Cybersecurity insurance is becoming scarce, but there’s a lot you can do to secure your business
If your business is looking for cybersecurity insurance, you may want to read the fine print when it’s time to renew your policy.
As with so many things today, the trend is toward paying a lot more and receiving a lot less.
Cybersecurity insurance premiums have risen dramatically in recent years. At the same time, major underwriters are beginning to place limits on coverage. A major driver behind these trends is a surge in insurance payouts, particularly for ransomware attacks.
A decade ago, organizations worried mainly about fines and identity-theft monitoring if they sustained a security incident like a data breach. However, ransomware is a much different animal. In these incidents, rather than copying and stealing data, attackers encrypt it, rendering it inaccessible until their desired ransom is paid. As such, the financial impact of incidents now follows hacker economics rather than more quantifiable factors.
But these aren’t the only dynamics shaping the cybersecurity landscape. Even before the Great Resignation, industry groups sounded the alarm about employee and skills shortages—and these gaps have only widened over the past two years. In the meantime, thanks mainly to COVID-19, the workforce has become more remote. That has shifted the weak link in corporate security to the quality of home networks, which are littered with dozens of devices—from the kids’ Xbox to the Internet-connected doorbell—that all can be points of compromise.
Thankfully, there is a silver lining inside all this change. The confluence of uncertain risk, labor shortage, and diminishing coverage is shifting the organizational mindset from insurance box-checking to instituting better security practices. Here are three things you can do to better secure your business:
- Adopt a Security Awareness program. As businesses follow the movement toward cloud computing and third-party services, the good news is that they no longer have to worry about housing hardware and other resources on-premises. At the same time, they are now getting what is typically an always-on, accessible-from-anywhere environment from service providers. The downside of this shift: the very inefficiency of the old on-premises network provided a modicum of security that has now dissipated. Today, in many cases, the only thing guarding the security of your resources is how well your employees exercise basic security practices, such as adopting strong passwords, identifying phishing emails, and maintaining control over their many devices.
- Monitor your vendors. Many businesses rely heavily on third-party vendors for a range of technology services. If you’re not already doing it, you should ask your vendor for a System and Organization Controls (SOC) report, particularly what’s referred to as SOC2. In a nutshell, this document affirms the service provider is meeting a standard for security. It’s akin to a CPA’s financial audit letter and should be part of your due diligence when dealing with any vendor who will be handling your data. One of the great problems small businesses face is “vendor lock-in,” where things like domain names, websites, network, and service passwords all reside with the vendor. Instead, these “keys to the kingdom” should reside with the business owner, and when vendors need access, they should create some sort of secondary or less-privileged account or access.
- Expand your own audit. Over the years, we have seen cybersecurity assume a greater role in external audits—but that is not universally the case. If your auditor isn’t checking for SOC reports or asking questions about how your data is being secured, you may want to get a new auditor. You’re likely already under a range of cybersecurity obligations due to your insurance policy, industry standards (such as those for processing credit cards), or state law. The time to find out you’re not in compliance isn’t after you or a vendor has had an incident—it’s before, so you can ensure that you have coverage and aren’t going to be subject to a regulatory fine.
While many people might believe their business isn’t a target for cyber attackers, the reality is the bad guys are fairly indiscriminate in their tactics. Think of a bank robber trying to find a getaway car: they’re going to try every car they see until they find one with the keys in it, and then they’ll use that vehicle to carry out a larger crime. Moreover, especially in the face of something like ransomware, no matter how much your business may be worth, your data likely is worth everything to your business. Soon the only insurance available may be how well you can prepare your employees and your business to meet the cybersecurity challenge.