By Lawrence Perret-Hall, Director at CYFOR Secure, discusses
According to research from Allianz, cyber incidents are now considered the top risk for businesses across the globe. While attacks on household names like Uber grab headlines, lower value but equally disruptive attacks are becoming increasingly commonplace for SMEs. Many small businesses are still operating under the assumption they will not be targeted by hackers despite the fact that more than a fifth (21%) of SMEs have suffered a cyber incident in the past 12 months. However, over a third (34%) have no cyber insurance cover.
Rising cyber insurance premiums do not help the situation. Insurance cover has become both more expensive and less exhaustive due to cyberattacks that have increased in severity and frequency. As a result, many organisations are simply being priced out of insurance. However, there are steps that SMEs can take in collaboration with the security industry and insurers to reduce the cost of their cyber insurance and bolster their security posture.
Insurance is an effective risk management tool, but it can often be a reactive measure. In reality, a proactive cyber strategy is crucial to minimising one of the greatest security risks: people.
Awareness training programmes and phishing simulations are effective tools for securing an organisation against attacks. Phishing is one of the most common threats, yet training staff on how to spot a malicious email is one of the easiest ways to manage cyber risk while helping to promote a culture of shared responsibility. SMEs should also establish a back-up strategy, ensuring their data back-ups are updated regularly and spread across different locations. These relatively simple steps won’t be a huge investment, yet they can demonstrate to insurers that cybersecurity is taken seriously. An organisation proactively managing risk appetite therefore becomes a more attractive prospect to insurers, and premium prices will be reduced.
Collaborate with industry
Managed security service providers (MSSPs) offer valuable support to SMEs that want to boost their cyber hygiene and reduce insurance costs but lack the in-house resource to do so themselves. For example, MSSPs can help small businesses create an incident response (IR) plan. A strong IR plan that is readily deployable in the event of a cyberattack means breaches are responded to as soon as possible and disruption is minimised.
For IR plans to work effectively, MSSPs and businesses should look to collaborate from the earliest stage of their relationship. Again, proactivity is key here. Rather than engaging experts reactively, once an attack has occurred, third parties should be onboarded early so that they gain familiarity with the company’s systems and learn its network. As a result, the response to a cyberattack can go from hours to minutes. What’s more, MSSPs can guide smaller businesses through the cyber insurance process and ensure they have all the measures in place to demonstrate good cyber hygiene.
Embrace new solutions
Currently, quantifying risk in cyber insurance is difficult; attacks are increasing and no business is ever completely secure. However, if insurers utilise information from vulnerability scanning tools, they can receive a more accurate depiction of their customers’ security posture. These assessments enable businesses to detect and respond to weaknesses before cybercriminals have a chance to exploit them, and can also include Dark Web monitoring to detect if a business’s credentials are for sale.
This solution, often delivered by MSSPs, can also offer valuable insight into the progress of an organisation’s cyber strategy, for example whether or not it has reduced the number of vulnerabilities across its network. With this, insurers should be able to more accurately evaluate risk, price premiums and reward good security practices with less expensive plans.
Cyberthreats will undoubtedly continue to cause chaos in 2023 and SMEs need to ensure that they have a long-term protection plan. With tighter budgets, it’s worth considering a cyber retainer to make costs much more manageable. A retainer for cybersecurity can guarantee return on investment. Any money not spent on incident response is put towards improving a company’s overall cybersecurity posture. The cost of a retainer can be planned and budgeted for, while also demonstrating a continued proactive approach to cybersecurity.
Cybercriminals are rarely indiscriminate – they will simply choose their easiest and most lucrative target. However, when SMEs work collaboratively with security experts, they can prove that they are a low-risk enterprise. In doing so, they can reduce insurance costs and, crucially, minimise the impact of a data breach.