzolez:

When we started rocking and rolling with cyber probably close to 10 years ago, we jumped into the space thinking it was going to take off really quickly, and it’s going to be a very lucrative opportunity for us. But it just wasn’t, it took a very long time for things to come full circle. In the past, call it seven or eight years ago, the application process was a 12-page application and the carriers quickly learned that it was just too much. It was too complex. Nobody was completing that. So they quickly went down to a one-page questionnaire to provide a bindable quote for the right organizations.

Now you fast forward two or three, four years later, we’re back to a 12-page application, if not more. You also have multiple supplements for ransom and business interruption and things of that nature. So general underwriters are very keen on what the root cause of the loss is, what measures can be put in place by these organizations to prevent such a loss, and how to protect vulnerable entry points. And they want to make sure you have done those things too.

There are several leading indicators that demonstrate to a carrier that the organization is serious about cyber risk management:

  1. They look at things like multi-factor authentication (MFA). And even with MFA, carriers want to know: Where within your environment do you have MFA? Is it for your email access? Remote access? Access to privileged accounts? Your backups? Etc.
  2. Endpoint Detection Response (EDR) is another one. But again, what percentage of your environment is it deployed to?
  3. Finally, if there is a potential breach, is someone monitoring that within the organization, or is it done externally by a third party 24/7?

These are all things you need to pay attention to as a business owner.

GMG: What final recommendations do you have for business owners to help them better manage this risk issue?

Javier Gonzolez:

I can’t think of an organization that shouldn’t have some element of cybersecurity insurance in place.

Thinking about the types of information being scraped by hackers, it ranges from credit card information to just people getting locked out of their environments. And, going back to the myths we spoke about earlier, some business owners tell me, “I don’t collect a lot of personal identifiable information (PII). I just have my employees’ W-2s, which have their social security numbers.”

My response is, “If your systems were locked up, how much loss of business income would that be for you?”

Secondly, have a dedicated staff or committee responsible for understanding cybersecurity prevention and awareness within the organization.

Third, periodically audit which vendors you rely on for your network security. Who are the vendors, what’s the software that they’re pushing for you to utilize? And how effective is it in the event of a cyber-attack?

You want to know that you are investing in the latest cybersecurity prevention software for things like EDR and MFA.

Finally, continue to invest in your network security and test it. A lot of people say, “Look what I’ve implemented in the last six months or 12 months, because you told me I had to.” Which is great, but you also need to test it to ensure it works as expected should a breach occur.

With no signs of cyber attacks slowing against small and medium-sized businesses, it’s important that you consider your own IT infrastructure to ensure you’re protected against any current or future threats. Consider contacting a GMG risk advisor to learn more about how you can ensure you’re addressing this growing risk issue head on.

Additional resources:

See the full interview by clicking here.

Learn more about who these cyber hackers are, and what happens in the event of a breach by clicking here.

Contact a GMG Insurance risk advisor to receive a complimentary cyber risk analysis by clicking here.
