Risk exposure to cyber-attacks is increasing due to several factors, such as economic unrest, war and simply the growing number of malicious actors.
Russia’s aggression against Ukraine has brought with it a more significant threat to the computer networks of companies in the United States. U.S.-based organizations have been experiencing increasing attacks from hackers looking to steal data, operating either as rogue criminal organizations or in league with state-sponsored intelligence operations in North Korea, China, and other rogue regimes. Ironically, Ukraine has long been known to be home to some of the most lethal hacking organizations globally. Russia is now looking to disrupt the U.S. economy in any way it can, including attacking the computer systems of businesses and other organizations.
The attackers’ intent is also changing: from stealing data to sell, to holding data for ransom, to now simply destroying your data because they can.
Previously, businesses had to contend with the possibility of data being stolen and sold on the dark web or to criminal organizations, which would use the stolen data to open new credit accounts and buy goods to resell for cash or keep. That has now evolved into hackers simply blocking companies’ access to their data and holding it for ransom in what have been labeled ransomware attacks. Even more concerning is the threat of infiltrators not interested in monetary gain but simply in destroying data to harm the attacked organization.
The target isn’t just Fortune 500 companies, defense contractors, and utilities; it’s small to mid-size businesses.
Previously, hackers went after large businesses because they held the most valuable data to steal, in terms of the sheer volume of credit card numbers and other information that could be converted into money. As those targets have become more hardened with the advent of better cyber-security software and best practices, the threat has moved to smaller businesses that do not have the same level of protection and hence are soft targets.
“Fighting cyber-crime is just like fighting terrorism in a way,” said Greg Scasny, chief technology officer with Blueshift Cybersecurity, Inc. “The security systems and those who manage them have to be right all the time to protect the company or other organization, and the hackers only have to get lucky once, and the damage is done.”
The rules are changing – the Federal Trade Commission (FTC) is adding to a business’ responsibilities for protecting consumer data.
The updated Final Safeguards Rule (the “Final Rule”) is the FTC’s latest measure against increasing cyberattacks, containing new requirements and definitions for institutions to develop, implement and maintain comprehensive security programs to secure consumer information. In the same announcement, the FTC also released a notice of proposed rulemaking (NPRM) that would require certain cybersecurity events to be reported to the FTC. More recently, the FTC has also implemented similar rules concerning companies that keep health-related information.
Business liability for damage is also expanding at a time when the threat is growing.
“It used to be that if you had a security breach, you would notify your customers, tell them to monitor their credit sources and get back to you if they noticed any unusual activity. It’s no longer that simple, and it is going to be significantly more costly,” said James Kennedy, chief executive officer of Kennedy Intelligent Data (KID), a strategic partner with Blueshift. “The new measures make the company responsible for hiring a lawyer to report the breach to the FTC, FBI and other agencies; issuing not just emails but certified letters and other means of communication to all customers whose data may have been compromised; and even paying for credit monitoring services for those customers.”
Kennedy continued, “Those costs can multiply quickly and be easily in the tens of thousands and even hundreds of thousands of dollars for a business such as a mid-sized auto dealership or online retailer.”
Only a tiny percentage of U.S. businesses carry cyber insurance to protect against liability in case of an attack.
According to www.AdvisorSmith.com, only 17% of companies in the U.S. have cyber-attack insurance, and many of those businesses buy insurance only after they have been attacked.
Riverside-based business insurance expert Tim Kolacz with HUB International says that number may be too high.
“I don’t know exactly what size companies they are talking about, but I would bet that less than ten percent of the companies in the U.S. have cyber insurance and that most that do are vast Fortune 500-sized organizations,” he said.
Cyber insurance is getting more expensive and more complicated to get. A few years ago, the process to insure your business against cybercrime was simple: insurance companies assessed the risk based on the amount of data you held that could be breached, and a formula gave them a number for the premium. Not anymore. To qualify to be insured, an organization must meet the standard set by the insurance carrier, and its defensive measures face increased scrutiny before cybercrime insurance is issued.
“It used to be, even a year and a half ago, that the standard was pretty low. We made sure the system had firewalls, that passwords were necessary to access sensitive parts of the network and that they must change them every ninety days, and then it was, ok, you qualify,” said Kolacz. “Now we, the insurer, go in and do stress tests on your cyber security, and if you don’t score at least eighty percent on the test, you are not getting insurance.”
Businesses can also expect higher insurance premiums due to the rising threat. The increased risk is driving up the cost of insurance at the very time that qualifying for insurance at all is becoming increasingly difficult, squeezing businesses between the two imperatives: a company needs to pay to be protected, and to be insured in case that protection fails.
Expect a denial of claims if you don’t follow the rules.
Even if a business manages to qualify for insurance and has proper cyber-security measures in place, it can still face staggering losses if it does not follow its own security program.
“If a company has a loss due to cybercrime, we are (the insurer) going to investigate how that happened, and if we find you circumvented your own rules and opened the door for the theft, you will not be covered,” Kolacz said.
What does a small to mid-sized business do?
“Organizations that have sensitive data, which is just about every business at one level or another, have to protect that data. They have a legal necessity to do so according to the federal government, so it isn’t something they can ignore or wish away anymore,” said Kennedy. “They will have to find a solution, and that just might be finding a way to combine powerful security at an affordable price that also lowers their premiums.”
There is a solution – enterprise-level security combined with insurance will provide the protection a business needs while bringing the premiums down.
Companies like Blueshift Cybersecurity that program and manage data security programs are bringing the costs down so that smaller businesses can afford enterprise-level protection that meets the modern standard.
“We have to get businesses away from the mindset of threat protection and in the direction of threat detection and elimination,” Scasny said. “The assumption now is that your security will be breached, and you need a team that is watching for those indicators, 24/7, 365, so that when a threat appears, we can identify and eliminate it before any real damage is done.”
Although the idea that a business would have a live team of cyber-protectors always on watch and ready to eliminate threats might seem dauntingly expensive, the cost is coming down radically because of scalability and the use of open-source cyber-defense tools. The price of protection depends on the number of devices used to access the system and can be surprisingly affordable in many cases.
“We have some micro-security bundles, so-called because they are designed for smaller organizations, say a company with 25 or fewer devices. We can offer them a complete cyber-security package for $2,500 a year – not a month – a year,” said Kennedy.
Businesses need to be protected from threats and insured against losses. By having the latest security measures in place, a company can defend its data and, at the same time, lower the premiums it pays for insuring that data.
“If a company that is looking for insurance has this type of cyber-security in place, it could cut their premiums by thirty to fifty percent,” said Kolacz. “Which means essentially they are getting the security for free and reducing their insurance cost at the same time.”
That should be music to a business’ ears in a world shrieking with cyber-threats.