A range of factors, driven partly by the COVID-19 pandemic, accelerated by the work from home (WFH) trend and exacerbated by the Russia-Ukraine conflict, has caused midmarket organizations to ramp up their security defenses and protect corporate assets with cyber insurance in the event of a successful attack.
Like other insurance categories, cyber insurance offers data breach insurance that helps a company recover from data loss due to criminally encrypted data, cyber theft, a network outage, or other IT interruptions caused by ransomware, malware, or other cyber variants targeting the business.
Attacks on larger businesses and midsize organizations are increasing, resulting in significant financial losses caused by operational downtime and reduced revenues due to system outages. These attacks have also damaged reputations and resulted in rising costs due to investigations, remedies and other fees or penalties tied to compliance violations resulting from such attacks.
With cyber insurance, these businesses can protect themselves from financial losses by not having to pay reparations to criminal entities due to cyber extortion. It also allows companies to be compensated for lost business opportunities and remediation of lost or damaged digital assets.
There is no doubt cyber insurance is a must-have in today’s business climate, but it does come with a cost. The expensive premiums are often due to the high compensation required when these attacks occur. Companies in certain verticals, such as financial services and healthcare, often pay even higher premiums because of the large volume of PII (personally identifiable information) they hold, which is targeted by the most aggressive ransomware and other malware variants.
According to Jeff Meyers, VP of Operations for Meyers Glaros, an Indiana-based insurance firm and provider of cybersecurity insurance, “The cybersecurity threat is something that hangs over every company in America, but more recently has been impacting midsize businesses. While cybersecurity insurance is the new normal for risk-averse organizations, the monthly premiums can be tempered significantly by implementing the appropriate processes and procedures, employee training and robust security infrastructure to defend the organization.”
The first step to reducing cyber insurance premiums is to conduct a security audit assessing which digital assets and physical operations may be impacted by an attack. High-value and sensitive data rank first in these audits: financial data, customer information, employee records, intellectual property (IP) such as solution designs and architectures, proprietary processes, strategic plans and more. Once the audit is complete, the calculation of insurance needs can be based on this newly obtained information, which determines the potential financial risk and anticipated recovery costs.
The next several steps involve soliciting a managed service provider specializing in secure solution delivery. This includes service providers capable of conducting scheduled penetration testing; business-wide password implementation, monitoring and management; end-to-end encryption of personally identifiable information (PII); deployment of zero trust infrastructure to control access to sensitive data, as well as a full suite of defensive security solutions layered across the managed IT environment.
Key solutions and processes many insurers suggest implementing to reduce premiums include:
- Strong email security: Despite popular belief, email is not a secure form of communication, and every organization should use caution when sending or verifying sensitive information by email.
- Multi-factor authentication: MFA immediately increases account security by requiring multiple forms of verification to prove your identity when signing into an application. Start with email, then apply MFA everywhere it’s available.
- Full data backups: A full data backup can mean the difference between a complete loss and a complete recovery after a ransomware attack. Develop a strategy tailored to the business.
- Secure remote access: Remote work is more necessary than ever before, which means workers are no longer in controlled work environments. Instead, they are often given access to company resources remotely. When remote access is allowed, the organization takes on additional risks.
- Regular software updates/patching: All software presents at least some risk to the organization. Cybercriminals look for known vulnerabilities, and regular software updates and patching close those vulnerabilities before they can be exploited.
- Use of a password manager: Password managers help keep track of multiple passwords and generate new ones at random. They are essentially an encrypted vault for storing passwords that are protected by one master password. These master passwords act as ‘keys to the kingdom’ and should be heavily protected.
- Malicious software scanner: Endpoint detection and response (EDR) tools (including traditional antivirus and anti-malware software) detect, identify and help prevent advanced cyber threats on the endpoint.
- Data encryption: Encryption is a process that renders data inaccessible to bad actors who manage to steal it unless they possess the key required to access it. If your data is not encrypted and you lose a device, your organization may face a data breach and all of the legal, regulatory, and notification costs that come with it.
- Security awareness training: 60% of claims are the result of human error. This can be avoided by creating a culture of cyber risk awareness that holds everyone accountable.
- Oversight by a managed IT help desk: Insurance providers understand that attacks occur at all hours of the day and night. A 24/7/365 help desk monitors security infrastructure and can take action immediately once an attack is detected.
With the combination of secure managed IT services and the right cybersecurity insurance provider, organizations can significantly reduce the threat of serious business and financial impact caused by a successful cyberattack. With critical IT systems, data and processes in a hardened defensive position, insurance premiums can be made much more affordable while still offering all-encompassing protection against the criminal threat actor’s incessant flood of attacks. Even more important, with a secure managed services contract in place, successful attacks are made incredibly difficult for even the most experienced cyber villains — dramatically reducing the risk profile of the organization.