Cyber insurance is becoming increasingly important as companies rely more on digital systems and as cyberattacks, ransomware attacks, and data breaches become more prevalent. Many companies manage sensitive data, including credit card information, customer names and addresses, Social Security numbers, or other confidential information. If your company is affected by a cyberattack, you could find yourself dealing with costly lawsuits, data restoration expenses, and regulatory fines.
To determine the best cyber insurance companies, AdvisorSmith considered a number of factors, including financial strength ratings from AM Best and Standard & Poor’s, customer satisfaction data from several J.D. Power studies, complaint ratings from the National Association of Insurance Commissioners, available features and options, and availability of information and ease of use of the insurers’ websites. We scored insurers out of a total of five points and only included those companies that scored 4.0 or higher.
The Best Cyber Insurance Companies
Rank | Company | AdvisorSmith Rating |
---|---|---|
1 | Hiscox | 4.9 / 5.0 |
2 | Chubb | 4.8 / 5.0 |
3 | The Hartford | 4.7 / 5.0 |
4 | AIG | 4.7 / 5.0 |
5 | CNA | 4.6 / 5.0 |
6 | Arch | 4.5 / 5.0 |
7 | Hanover | 4.5 / 5.0 |
8 | Intact | 4.4 / 5.0 |
9 | Beazley | 4.3 / 5.0 |
10 | Axis | 4.3 / 5.0 |
*Not all insurance companies provide coverage in all states.
More on the Best Cyber Insurers
AdvisorSmith found and rated the top commercial cyber insurance companies on a five-point scale, based on financial strength, customer satisfaction, ease-of-use, and a number of other factors. While many insurers were evaluated, only those with a score of over 4.5 are listed below.
Hiscox: 4.9 / 5.0
Hiscox received A ratings from both AM Best and Standard & Poor’s. Hiscox’s cyber liability insurance is designed for small businesses and includes coverage for common costs resulting from cybercrimes, including breaches, extortion, and social engineering fraud. Insureds can upgrade their coverage to include digital media coverage for copyright infringement, invasion of privacy, and other claims that arise from your website or social media presence.
AdvisorSmith Rating For Hiscox
- Overall rating: [2.5] / 5 stars
- Coverage options: [4] / 5 stars
- Cost: [2] / 5 stars
- Ratings and complaints: [2.5] / 5 stars
- Digital experience: [3] / 5 stars
- Customer service: [1] / 5 stars (20% of overall rating)
Chubb: 4.8 / 5.0
Chubb has an A++ rating from AM Best and an AA rating from Standard & Poor’s, indicating excellent financial strength. The company has offered cyber liability insurance since 1998 and offers several customizable cyber liability programs for businesses of all sizes and from all industries, including those industries that have a high frequency of cyber incidents. Chubb offers risk management information and assessments, along with a variety of services to minimize risk and mitigate losses.
AdvisorSmith Rating For Chubb
- Overall rating: [4] / 5 stars
- Coverage options: [4.5] / 5 stars
- Cost: [3] / 5 stars
- Ratings and complaints: [4] / 5 stars
- Digital experience: [3.5] / 5 stars
- Customer service: [4.5] / 5 stars
The Hartford: 4.7 / 5.0
The Hartford has been given an A+ rating by both AM Best and Standard & Poor’s. The insurer offers two cyber policies: data breach insurance for small businesses and cyber liability insurance for larger businesses. Data breach policies can also be customized with business income and extra expense coverage, prior acts coverage, and extortion coverage. The Hartford’s Cyber Center provides information on how to avoid incidents and maintain online safety. The Hartford also offers online quoting.
AdvisorSmith Rating For The Hartford
- Overall rating: [3.2] / 5 stars
- Coverage options: [4] / 5 stars
- Cost: [3] / 5 stars
- Ratings and complaints: [3] / 5 stars
- Digital experience: [4] / 5 stars
- Customer service: [2] / 5 stars
AIG: 4.7 / 5.0
AIG has an A rating from AM Best and an A+ from Standard & Poor’s. The company offers data, analytics, and detailed threat scoring and analysis to help insureds understand and deal with their cyber risks. Additional loss prevention services can provide protection from ransomware, phishing attempts, and other threats. AIG also offers a 24/7 claims hotline.
CNA: 4.6 / 5.0
CNA received an A rating from AM Best and an A+ from Standard & Poor’s. CNA’s cyber insurance products are available to businesses of all sizes. CNA’s CyberPrep cyber risk program is available to all policyholders and is designed to help insureds identify, mitigate, and respond to cyber threats. An online portal provides resources and tools to help policyholders learn about cybersecurity and prepare for incidents.
CNA Commercial Insurance Rating
- Overall rating: [3.2] / 5 stars
- Coverage options: [5] / 5 stars
- Cost: [3] / 5 stars
- Ratings and complaints: [2] / 5 stars
- Digital experience: [4] / 5 stars
- Customer service: [2] / 5 stars
Brokers for Cyber Insurance
Because cyber insurance is a specialized coverage that can vary widely depending on your business’s individual needs, it’s common for companies to obtain coverage through a broker. A broker can help you find the most cost-effective and complete coverage from an appropriate insurer. Below, we’ve highlighted a few of the top brokers that offer cyber insurance.
Embroker is backed by Munich Re, a financially strong insurer with an A+ rating from AM Best and an AA- rating from Standard & Poor’s. Embroker offers online quotes and claims, in addition to assistance that is available 24/7 via live chat, email, or phone. Embroker also provides a personal account manager who can help with insurance needs.
AdvisorSmith Rating for Embroker
- Overall rating: [4.8] / 5 stars
- Coverage options: [5] / 5 stars
- Cost: [5] / 5 stars
- Ratings and complaints: [4.5] / 5 stars
- Digital experience: [4.5] / 5 stars
- Customer service: [5] / 5 stars
CoverageSmith is a leading online broker specializing in insurance for small businesses. The company provides a modern, tech-enabled solution for businesses, allowing them to quickly get the insurance they need, completely online, from some of the most trusted insurance carriers in the world, including Chubb, The Hartford, AIG, and CNA.
CoverWallet is an online broker backed by Aon, an insurer with an A rating from AM Best. The company provides online quotes, assessments to help you understand what types of insurance your business needs, and online claims processes. CoverWallet also provides information and reading material on cyber liability. It may be possible to manage your pre-existing insurance policies through CoverWallet.
AdvisorSmith Rating For CoverWallet
- Overall rating: [3.4] / 5 stars
- Coverage options: [4] / 5 stars
- Cost: [3] / 5 stars
- Ratings and complaints: [3] / 5 stars
- Digital experience: [4] / 5 stars
- Customer service: [3] / 5 stars
How much does cyber insurance cost?
The average cost of cyber insurance in the U.S. in 2020 was $1,485 per year, but premiums have been increasing in 2021 due to a rise in cyberattacks. The costs of insuring your business against data breaches and hacking attacks vary based upon the nature and size of your business, as well as the state in which your business is located. Below, we list the average cost of cyber insurance in each state, along with the difference between the state average and the national average.
State | Average Cost of Cyber Insurance | Difference from National Average |
---|---|---|
Alaska | $1,532.89 | 3.23% |
Alabama | $1,539.40 | 3.67% |
Arkansas | $1,646.50 | 10.88% |
Arizona | $1,581.50 | 6.50% |
California | $1,430.18 | -3.69% |
Colorado | $1,521.67 | 2.47% |
Connecticut | $1,593.62 | 7.32% |
District of Columbia | $1,539.25 | 3.66% |
Delaware | $1,446.47 | -2.59% |
Florida | $1,529.82 | 3.02% |
Georgia | $1,450.54 | -2.32% |
Hawaii | $1,519.46 | 2.32% |
Iowa | $1,505.73 | 1.40% |
Idaho | $1,483.70 | -0.08% |
Illinois | $1,434.59 | -3.39% |
Indiana | $1,484.06 | -0.06% |
Kansas | $1,501.38 | 1.11% |
Kentucky | $1,587.10 | 6.88% |
Louisiana | $1,623.94 | 9.36% |
Massachusetts | $1,380.59 | -7.03% |
Maryland | $1,471.18 | -0.93% |
Maine | $1,467.39 | -1.18% |
Michigan | $1,339.33 | -9.81% |
Minnesota | $1,708.11 | 15.03% |
Missouri | $1,509.00 | 1.62% |
Mississippi | $1,472.55 | -0.84% |
Montana | $1,478.29 | -0.45% |
North Carolina | $1,421.49 | -4.27% |
North Dakota | $1,464.42 | -1.38% |
Nebraska | $1,485.64 | 0.05% |
New Hampshire | $1,431.99 | -3.57% |
New Jersey | $1,615.25 | 8.77% |
New Mexico | $1,355.36 | -8.73% |
Nevada | $1,507.55 | 1.52% |
New York | $1,616.70 | 8.87% |
Ohio | $1,553.68 | 4.63% |
Oklahoma | $1,513.03 | 1.89% |
Oregon | $1,462.50 | -1.51% |
Pennsylvania | $1,466.49 | -1.24% |
Rhode Island | $1,541.58 | 3.81% |
South Carolina | $1,398.83 | -5.80% |
South Dakota | $1,489.45 | 0.30% |
Tennessee | $1,500.20 | 1.03% |
Texas | $1,459.22 | -1.73% |
Utah | $1,515.10 | 2.03% |
Virginia | $1,467.83 | -1.15% |
Vermont | $1,457.70 | -1.83% |
Washington | $1,449.80 | -2.37% |
Wisconsin | $1,523.03 | 2.56% |
West Virginia | $1,629.64 | 9.74% |
Wyoming | $1,426.89 | -3.91% |
Besides the location of your business, a number of other factors can greatly affect the premiums that you pay for cyber insurance. Insurance companies will take into account the nature of your business, the number of sensitive employee and customer records you store, whether your business stores credit card and banking information on your customers, and the types of security defenses your company has undertaken. Additionally, if your company has a history of cyber insurance claims, or if it has been attacked or hacked in the past, your premiums may be higher.
What does cyber insurance cover?
Cyber insurance covers financial losses from data breaches, hacking, viruses, denial of service attacks, and other similar cyber events. Cyber insurance has two major components: third-party liability coverage and first-party coverage.
First-party coverage protects your company when you incur expenses from a data breach or when your company is hacked. You may choose to purchase either or both types of coverage.
Third-party coverage provides protection when a customer, vendor, partner, or other party sues you for allowing a data breach to happen.
First-Party Coverage
First-party coverage provides protection against the financial losses your business incurs due to a data breach, hack, or other cyber event.
Data Breach
First-party coverage can provide for the costs of responding to and recovering from a data breach. These costs can include:
- Notifying your customers or employees affected by the breach
- Providing credit monitoring services to those affected
- Hiring technical consultants or lawyers
- Advertising and public relations costs
Data Recovery
If your company’s electronic data is lost, damaged, or corrupted due to a hack, virus, or denial of service attack, you can be covered under first-party coverage. This coverage also extends to data belonging to others stored on your systems.
First-party coverage will reimburse your company for the costs to restore or recover the lost or damaged data, as well as the costs to hire consultants to help you restore or repair your data.
Business Interruption
Business interruption coverage is also available on many cyber insurance policies. A typical business income insurance policy that is attached to a commercial property policy only covers perils that cause physical damage. Usually, commercial property coverages do not provide coverage for electronic data.
If the loss or destruction of data leads to a disruption in your ability to do business, this coverage can pay for the loss of business income your business experiences.
Cyberextortion
First-party coverage can also cover cyberextortion. If your business is threatened with damage to your computer systems or networks unless you pay a ransom, this insurance can provide coverage.
First-party coverage can also provide coverage for the money you spend to respond to the extortion demand, in addition to any ransom you pay. The insurer’s consent is usually required before you pay these expenses.
Third-Party Liability Coverage
The third-party liability coverage provided by cyber insurance provides protection against lawsuits filed by clients or others against your business as a result of a breach of their security or privacy. These lawsuits can accuse your business of failing to adequately protect data you possess that belongs to customers, employees, vendors, or others.
Some of the claims and costs that third-party liability may cover include:
- Legal expenses
- Network security claims
- Privacy claims
- Employee privacy liability
- Regulatory fines
What are the most frequent cyber insurance claims?
Businesses have faced an increasing number of cyberattacks in recent years, particularly from common cyberattacks such as ransomware and social engineering fraud. The most frequent causes of cyber insurance claims are hacking, ransomware, phishing, and employee negligence. Having cyber insurance can protect your business against the financial consequences of some of these attacks.
Hacking claims account for some of the most common cyber insurance claims. If a hacker breaks into your company’s computer network and steals data, your company may be liable for a variety of costs to recover from and mitigate the damage from the hack. These costs may include forensic services to determine the cause and extent of the hack, legal costs to defend against third-party lawsuits related to the hack, notification and credit monitoring services for affected individuals, public relations costs, and regulatory fines and penalties.
Ransomware attacks occur when malicious software is installed on your company’s systems and your company’s data or critical software is threatened unless you pay a ransom. In these cases, cyber insurance can pay for the costs of the ransom so that your company’s data or systems can be recovered. Many cyber liability policies provide very limited coverage for ransomware or cyber extortion attacks, with coverage sublimits as low as $25,000, even when the cyber liability policy has a much higher total limit.
Phishing attacks induce your employees to disclose passwords or other login credentials to hackers. These attacks can happen when employees click on malicious links embedded in emails or on the web. They can also occur over the phone when your employees are tricked into disclosing passwords or other sensitive information. With phishing attacks, criminals can log into your company’s systems and steal data or conduct unauthorized financial transactions.
Employee negligence claims can arise from something as simple as an employee losing a laptop that contains sensitive customer or employee data. In the case of employee negligence, your company could be liable for lawsuits related to lost data, notifying affected individuals and providing them with credit monitoring services, public relations costs, and fines and penalties.
Methodology
In order to determine the best cyber insurance companies, AdvisorSmith reviewed several factors before coming to a conclusion. Factors that were evaluated by AdvisorSmith include the insurer’s financial strength, customer satisfaction, policy options, and ease-of-use. By assessing these important factors we were able to determine the best cyber insurance companies and coverage to meet your individual business needs.
Financial Strength
The best cyber insurance companies are those that have the financial strength to pay out claims in the event of a data breach or cyber attack. In order to determine an insurer’s financial strength, AdvisorSmith reviewed their rating from A.M. Best and Standard & Poor’s. These are two of the most reputable financial rating agencies in the industry.
Customer Satisfaction
Customer satisfaction is another important factor that we considered when determining the best cyber insurance companies. In order to assess customer satisfaction, we review data from J.D. Power’s U.S. Small Business Insurance Study. This study surveys customers of small businesses across the country and rates insurers on a number of important factors including claims satisfaction, price, and customer service. Additionally, we considered complaint ratings from the National Association of Insurance Commissioners (NAIC) to determine customer satisfaction.
Policy Options
When determining the best cyber insurance companies, we also assess the policy options that each insurer offers. Cyber insurance policies can vary greatly in terms of the coverage they provide. It is important to choose an insurer that offers a policy that meets your specific business needs.
Ease-of-use
Finally, we also considered the user-friendliness of each insurer’s website and policy application process. In today’s digital age, it is important to choose an insurer that makes it easy to obtain a quote and purchase a policy online.
Using our own proprietary scoring algorithm, we weighted each factor based upon what we believe to be important for small and midsize business owners. Our algorithm produced a score out of five total points. While we considered a number of insurers, we only included in this article those companies that scored 4.0 or higher.
The AdvisorSmith rankings are based upon our editorial team’s quantitative and qualitative analysis, and they are intended to serve only as a guide for our readers. We encourage our readers to conduct their own research when selecting an insurer, shop and compare quotes, and make a decision based on their own unique business needs.
AdvisorSmith is in no way compensated for any of our reviews.
Expert Commentary
AdvisorSmith spoke with the following experts to provide critical insight on cyber insurance for business owners.
Q. Where do you see the cyber insurance market trending, and what are the main insurability challenges?
Tom: Over the past year, the cyber insurance industry has recognized the increase in cyber risk. Therefore, many organizations are finding their cyber insurance rates increasing, sometimes at dramatic rates of 200% or more. The cost of a breach averaged $3.86 million in 2020, according to the Ponemon Institute’s Cost of a Data Breach Report.
Insurance companies are now performing more extensive cyber risk analysis of organizations before offering insurance and even could deny insurance if they feel the organization has too much cyber risk exposure. The challenge is that the insurance carriers may not do a thorough analysis, and it could weigh negatively in favor of the organization or could be negative towards the organization.
Say for instance the company has made investments in cybersecurity, had their controls independently validated, and scored exceptional in an external penetration test, the insurance company could still rate them as high risk thus pricing the insurance high and perhaps unaffordable.
Yair: We do see a major tsunami of ransomware attacks, and most of it is coming from nation states or cybercriminals within those nation states, so it is very hard for federal, state, and local law enforcement involved with cyber to deal with it as they don’t have much jurisdiction over these areas of the world.
When it comes to the cyber insurance market, many organizations and also local government entities are using cyber insurance in an attempt to protect themselves, especially from ransomware. However, many cyber insurance policies in recent years also require more effort from their clients to be more compliant with national standards such as the NIST Cybersecurity Framework, the Cybersecurity Maturity Model Certification (CMMC), or the European Union’s General Data Protection Regulation (GDPR), which may cause some challenges for organizations if their cybersecurity posture is not up to par with some national or international standards.
So, when it comes to cyber insurability, the requirements from the insurance companies should focus also on faulty business processes that cause some of the vulnerabilities. For example, a real estate company that is doing transactions with thousands of customers daily has been asking their customers to share Personally Identifiable Information (PII) including tax returns and pay stubs over regular unencrypted emails. Such practices are compromising the integrity of both the customers and the company.
Andrew: I don’t foresee an end to ransomware attacks anytime soon, so I see the overall demand for cyber insurance increasing. The main challenges I see right now are that insurers have no process to ensure their clients maintain an ongoing minimum security posture.
The current model has clients answering questions on a checklist or submitting a data spreadsheet to the insurer. The best-case scenario is that this data is a snapshot in time and doesn’t represent their ongoing security posture. Worst-case scenario is that the client misrepresents their security posture in an attempt to get insured.
Long-term, I envision a scenario whereby cybersecurity insurers create a standard their clients must meet and a required process of ongoing monitoring to ensure that the client stays compliant with that standard.
Bilge: Cyber insurance is an emerging market, and it is in its infancy compared to the many other insurance types. Cyber insurance has many uncertainties and unknowns that may prevent the market from growing. Cloud adoptions bring standardization to IT infrastructures of insureds that might be a positive factor for the proliferation of the cyber insurance market; however, it is not sufficient for insurers to fully understand the cybersecurity posture of a small business.
According to the OECD’s report titled Enhancing the Role of Insurance in Cyber Risk Management, the quantification of a cyber breach is the biggest concern among cyber insurers. The main challenges for quantifying cyber breaches are the lack of historical data on cyber incidents, the changing nature of the cyber risk/threat environment, and the limited access to corporate security information necessary for underwriting. All of these factors make cyber risks difficult to understand for the cyber insurance sector.
At this point, it is vital to close the gap between the insurers and cyber experts. The collaboration and cooperation between cyber experts and insurers will help mature and grow the cyber insurance sector, which will finally help faster and less expensive insurance premiums. Insurers need to understand the characteristics of cyberspace, cyber threats, and vulnerabilities; then, based on that knowledge, they should correctly assess a company’s cybersecurity posture/maturity. After making these assessments correctly, they will have the right amount of appetite and confidence to insure their clients.
At this point, four types of cyber companies can tremendously help cyber insurers overcome the market challenges and mature the cyber insurance market. Those are (1) cyber risk scoring companies, (2) cyber threat intelligence companies, (3) enterprise risk management companies, and (4) cloud security posture management companies. One can call these companies “intermediaries” in the context of cyber insurance. They can play an essential role between the cyber insurance sector and customers.
Bruce: Trends in the cyber insurance market are recognizing the impact of ransomware attacks. As the cyber insurance market has matured with the ability to gather the actuarial data on cyberattacks, risk is calculated to determine the premiums for cybersecurity policies. Cybersecurity insurance also recognizes rate calculation determined by risk reduction measures of security controls that are implemented. A general perspective of organizations is that cyber insurance alleviates the need to implement proper security controls.
With the increase in cyberattacks, specifically ransomware, cyber insurance companies realize the increase in organizations that file claims on cyber policies. The cyber insurance industry is recognizing that the pricing models may not have identified the increase in claims, causing many cyber insurance companies to re-evaluate the pricing model, with some reconsidering the offering of cybersecurity insurance all together.
Q. Should small businesses be concerned about cyber risk?
Tom: The challenge that many organizations face is how they will determine if the cost of cyber insurance is worth the cost of the increased rates. When you look at the cost of a breach, I believe it is, but some organizations may not be able to afford the new premiums. However, a breach to a small organization could bankrupt it, while a larger organization could absorb the cost of the breach.
I don’t think many small businesses understand how costly a breach is and how much it could impact their ability to stay open. While the focus so far has been on large companies, it is only a matter of time before hackers turn their attention to small businesses.
Yair: Absolutely! It is unfortunate that small business owners assume that they are not going to be the next target of cybercriminals. Research provides strong evidence that over the past two years, smaller companies are easier targets for cybercriminals as the effort to successfully penetrate their business is significantly lower, and the payout, especially when it comes to ransomware, is quicker as it is mainly done based on the impulse of a single key decision maker or the company owner rather than an established, highly professional team. So rather than trying to hack one large company and negotiate $1M in ransom, these cybercriminals are breaching 100 smaller companies asking for $10K each and making a faster return on investment for the adversaries.
Here at NSU’s Center for Information Protection, Education, and Research (CIPhER), which has been designated by the National Security Agency (NSA) as a National Center of Academic Excellence (CAE) in Cyber Defense since 2005, we’ve been conducting ongoing research on small business cybersecurity. Our Master’s students in our cybersecurity programs conduct risk assessment projects at small organizations (we publish with fictitious company names to protect their identity) where we see repeatedly that smaller organizations are ill-prepared for cyber incidents and just unaware of the risks associated with any of their operations that are online.
These operations don’t have to be sophisticated web-based or cloud-based operations, even their use of a cellphone and access to an email account where they do their business opens them up to massive cyber risks, as is documented yearly by the FBI’s Internet Crime Complaint Center (IC3). Some posters from the work of our graduating students can be found via: https://infosec.nova.edu/current-student-research/masters-students/index.html where our students develop a full project to address the top identified cyber threats to a small organization either from the technical perspective or the managerial perspective.
Andrew: The short answer is “yes.” The more relevant questions to consider are: to what degree should small businesses be concerned with cyber risk, and do they understand their particular threat landscape? For example, law firms have a different set of cyber risk concerns than real estate firms do. Not all small businesses face the same threats, so it’s essential to have a nuanced conversation specific to the particular small business.
Bilge: All businesses, whether small or large, should be concerned about cyber threats. According to Verizon’s 2021 Data Breach Investigations Report (DBIR), there is not much difference between small and large businesses in terms of both numbers and patterns of security breaches. As a matter of fact, small businesses should be more concerned about cyberattacks because some peculiarities of small businesses can make them more vulnerable than large enterprises.
First of all, most small businesses are usually on a tight budget; they typically can’t include cybersecurity talent in their workforce, contrary to large businesses that generally have dedicated cybersecurity units and professionals working full-time in these units. The fact is that small businesses are usually in a false illusion of security. Some businesses assume that cyber threats will not be interested in their networks because they don’t have anything worth stealing other than a static website. The lack of security awareness is a general problem for small businesses; this is common across all organizational layers of small businesses, from the owner to the operational level.
Another false assumption is quite common for small businesses that migrate their IT infrastructure to a public cloud service. They usually assume that cloud service providers will provide all necessary security measures.
Last but not least, cyberattackers frequently use small business networks as a passageway to the enterprise networks. Supply-chain attacks are one of the most rewarding attacks for cybercriminals. That was the case for the 2013 Target breach in that cybercriminals first penetrated the network of Target’s HVAC supplier.
Bruce: Everyone should be concerned about cyber risk, specifically small businesses. Small businesses are easy targets because they do not have the resources for extensive cybersecurity controls. However, small businesses rely heavily on technology to operate efficiently, including utilizing the internet. Any business that uses the internet and web services is exposed to threats worldwide, no matter the business size.
Q. How can a business effectively organize and manage cyber risk?
Tom: One of the great things about cybersecurity is that there are a variety of frameworks that you can use to protect your business effectively. The NIST Cybersecurity Framework can be used by any organization to assess and develop best practices around cybersecurity. There are dozens of others as well, some more complex than others but all with fundamentally the same concepts.
Businesses should also hire expertise to support their cybersecurity program. Whether they hire dedicated staff or hire an outside consulting firm, there are opportunities to bring in highly skilled staff to help your organization combat the risks around cybersecurity.
To be successful however, you have to have buy-in at the top. The owners, board members, and executives all need to understand the risk and take an active role in understanding how it could impact their business. You also need to educate your staff by providing cybersecurity training and awareness. They are the most important asset in protecting an organization from a cyber attack.
Yair: The majority of the small business owners or key decision makers are just unaware of how much they can improve the cybersecurity posture of their company with very little investment. For example, taking the time to educate their employees about proper cyber hygiene, which there are many YouTube videos about, aside from taking a few minutes of work, doesn’t cost much for the company.
Also, being aware of phishing emails and what they can do to mitigate them, or the multi-billion dollar scam—Business Email Compromise (BEC) (see the FBI’s report: https://www.fbi.gov/scams-and-safety/common-scams-and-crimes/business-email-compromise).
Other measures should include implementing information security policies and also compliance programs to enforce such policies. Even if it’s a very small company with just a handful of employees, creating the cybersecurity awareness culture in the organization can go a long way in mitigating some cyberattacks such as phishing or ransomware.
Just the same as businesses investing in their legal or accounting support, they must invest in cybersecurity support. While there are many actions that small business owners and key decision makers can take on their own, there are still many other actions that they must consult with cybersecurity professionals on. The same way one would go and consult a specialized MD on a medical issue that they have, they need to also consider making the effort—ahead of a cyber incident—to discuss the risks to their organizations, understand the impact of such risks to their organization, and then develop a proper set of actions to mitigate such cyber risks.
Andrew: Small firms have to start by understanding that they are a potential victim of a cyberattack, regardless of size. Too many small firms think they are “too small” to be attacked when the data shows they are not. Once they accept this reality, they should move on to doing the basics—asset management and classification, policy development, technical controls, data backup and restoration planning and testing, and employee training and awareness.
Bilge: As opposed to the 80s, 90s, and early 00s, company networks today don’t have virtual perimeters. It is crucial to invest in a UTM box with integrated antivirus, intrusion detection and prevention, content filtering, e-mail filtering, and VPN solutions; however, it is a small portion of cybersecurity in today’s ultra-connected world. BYOD is the new Business as Usual (BAU) today; working from home has also become a new BAU setup because of the COVID-19 pandemic. All of these make it necessary for companies to have state-of-the-art endpoint security measures more than ever before. Endpoint security is not as easy as perimeter security because of its distributed nature, the diversity of endpoint devices, and end users’ freedom expectations. It requires fundamental shifts in security mindsets, such as adopting zero trust architecture, also known as perimeterless security. More specifically, each small business should have a security action plan for mobile devices, such as how they will update mobile devices, whether they will use mobile device management software, whether they will use VPN solutions, and whether they consider adopting new concepts like SASE (Secure Access Service Edge).
The adoption of public cloud infrastructures is quite common among small businesses today. It brings a higher security standard compared to the on-prem infrastructures of older days. However, small business owners and IT administrators should be aware that using a public cloud service does not mean that they have also outsourced cybersecurity. They should be acquainted with the shared responsibility model; the responsibility of securing a company’s computing environment in the cloud is shared between the Cloud Service Provider (CSP) and the business itself.
The cloud model sets the general baseline for the responsibilities of both parties. In an Infrastructure as a Service (IaaS) model, the CSP provides the underlying infrastructure, including virtual servers, network devices, and storage. The client is responsible for using up-to-date and securely configured operating systems and applications running on them. In the Platform as a Service (PaaS) model, securing operating systems and COTS applications has been transferred to the CSP. The client is responsible for the security of the applications it has developed. In the Software as a Service (SaaS) model, most responsibility belongs to the CSP; the client is still responsible for the security of the SaaS product. In short, cloud customers always have security responsibilities, especially in IaaS deployments, where the client is responsible for most security as if the servers were on-premises.
Below is a list of cybersecurity best practices for small businesses:
- Provide appropriate security training for all employees, including computer users, IT staff, and managers. Security training should be more like a security awareness session for computer users, but it should be more in-depth and technical for the IT team.
- Set policies and associated action plans for mobile devices; specifically analyze the new posture caused by the COVID-19 pandemic.
- Using vulnerable (out-of-date) software is the number one reason for ransomware attacks. Always use up-to-date endpoint devices. Always use the most up-to-date versions of operating systems (Windows, iOS, Android) and Internet browsers across the company networks. Web browsers are the prominent entry points to the Internet; always use updated web browsers across the business networks. Never forget to update the firmware of IoT devices—such as webcams and access control systems—that reside in the network.
- Physical security is always essential, even in the era of ubiquitous computing. Wi-Fi security can be considered an essential and usually ignored part of physical security. Use strong Wi-Fi authentication and encryption protocols and strong passphrases to eliminate hack attempts by nearby cybercriminals.
- Strong passwords are important; however, never rely on the passwords. Always use multi-factor authentication whenever it is applicable.
- Access control is at the heart of cybersecurity; it is also essential to implement zero trust. Adopt an access control policy: never use shared accounts, define user groups and roles, never use default allow rules, and never grant full access to all data.
- Adopt a data backup plan and back up your essential information and systems so you can respond in a timely and effective manner to business contingencies.
There are many layers of cybersecurity, including but not limited to technical, organizational, administrative, and physical layers. Security guidelines and standards might be a lighthouse for most small businesses. From the standardization and certification perspective, Cybersecurity Maturity Model Certification (CMMC) might be a valuable guide for small businesses to grow to certain levels of cyber maturity. Although CMMC targets Controlled Unclassified Information (CUI) for Department of Defense contractors, it has the potential to become prevalent for enforcing security standards for small businesses in the U.S.
Bruce: Any business that effectively manages cyber risk will start with an assessment of the technology environment. Many small businesses cannot afford to conduct an extensive assessment. Small businesses rely on their internet provider to implement the necessary security controls that protect the organization from bad actors, malware, and other malicious activity.
Small business owners need to understand what security controls or protections their Internet Service Providers (ISPs) have implemented. With an understanding of the cybersecurity protection that the ISP provides, small business owners can determine what additional cybersecurity controls need to be implemented to ensure the organization’s security.