Unlike traditional business risks such as fire and workers’ compensation, the cyber risk landscape continues to evolve. As with any relationship, agents must first establish trust, address risks honestly, and educate insureds with practical, usable recommendations to minimize risk. To do so, agents must expand their information security knowledge. Those who don’t risk losing business to competing agents, as well as being disintermediated by holistic solutions sold directly by a growing number of savvy, well-capitalized online insurance and security providers.
To many SMEs and their agents, the terms “cybersecurity” and “cyber insurance” trigger equal amounts of anxiety and confusion. Simply put, smaller insureds don’t know the names of the tools they need, nor the proper technical terms that would lead them to an effective solution.
In our experience, most SMEs are not confident about the security of their networks. They are not sure what their biggest cyber risk is and are confused by the current information security landscape. Most know of other businesses that lost money and data to attacks targeting employees, resulting in ransomware and wire transfer fraud. These executives want to know the most cost-effective things they can do to mitigate the risk of cyber attacks.
The Latest Scary Stuff
As many cyber security experts will admit, the cyber security industry is broken. Despite astounding market growth for security software and services, the increase in the frequency of attacks is equally astonishing.
- In 2017, the cyber security market was worth over $120 billion (up from $77 billion in 2015), yet incidences of successful hacks continue to rise.[1]
- Ransomware attacks saw a 350% increase in 2018.[2]
- Only 10% of small businesses surveyed had a separate budget for cyber
- Cisco’s 2018 SMB Cybersecurity Report found that 53% of midmarket companies in 26 countries experienced a breach.
- Over 40 percent of companies have sensitive files that are unprotected and open to every employee.[4]
- Most research suggests that more than 90 percent of successful hacks and data breaches stem from phishing scam emails crafted to lure their recipients to click a link, open a document or forward information to an
- According to the results of a survey by Barkly (now AlertLogic) of 60 companies that were hit by successful ransomware attacks over the past 12 months, 77% of respondents said the attacks bypassed email-filtering solutions, 95% bypassed firewalls and 52% bypassed antimalware solutions.
- Cryptojacking is the unauthorized use (via malware) of computer resources to mine cryptocurrency. This exploit can result in utility fraud, leaving insureds with higher utility and other computing costs. Cryptojacking is one of the fastest growing cyber security threats in 2018, with 25% of all businesses already falling victim to cryptomining exploits.[2]
- 68% of U.S. businesses have not purchased any form of cyber liability or
Easy & Cost-Effective Security Solutions For Your Insureds
Most small to middle market business executives assume that if they spend $40 per employee for a firewall, patch, install the latest antivirus, and use the cloud, they have a padlock on the doors that keeps the bad guys out. All are great foundational tools, but they are not designed to stop evolving criminal attacks. Using email, attackers bypass these technologies altogether when users are victimized by email fraud, credential theft and vendor risk. In our experience, the most cost-effective cyber risk management tools that will prevent loss are easy, cheap (if not free) and readily available.
Limit User Administrative Privileges
According to Verizon,[5] email fraud accounts for more than 93% of enterprise attacks, which result from phishing scams or fake emails designed to lure recipients to click an infected link or document, or to forward information to a fake sender. Of 60 companies that were hit by successful ransomware attacks over the past 12 months, 77% of respondents said the attacks bypassed email-filtering solutions, 95% bypassed firewalls and 52% bypassed antimalware solutions.[2]
In our experience, the most effective form of training is the use of phishing simulations. Phishing security tests provide an indication of how many employees are susceptible to email social engineering attacks. A well-designed phish-testing program trains employees to spot a phony email and is proven to reduce the risk of a successful ransomware attack. When combined with typical user training, the results are stunning.
Leading training vendor KnowBe4 conducted a study[6] of 6,000,000 users in 11,000 organizations encompassing almost 250,000 tests. Across several industry verticals, initial baseline click rates ranged from 25% to 35% for SMEs under 1,000 employees. At 90 days, rates ranged from 10% to 17%, and at 12 months rates dropped to 1.5% to 3.2%.
Phase one is establishing an initial baseline. A phishing test template is designed based on the employer’s unique environment, and a landing page (often a training site) is created for users who click. The users are provided a summary of what they missed, and the employer is provided charts indicating the “phish-prone” rate. Most vendors also provide a comparison to others in the same industry vertical. Additional tests are sent out randomly over the following 12 months.
These programs are simple and easy to implement. Several vendors offer a free phishing simulation service for companies with up to 100 employees, including online registration, monthly phishing simulations, and detailed analytics to isolate opportunities for improvement. For advanced versions, pricing runs from $5 to $15 per seat per year.
Multi-Factor Authentication (MFA)
Multi-factor authentication strengthens access security by requiring two or more factors to verify a user’s identity. These factors can include something you know (username and password) plus something you have (a smartphone) to approve authentication requests. Most of us are familiar with getting a code texted to our phone to log in to banking and other applications. This tool is highly effective against phishing and other forms of social engineering, as well as password brute-force attacks, and secures your logins against attackers exploiting weak or stolen credentials. Without the code, malicious actors are not able to gain access to your system.
Versions of MFA are available free with Office 365 and Google Suite (make sure your insureds turn it on!). Expect to pay up to $6 per user per month for advanced versions.
DMARC (Domain-based Message Authentication, Reporting and Conformance)
DMARC provides greater assurance of the identity of the sender of an email message and gives email domain owners the ability to protect their domain from unauthorized use, often referred to as email spoofing. Once DMARC is turned on for the insured’s domain, only emails that pass authentication are trusted and delivered. Emails that fail the check are quarantined or rejected.
DMARC is free, but you may need the web host or email administrator to assist with enabling it, since DMARC is not turned on by default.
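Because “turned on” only delivers the protection described above when the published policy is quarantine or reject, the following added Python example (not from the original article or any vendor) parses a DMARC TXT record and reports whether it actually enforces; the sample records and the example.com domain are constructed placeholders.

```python
# Added example: reads the TXT value published at _dmarc.<domain> and reports
# whether the record enforces or merely monitors (p=none).

def parse_dmarc(txt):
    """Split a DMARC TXT value into a tag dictionary.
    Returns None unless the record starts with v=DMARC1, as the standard requires."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            return None  # malformed tag, so not a usable DMARC record
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        return None
    return tags

def assess_dmarc(txt):
    """Return (enforcing, findings) for one DMARC record.
    'enforcing' is True only when failing mail is quarantined or rejected for the
    whole mail stream; p=none still delivers spoofed mail and only reports on it."""
    tags = parse_dmarc(txt)
    if tags is None:
        return False, ["no valid DMARC record (missing or malformed v=DMARC1)"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in ("quarantine", "reject"):
        findings.append(f"p={policy or 'missing'}: failing mail is still delivered (monitor-only)")
    pct = tags.get("pct", "100")  # pct defaults to 100 when absent
    if not pct.isdigit() or int(pct) < 100:
        findings.append(f"pct={pct}: policy applied to only part of the mail stream")
    sp = tags.get("sp")  # subdomain policy; inherits p when absent
    if sp is not None and sp.lower() not in ("quarantine", "reject"):
        findings.append(f"sp={sp}: subdomains are not enforced")
    if "rua" not in tags:
        findings.append("rua missing: no aggregate reports, so spoofing attempts go unseen")
    return len(findings) == 0, findings

# Constructed sample records; example.com is a placeholder, not a real deployment.
WEAK_RECORD = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
HARDENED_RECORD = "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc@example.com"

if __name__ == "__main__":
    for label, record in (("weak", WEAK_RECORD), ("hardened", HARDENED_RECORD)):
        enforcing, findings = assess_dmarc(record)
        print(label, "enforcing" if enforcing else "NOT enforcing", findings)
```

Pass the TXT value returned by a DNS lookup of `_dmarc.<insured-domain>` to `assess_dmarc`; any finding means the domain is still open to spoofing in the way the text describes.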
Business Vendors: Get a Pre-Nuptial
- Description of the PHI/PII and confirmation of authorized user access.
- Minimum required security controls, including basics such as the use of firewalls, anti-virus, patching and encryption. Vendors must also be compliant with relevant regulatory and industry requirements such as HIPAA and PCI-DSS when applicable.
- Security audit clause so the organization has the right to audit security controls periodically.
- Incident reporting requirements stating under what circumstances, and by what means, a security event is reported to the contracting organization.
- Insurance requirement for a stand-alone cyber policy that includes first and third party coverage parts. The contract should require additional insured status (when possible) and provide a minimum limit of $1M.
About the Author
Jeffrey founded Cyber Risk Underwriters to offer tech-backed cyber insurance and related products distributed to insurance agents, cyber security providers and “InfoSec” investors.
Prior to joining Cyber Risk Underwriters, Jeffrey enjoyed over 25 years of success providing complex P&C insurance and risk financing design, brokerage and relationship management expertise for complex risks including technology, healthcare, private equity, and real estate.
Cyber Risk Underwriters maintains offices in Atlanta, Georgia; Park City, Utah; and Huntington Beach, California.
[1] Cybersecurity Market Size Will Reach $300 Billion by 2024
[2] Cyber Security Ventures, 2019 Cyber Security Almanac
[3] The National Center for The Middle Market, “Cybersecurity and the Middle Market: The Importance of Cybersecurity and How Middle Market Companies Manage Cyber Risks,” 2016.
[4] Varonis, 2018 Global Data Risk Report
[5] Verizon, 2018 Data Breach Investigations Report
[6] KnowBe4, 2018 Phishing By Industry Benchmarking Report