Five Factors to Manage Your Business’s Cyber Risk

Topics: Cyber Liability

Summary: Cyber attacks can impact a business in many ways from loss of business and personal data to productivity to reputation. Having cyber insurance coverage is important to protect your business, however, so is having a strong cybersecurity risk management program. Sally Li, Vice President of Cyber at AmTrust shares five ways to manage your business's cyber risk.

Five Factors to Manage Your Business' Cyber Risks

Sally Li, Vice President of Cyber at AmTrust Financial

Cyber insurance is an essential part of any business’s approach to managing risk, but a cyber risk management strategy goes beyond just having insurance. Commercial life has rapidly evolved to become more reliant on digital operations to automate activities, expand distribution, improve responsiveness, and make products and services more easily accessible. The benefits of a digital economy also create new risks. Cyber incidents and attacks on businesses’ networks can bring operations to a halt, interfere with supply chain and vendor relationships, put critical business data and customer information at risk, result in stolen funds, give rise to fines and legal liability, and have a potentially catastrophic impact on reputations and future business prospects. With many companies transitioning to a remote or hybrid operational model due to the COVID-19 pandemic, cyber-related risks to their business are also increasing.

Manage Threats and Risks to Your Cybersecurity

Here are five considerations in managing your business’s cyber risk.

Engage with a Service Provider

Companies use a variety of third-party providers for web hosting, data hosting, e-commerce, email and firewalls, to name a few. Whether they are application-specific service providers (ASPs) or offer a broader range of services such as Managed Service Providers (MSPs) or Managed Security Service Providers (MSSPs), these providers should understand how their clients do business and the associated cyber risk. Their service and product offerings should include an integrated, right-sized approach to cyber security that responds to their clients’ practical needs. As a small business owner, you can’t be expected to understand every aspect of your business’s cyber risk or how to deal with it, so you need partners who understand the technology that you use, how you use it, and what needs to be done to make your business more secure. If you rely on others to provide and manage your technology, you should also consider them security partners. Small business owners don’t have to be cybersecurity experts, but you need to have knowledgeable partners who will help you understand it.

There are basic and simple technologies that a small business can put in place to increase its cyber security preparedness. For example, you should make sure that you have a regular conversation with your MSP around security. The discussion can include simple measures such as:

Multi-factor Authentication: To access a system or an account, a user must provide two or more verification factors (multi-factor authentication or ‘MFA’), which reduces the likelihood that a remote attacker can gain unauthorized access with a stolen password alone. An example of this is remote employees having to present a second factor when they log in to the work network through a VPN. Using MFA for email accounts can be essential to reducing business email compromises and minimizing the chance of successful misdirected-funds events.

Patching: It is imperative to patch as soon as possible. A weekly patching schedule can greatly reduce the chance of a device vulnerability being available to exploit. A perfect example is the Microsoft Exchange Server vulnerability from 2021: to this day we see many claims come in because an improperly patched device was exploited. Log4j is another zero-day event that requires patching and is currently being exploited by Conti ransomware.

SSL Encrypted Websites: SSL (and its modern successor, TLS) is the protocol that lets a web browser authenticate the website it is talking to and encrypt the data sent between them over the internet. This protects users on the website by ensuring that no one besides the user and the website can see or access the information being entered.

Encrypted Data: Sensitive data should be encrypted. This includes personal information, account access information, financial data or any type of confidential information. The idea behind encryption is that only people with the proper credentials have access to a decryption key or password and can read the data, so if an unauthorized user or hacker gains access to encrypted data, they would not be able to read it. Encrypting sensitive data at rest is a great way to reduce risk and can potentially keep a company from needing to notify clients if their data remained unreadable to the hacker during a breach event.

Email Authentication: Domain-based Message Authentication, Reporting & Conformance (DMARC) is an email authentication, policy and reporting protocol that helps protect your business against fraudulent email and can help give others confidence that the emails you send are legitimate. This configuration is free and can be done by a reputable technology service provider. DMARC is usually used in conjunction with DomainKeys Identified Mail (DKIM) and Sender Policy Framework (SPF), which are tools that can be deployed to protect against spam or phishing attacks.
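The DMARC and SPF settings described above are published as DNS TXT records, and the most common weakness is not a missing record but a record that is present yet does nothing (a DMARC policy of `p=none`, or an SPF record ending in `+all`). As an added example, not code from the article or from AmTrust, the following Python checks the text of such records for the settings a small business should ask its provider about. The records it inspects are constructed sample strings using example.com placeholders; in practice the text would come from a DNS lookup of `_dmarc.<your-domain>` and of the domain itself.

```python
import re

# Constructed sample records (example.com placeholders, not a real domain's DNS).
SAMPLE_DMARC_STRONG = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com; adkim=s; aspf=s"
SAMPLE_DMARC_WEAK = "v=DMARC1; p=none"
SAMPLE_SPF_STRONG = "v=spf1 mx include:_spf.example.net -all"
SAMPLE_SPF_WEAK = "v=spf1 a mx +all"

# SPF mechanisms and modifiers that each cost a DNS lookup (RFC 7208 caps these at 10).
_LOOKUP_TERM = re.compile(r"^[+\-~?]?(include|a|mx|ptr|exists)(:|$|/)", re.IGNORECASE)


def parse_dmarc(record: str) -> dict:
    """Split a DMARC TXT record into its tag=value pairs; raise on a malformed record."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed DMARC tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("record does not start with v=DMARC1")
    return tags


def assess_dmarc(record: str) -> list:
    """Return human-readable findings; an empty list means the record enforces a policy."""
    findings = []
    tags = parse_dmarc(record)
    policy = tags.get("p")
    if policy is None:
        findings.append("missing p= tag: receivers will ignore the record")
    elif policy.lower() == "none":
        findings.append("p=none: monitoring only, spoofed mail is still delivered")
    elif policy.lower() == "quarantine":
        findings.append("p=quarantine: spoofed mail lands in spam rather than being rejected")
    if "rua" not in tags:
        findings.append("no rua= address: you receive no reports of who is sending as your domain")
    pct = tags.get("pct", "100")
    if pct != "100":
        findings.append(f"pct={pct}: the policy is applied to only {pct}% of failing mail")
    return findings


def assess_spf(record: str) -> list:
    """Return findings for an SPF TXT record; an empty list means a hard-fail policy."""
    findings = []
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("record does not start with v=spf1")
    mechanisms = terms[1:]
    last = mechanisms[-1].lower() if mechanisms else ""
    if last in ("+all", "all"):
        findings.append("'+all': any host on the internet may send mail as this domain")
    elif last == "?all":
        findings.append("'?all': neutral result, receivers treat it as no policy")
    elif last == "~all":
        findings.append("'~all': softfail, many receivers still deliver the message")
    elif last != "-all":
        findings.append("no terminating 'all' mechanism: unlisted senders get a neutral result")
    lookups = sum(1 for m in mechanisms
                  if _LOOKUP_TERM.match(m) or m.lower().startswith("redirect="))
    if lookups > 10:
        findings.append(f"{lookups} DNS-lookup terms: SPF evaluation will fail with permerror")
    return findings


if __name__ == "__main__":
    for name, rec in [("strong DMARC", SAMPLE_DMARC_STRONG), ("weak DMARC", SAMPLE_DMARC_WEAK)]:
        print(name, "->", assess_dmarc(rec) or ["ok"])
    for name, rec in [("strong SPF", SAMPLE_SPF_STRONG), ("weak SPF", SAMPLE_SPF_WEAK)]:
        print(name, "->", assess_spf(rec) or ["ok"])
```

The findings map directly onto the conversation to have with an MSP: move DMARC from `p=none` to `p=quarantine` and then `p=reject` once the aggregate reports show only legitimate senders, and make sure SPF ends in `-all`.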

Properly Configured Remote Desktop Protocol: It is common for businesses to allow employees to connect to their work environment remotely, and the technical standard that allows for remote connectivity is called Remote Desktop Protocol (RDP). Businesses benefit from RDP in that it allows employees flexibility in how and where they can work, but if it is not properly configured, unauthorized users can also access the environment. In fact, RDP is one of the most common ways for bad actors to access businesses’ IT environments. Because RDP is so widely used to attack companies, its proper configuration should be high on the list for any business that wants to protect itself against cyber threats. As with DMARC/DKIM/SPF for email security, RDP can easily be configured by any reputable technology provider.

Employee Cybersecurity Education and Training

Cyber risk is not just a technology risk. At its core, it is an operational risk; therefore, employee cybersecurity education and training are critical. Businesses should consider offering ongoing training to ensure all employees are consistently updated about potential risks and how to recognize and avoid them. Employees should be aware of common cyber dangers such as phishing attacks, malware and ransomware, how they are likely to be delivered, and the simple practices and behaviors that can reduce the likelihood that they will present a serious problem for your networks and systems. Even requiring employees to create complex passwords (i.e., not ‘p@ssw0rd’ or ‘john1234’), regularly changing them in random ways, and encouraging the use of reputable third-party password generators to assist with randomness and complexity can greatly enhance your business’s cyber security.


Identify Processes That Are Essential to Conducting Business

It is vital for small business owners to fully understand how their organization operates and the everyday risks and vulnerabilities they may face. For example, business owners should be able to recognize the key activities and processes done online and through technology that are essential to conducting their business, such as:
  • Online connectivity with customers
  • Connectivity to key suppliers
  • Point of sale (POS) capabilities
  • Accounting/billing
  • Logistics (shipping, scheduling, etc.)

Bad things often happen when you least expect them. Larger organizations devote significant resources to planning for when bad cyber things happen, including taking regular inventory of data, software and hardware assets; conducting business impact analyses to understand how the business may be impacted in the event of a cyber incident; and creating and regularly testing incident response plans and disaster recovery plans. Small businesses have fewer resources, but they should regularly ask themselves the following questions:
  • What are the consequences if one of the systems you rely on falls victim to a cyber attack or is disabled?
  • Does your company have a backup plan to continue operating when specific systems are down?
  • What are the procedures to get the infrastructure back up and running again?
  • Who are your key partners in preventing, responding to and recovering from a cyber incident?

Create a Data Breach Policy

Based on the type of analysis described above, businesses should also have a plan or data breach policy to allow for continued operations and recovery of functions within a predetermined period after an incident. Just as the coronavirus shutdowns in March 2020 forced many businesses to quickly establish plans for operating remotely, cyber incident response and recovery plans should be created in partnership with employees, MSPs and other key vendors and stakeholders. These plans should be reviewed regularly to ensure that they are current.

A business continuity plan should go along with a data breach or cyber incident response plan, which helps businesses appropriately respond to a cybersecurity attack by providing the necessary steps in a straightforward, documented manner. Make sure to work with your key partners to customize the details in the data breach policy to your organization and systems.

Purchase Cyber Insurance

Cyber insurance is a must-have given your business’s risk exposure. It is another component of your incident response plan and an important part of your business’s success. Your insurer should be a crucial part of your incident response plan and should be involved early on after an incident occurs. Cyber insurance helps protect small businesses from some of the costs associated with various cybersecurity attacks, but perhaps more importantly, your insurer can be a valuable partner in helping you navigate what is almost always a stressful and unfamiliar situation. Common services covered under cyber insurance policies include digital forensics, data recreation, legal analysis of regulatory, federal or contractual obligations, notification of affected individuals, credit monitoring, public relations and risk mitigation resources.

Every company has to deal with cyber risk, but these are examples of simple things any small business can do to lessen the likelihood of a cyber incident severely impacting their operations and data.

About AmTrust Financial Services

AmTrust Financial Services is a niche specialty property and casualty insurance company with nearly 6,000 employees worldwide. We have grown to become an industry-leading insurance provider, focusing on small business insurance solutions including Workers’ Compensation, BOP, Package, Cyber and EPLI. We are a top warranty writer in the United States, and help international businesses manage a number of risks such as Medical Malpractice, Professional Indemnity, Property, Legal and Health. AmTrust currently has a Financial Strength Rating of “A-” (Excellent) with a Stable outlook and a Financial Size of “XV” by AM Best.

Sally Li is VP, Head of Cyber Underwriting at AmTrust. She leads the commercial underwriting and growth efforts for large risk accounts. She was previously a VP at Marsh, specializing in providing cyber solutions for financial institution clients.

This material is for informational purposes only and is not legal or business advice. Neither AmTrust Financial Services, Inc. nor any of its subsidiaries or affiliates represents or warrants that the information contained herein is appropriate or suitable for any specific business or legal purpose. Readers seeking resolution of specific questions should consult their business and/or legal advisors. Coverages may vary by location. Contact your local RSM for more information.
