Although businesses today are becoming more aware and familiar with the increasing need to protect their IT (Information Technology) systems and data there remains a common misconception among small and medium businesses that they are not a target because they either are too small to notice, or they do not possess any non-public personal information that a bad actor would want to steal and sell on the dark web. The fact is that attacks are increasing in frequency and sophistication. With the increase, a growing contingent of entities is now joining to pressure businesses to increase their security posture. The following list includes the top examples
1. Bad Actors
As notated above, cyberattacks are increasing in frequency and sophistication. Bad Actors are executing more phishing attempts to compromise credentials, compromise business email accounts, and launch ransomware attacks. The likelihood of when an attack will occur continues to increase and the time between attempts is shrinking. In the 2020 Ponemon Institute, Cybersecurity in the Remote Work Era: A Global Risk Report several concerning statistics were presented including.
- 56% of respondents faced credential theft attacks
- 48% of respondents experienced phishing/social engineering attacks
- 58% of workers now work remote compared to 22% pre-Covid-19.
- Respondents rated their security at 44% effectiveness compared to 71% pre-Covid-19
- 42% of respondents say their organizations have no understanding how to protect against cyberattacks due to remote working.
2. Insurance Carriers
Cyber insurance is often used as a backstop, recovery method to provide resources for the resolution to cyberattacks and allow businesses to resume providing goods and services. Insurance often provides for incident response, cleaning up the incident, ransomware negotiation and payment, forensics, victim notification, legal defense, and government fines. With the current increase in cybercrime and the related losses many insurance companies are putting in place recommendations and requirements related to IT. These often come in terms of an IT risk assessment survey at the time of a new or renewed policy. There are trends where companies are not insurable or being renewed based on the surveys submitted and claims have been denied or limited based on a company not adhering to cybersecurity guidelines.
While not common in the business-to-consumer (B2C) space, there are increases in requirements from customers in the business-to-business space (B2B).
Threats to supply chain delivery in terms of goods and services, protection of intellectual property, and protection of customer IT systems that are tied to vendors are the drivers of these requirements. Customers want to know that there is stability in their supply chain and minimal risk to their business due to a cyber incident. Like insurance carriers, large customers are presenting IT risk assessment surveys as part of their contracting process or a regularly scheduled review. Often in the B2B space there are additional requirements for collaboration on incident response plans as well as proof of an annual security risk assessment including vulnerability scanning.
As cyber incidents continue to rise in frequency and complexity, we expect more B2B customers will look to use assessments and incident response plans to understand their risk in doing business with their vendors.
4. Government and Industry Regulation
Recent news events regarding Colonial Pipeline and JBS Meat are bringing about an increased interest by the federal government to become more involved in cybersecurity. These attacks on the supply chain along with attacks on government IT systems including schools, utilities, US Treasury, US Congress and the Internal Revenue Service are leading to increased oversight.
All fifty states currently have privacy and cyber security laws in place that companies must follow. These trends will continue to expand in the coming years.
Industry groups are also increasingly publishing cybersecurity standards to their members and in certain instances enforcing them. PCI (Payment Card Industry), FINRA (Financial Industry Regulatory Authority), ALTA (American Land Title Authority), ABA (American Bar Association) are just several examples of industries that are publishing cybersecurity guidelines for members and including the topic in annual conferences and newsletters.
Unfortunately, personal, or secondhand experience with a cyber incident is often the wakeup call but at this point it may be too late based on severity.
In conclusion, the first step is recognizing that this can happen regardless of company size or industry, and it is no longer an issue of “if,” but “when.” Each of the above items can cause an organization to adopt a cybersecurity plan but it is best to act prior to an incident. Start by understanding trends and threats of bad actors, researching government, or industry requirements, have a conversation with your agent about what insurance covers, more importantly does not cover and what could cause a claim to be denied, and talk with customers about concerns they have with your security posture. Implementing a cybersecurity plan like most goals is met by taking small, incremental steps.
Scott Cooper is the President of Tower 23 IT, an IT outsource solution for small to medium businesses specializing in protecting client health and financial data to meet privacy, compliance and security requirements in the healthcare, legal, financial, real estate, and insurance industries. Scott can be reached at scottc@Tower23IT.com or 858.877.6219.