Cyber Liability Insurance Essentials for Small and Medium-Sized Enterprises
For as long as organizations have existed to grow crops, move goods or produce items, there have been insurance firms to help these markets survive cyclical events. As we’ve moved to digitize our economies, a trend that hugely accelerated during the pandemic, this age-old industry has come to the fore. It’s been fascinating to see this most traditional of industries being thrust into the center of one of the most relevant business topics of our era — cybersecurity risk. In this blog we explore how small and medium-sized enterprises (SMEs) in particular can mitigate these risks to obtain manageable insurance cover, so they can focus on making their business thrive in today’s uncertain times.
The pandemic gave rise to unimaginable amounts of change to applications and user workflows in a remarkably short space of time. So much so that McKinsey research indicates that this acceleration was 20-25x pre-pandemic levels. When you accelerate change to this degree and move your workforce to an entirely new dynamic of hybrid work, it is inevitable that fast workarounds may not be as secure as they could be.
As a result, organizations have been exposed to significant risks as threat actors have stepped up their game in response to the massive increase in opportunity. This has been borne out by the explosion in cyber attacks and resulting payouts from insurers, even to the extent that AXA France has signaled that they will not be paying out for ransomware attacks. That move is not all that surprising when you hear that in 2021, businesses suffered 50% more cyberattacks than in 2020.
In my conversations with insurers, many have been playing multiple roles: helping companies put basic controls in place, insuring them against loss, and assisting them to recover should the worst happen. As they are at the financial heart of this problem, insurers have run some extremely insightful analysis of exactly which losses cause the most financial harm and therefore where to place cyber investments.
The consensus from the insurers I have spoken to is that the largest area of focus needs to be around hybrid work with effective security for Remote Desktop Protocol (RDP), as attacks in this area have been a great source of loss for them and their clients. This point is further backed up in reports that RDP attacks grew by 768% in 2020.
So what can SMEs do to protect themselves, especially when they might not have extensive IT resources in place?
Many SMEs have a decent handle on the basics, but most struggle with ensuring that they patch consistently and that users are who they say they are. One of the most important steps they can take to safeguard their businesses is to employ multi-factor authentication (MFA). In short, MFA gives organizations the ability to ensure that users trying to access applications and devices are who they say they are and not anyone else. MFA solutions can also provide full visibility into the attributes and behaviors of the devices that access an organization’s applications via a device inventory. Unsurprisingly, we are seeing more and more MFA requirements in cyber liability insurance policies, as it has such a significant impact in reducing the chance of financial loss.
“I’d say multi-factor authentication is what’s going to mostly determine your ability to purchase cyber insurance.” —Cole Haney, Assistant Vice President, Professional and Cyber Practice, Hays Companies
But not all MFA solutions are created equal. And many are not created with the needs of SMEs in mind. So what should these kinds of firms look to have in place to keep those premiums manageable?
Without extensive time or resources to expend on complex implementation, SMEs need an easy to deploy and use cloud-based MFA solution that integrates with their existing infrastructure. Authentication methods should also be flexible enough to fit into any SME’s workflow requirements, whether that is push notifications, tokens, or biometrics.
Along with MFA, demonstrating security awareness and behaviors across the business can help mitigate risk and help lower cyber liability insurance premiums. With a self-remediation facility, SMEs can keep an overview of device security hygiene while empowering users to take control of their own security concerns. A strong device health app that checks for an enabled firewall, disk encryption, and an up-to-date operating system can help build strong security habits that paint a positive picture for insurers.
Logically, issuance of corporate-owned devices may seem to be a safe way to demonstrate control over a firm’s IT security. However, this is simply not feasible for SMEs who need to rely on a ‘bring your own device’ (BYOD) policy. Additionally, many of these firms depend on temporary workers. According to SME Today, ‘with a greater reluctance among candidates to seek new roles due to uncertainty and concerns over job security, the gig economy (temporary workers and independent contractors) will only continue to rise’. This is why it is crucial that SMEs have access controls and complete visibility into endpoint security across all devices, whether personal or corporate-owned, no matter how long they are needed for.
Finally, it is crucial that SMEs demonstrate their cybersecurity coverage grows as they do, to avoid future penalties. Their solution needs to scale to meet the company’s security needs and have the ability to add users and devices at any time. It should feature MFA capabilities that can pair with single sign-on to create a consistent login workflow across all applications, and sync with directories to ensure policies stay current even as the user base changes.
As we move forward, we will see the insurance market develop such that the best premiums will be on offer to those companies with a series of basic security controls in place and undoubtedly MFA will be among them. Organizations that have embraced these steps will be making themselves more resilient, reducing their chance of loss and ensuring that they’ll be well supported by their insurance partner should the worst come to pass. Duo can help organizations comply with insurance requirements through MFA, device trust, and establishing least-privileges access policies.