Ginni Rometty, CEO and President of IBM, addressed a Security Summit in New York City in 2015 where she referred to data as the phenomenon of our time. She went on to describe data as the world’s newest natural resource and a transformational entity that creates competitive advantages for those who understand how to cultivate it. She then concluded that because of the heightened prominence of data, “cyber crime, by definition, is the greatest threat to every profession, every industry and every company in the world.”
Cybercrime Affects Businesses of all Shapes and Sizes
How do you know if your business is at risk of cyber crime? If your business stores data that cyber criminals want, then your business is at risk. Hackers don’t necessarily target businesses with the most valuable data. According to the Department of Homeland Security, the majority of cybercriminals are indiscriminate and simply probe business networks and defenses to find vulnerable attack surfaces that they can exploit. They target these vulnerable systems whether they belong to a Fortune 500 company or to a locally owned small-town retailer. While data breach incidents involving the largest businesses such as Yahoo, Target and Equifax dominate the headlines, businesses of all sizes continue to experience the wrath of today’s cyber criminal.
According to Verizon’s 2018 Data Breach Investigations Report, 58 percent of all cyber attacks targeted small businesses last year. The principle is the same as it is in the school playground: bullies pick on those least able to defend themselves. SMB organizations are simply easier to penetrate and exploit. According to a Congressional report in 2017, approximately 14 million businesses were hacked over a 12-month period. At the same time, however, a 2017 survey showed that 87 percent of small business owners don’t think they are at risk. This is unfortunate, as 60 percent of small companies are unable to sustain their businesses more than six months after a cyber attack, according to the U.S. National Cyber Security Alliance (NCSA). As troubling as this statistic may be, it may only get worse with time. According to the Ponemon 2017 State of Cybersecurity in SMBs, 60 percent of small businesses report that cyber attacks are becoming more severe and more sophisticated.
Expect the Unexpected
Every organization thinks a cyber attack won’t happen to them, until one day it does, and the costs of dealing with its aftermath are overwhelming, especially for SMBs. In June of 2016, Athens Orthopedic (AOC), located in Georgia, suffered a breach at the hands of a hacking group called The Dark Overlord. The cyber criminals obtained 300,000 patient records in the breach and demanded a dollar per record for their return. The breach occurred through a VPN connection using the log-in credentials of a third-party healthcare vendor. Two other customers of the vendor were also compromised. The FBI and the Georgia Bureau of Investigation were brought in. The manager of AOC issued a letter to patients two months later informing them that the company lacked the funds to provide credit monitoring, a service often provided by large corporations during a breach. Two law firms began a class action suit, and a third-party security audit firm was brought in to assess AOC’s security at a cost of well over $100,000.
Another example of a smaller business being targeted is the data breach incurred by Jason’s Deli at the start of 2018. The restaurant chain has 275 locations and was notified by payment processors that payment card information acquired from Jason’s Deli records was being sold on the Dark Web. The company was unaware of any breach. An internal investigation showed that nearly 2 million cards may have been involved. The Jason’s Deli breach shows that a single phone call can dramatically impact your organization.
The Need for Cyber Liability Insurance
There are a number of key elements a company needs in order to have sustained success. It needs a product or service that customers are willing to pay for, as well as a comprehensive strategy to reach those customers. A company can have the greatest product in the world, yet fail overnight due to an unforeseen disaster or event. That is why it needs insurance to protect itself from risk. Traditionally this has entailed professional liability insurance, property insurance, workers’ compensation insurance and vehicle insurance. If your company is connected to the digital world today and hosts personal data, you need cyber liability insurance as well. In the same way that you purchase insurance to protect your company against the cost of malpractice or negligence in your company’s services, you need cyber liability insurance to help you recover from a cyber attack.
Because it only takes a single improperly secured device within your enterprise or an unprotected edge device, it is impossible to eliminate cyber risk. In the same way that homeowners buy fire insurance because it is impossible to fully protect against fire, C-level executives and small business owners alike are recognizing the need for cyber liability insurance. The U.S. market for cyber insurance grew 32 percent year over year in 2017 to $1.8 billion, and the number of cyber claims increased in 2017 to 9,017 from 5,955 in 2016. Forecasts show that the global cyber insurance market is expected to grow to $14 billion in 2022.
Cyber insurance isn’t just about protecting against the liability costs arising from the compromise of your hosted data. If you are a managed services provider (MSP), you can be liable for data breaches incurred by your customers if neglect can be proven, and general liability policies are usually not enough in these circumstances. If you are a company looking to partner with an MSP, you should only do business with those firms that are fully protected by an ample policy.
Key Issues and Risks
The costs of a data breach extend well beyond the cost of cleanup. Long-term damage to a company’s brand is a real risk today. Furthermore, in an environment in which companies use mergers and acquisitions (M&A) in order to increase their competitiveness and market share, a company can unknowingly be purchasing hidden liability costs as well. A survey of 3,182 worldwide M&A dealmakers found that deal values can decrease significantly if the target company has experienced a data breach. It is critical to understand the significance of the risk profile of a targeted company and how its inherent vulnerabilities can have a negative bearing on company valuation and the long-term success of the deal. Mergers and acquisitions, however, are but one of a growing list of factors contributing to the increasing impact of cyber attacks on companies today.
- Unlike fifteen years ago, enterprise devices no longer reside securely within the walled perimeter of the fortified enterprise at all times. Users and devices come and go, exposing information residing on unencrypted mobile devices and USB sticks.
- The cloud now creates complicated hybrid environments within data centers in which security must be enforced across large geographical distances. Companies now must “trust” the security efforts of their cloud providers.
- The proliferation of IoT could be restated as the Internet of Threats, as these devices are often built without regard to security. Many of these devices lack even basic authentication requirements, and those that do have it are usually saddled with credential checks that are easily guessable and rarely changed, making them easy targets for brute-force attacks. Many devices are plagued with services and protocols that are easily exploited by cyber attackers.
- Professional hackers are now utilizing AI and machine learning to improve their ability to crack passwords by analyzing societal trends. Malware creators are now integrating machine learning to generate malware strains that can learn over time how to evade current malware detection methodologies.
Duty of Care/CIS RAM Can Help Ensure Your Preparedness
For most of us, insurance is a “just in case” purchase. We buy it, hoping to never have to use it. Insurance is all about protecting yourself against risk. When we negotiate an insurance policy with an insurance provider, the provider makes sure that it understands the possible risks to your business in order to price a policy correctly. It is equally important that all businesses, regardless of industry, conduct a proper risk assessment to identify the risks inherent to their organization. A risk assessment allows you to gain visibility and insight into the current state of your security posture. Once the potential cyber security threats relevant to your organization have been identified, you can then prioritize them according to their impact and likelihood. This is important because not every cyber threat can be protected against, and nothing is completely safe. Should your organization undergo the traumatic experience of a data breach, you will not be judged by the amount of security you could have chosen to afford, only on the right amount of security justified by your situation.
Information risks vary from one organization to the next, which can make the process of determining an organization’s expected “duty of care” intimidating, if not overwhelming, for those who don’t practice cyber security on a professional basis. Fortunately, there is a risk assessment method, CIS RAM, available through CIS® (Center for Internet Security). CIS RAM provides a set of principles and practices to balance your security, compliance and obligations in protecting your assets from cyber attacks. For those new to CIS RAM, partnering with a dedicated cyber security firm such as HALOCK Security Labs, which co-authored CIS RAM, can help oversee the process of determining your risk criteria in order to meet your standard of due care. Creating a strategy using CIS RAM provides a prioritized approach to achieving good cyber security hygiene throughout your organization. This is essential in protecting your data, users and devices, and your organization’s reputation. Cyber liability insurance is an integral part of the safety liability blanket today, but it isn’t enough by itself. Cyber insurance, backed by a well-designed underlying security strategy, will help ensure that your business is in it for the long term, regardless of what new cyber risks are unveiled.
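The prioritization and "right amount of security" ideas from the two paragraphs above, as an added illustration that is not from the original article and is not CIS RAM's own worksheet: each identified threat is scored on impact and likelihood, compared against an acceptable-risk threshold, and a safeguard is only recommended when it brings the risk within that threshold without being more burdensome than the risk it removes. The 1-5 scales, the threshold of 8, and the sample threats (echoing the vendor-VPN, payment-card and USB scenarios in the article) are constructed assumptions.

```python
"""Constructed duty-of-care risk register (illustration, not CIS RAM's worksheet)."""
from dataclasses import dataclass, field
ACCEPTABLE_RISK = 8  # assumed: impact*likelihood above this needs treatment

@dataclass
class Safeguard:
    name: str
    residual_likelihood: int  # likelihood (1-5) once the safeguard is in place
    burden: int  # the safeguard's own risk to the business, on the same 1-25 scale

@dataclass
class Risk:
    threat: str
    impact: int      # 1-5: harm to patients, customers, partners or the business
    likelihood: int  # 1-5
    safeguards: list = field(default_factory=list)

    def score(self) -> int:
        return self.impact * self.likelihood

    def acceptable(self) -> bool:
        return self.score() <= ACCEPTABLE_RISK

def reasonable_safeguard(risk):
    """Least-burden safeguard within threshold whose burden <= risk removed, else None."""
    best = None
    for sg in risk.safeguards:
        residual = risk.impact * sg.residual_likelihood
        if residual > ACCEPTABLE_RISK or sg.burden > risk.score() - residual:
            continue  # either still unacceptable, or the cure is worse than the risk
        if best is None or sg.burden < best.burden:
            best = sg
    return best

def prioritize(register):
    """Unacceptable risks first, then highest score first."""
    return sorted(register, key=lambda r: (r.acceptable(), -r.score()))

def build_register():
    """Constructed sample threats echoing the incidents discussed in the article."""
    return [
        Risk("Vendor VPN credentials reused by attackers", 5, 4,
             [Safeguard("MFA on vendor VPN accounts", 1, 4),
              Safeguard("Bring the vendor function in-house", 1, 20)]),
        Risk("Payment card data skimmed from POS systems", 5, 3,
             [Safeguard("Point-to-point encryption at the terminal", 1, 10)]),
        Risk("Unencrypted USB stick lost off-site", 3, 3,
             [Safeguard("Encrypt removable media", 2, 2)]),
        Risk("IoT device with default credentials on the office LAN", 2, 2),
    ]
```

Running `prioritize(build_register())` and calling `reasonable_safeguard` on each entry shows the in-house option rejected as more burdensome than the risk it removes, while the low-scoring IoT entry falls under the threshold and needs no treatment.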