
How SMBs Drive Innovation in Cyber

Large organizations have long understood the intrinsic value of customer data. Using it to formulate and execute on key business decisions, enterprises can better meet customer demand, anticipate a buyer’s propensity to purchase and stay ahead of savvy competitors. Because of the substantial amounts of resources required to successfully leverage customer data, and considering its highly confidential nature, large companies have also traditionally led the pack in implementing cyber insurance to protect this crucial business asset.

Despite having fewer human and monetary resources, small and medium-sized businesses (SMBs) have started joining in on the data-driven movement, leveraging their existing customer data to deliver superior customer experiences and, in some cases, successfully compete with large organizations. Protecting that invaluable intelligence, however, has historically been overlooked. Many SMBs assume they aren’t as much of a target as large companies are, or they simply aren’t aware that cybersecurity tools are available to them. Plus, complex buying processes and exorbitant pricing often prohibit even the most knowledgeable SMBs from adequately protecting their assets.

New and Improved SMB Habits

Thankfully, times are changing. As SMBs continue to take advantage of the business benefits that leveraging customer data can provide, they’ve caught on to the merits of defending their customer data with cybersecurity measures such as cyber insurance. In fact, it’s fair to say SMBs will drive the next wave of cyber insurance adoption.


According to recent research conducted by my company, demand for cyber insurance has skyrocketed among the SMB market as of late, with the highest quarterly growth being 150% and averaging approximately 69% per quarter. In Q2 of 2018 alone, 30% of our commercial insurance shoppers purchased cyber coverage, up from 12% a year ago. First-time cyber insurance shoppers are also on the rise among SMBs, having experienced a quarterly growth of 34% over the last year.

Key Factors Contributing to Cyber Insurance Growth

There are a variety of reasons for SMBs’ increasing enthusiasm for cyber insurance, such as a rise in SMB-targeted cyberattacks and widespread, difficult-to-detect network vulnerabilities. However, after analyzing our proprietary digital data collected from Q1 2017 to Q3 2018, we found the following three factors equally critical in driving SMB cyber insurance adoption:

1. Compliance Requirements

Compliance requirements such as HIPAA, PCI and DCI have contributed significantly to the growth of the SMB cyber insurance marketplace. Recent data privacy regulation rulings such as GDPR and the California Consumer Privacy Act may also be pushing adoption, as the percentage of our shoppers who stated compliance requirements as a motivating factor increased 39% quarter-over-quarter.

2. Contractual Components

In the past, mandating cyber insurance for SMBs was difficult, due to the lack of affordability and accessibility. Today, digital-first insurance providers have drastically reduced distribution costs, allowing organizations to enforce cyber insurance as an essential component of third-party vendor contracts. According to our data, nearly half (46%) of SMBs buying cyber insurance are purchasing due to contractual requirements.

3. Affordable Policies

The price of SMB cyber insurance has declined substantially over the past year, primarily due to carriers’ ability to provide tailored policies designed to meet SMB-specific needs. In April 2017, our data shows the average monthly premium cost for a $1 million cyber insurance policy was $270. By June 2018, however, the average monthly premium cost for a $1 million cyber insurance policy dropped to just $77.

The Future of Cyber Insurance Adoption

Compounding factors will continue to drive the SMB cyber insurance market. From a business perspective, state and federal regulations will likely make cyber insurance a mainstream business priority, and enterprise-level contractual requirements will make cyber insurance a must-have for third-party vendors. On the consumer side, customers will continue to take an increasingly active role in their personal cybersecurity, demanding SMBs effectively secure their personal data through security solutions, including cyber insurance.


Though our data is still maturing, the steady increase in SMB shopper awareness and overall market readiness indicates that 2018 serves as an inflection point for the mainstream adoption of cyber insurance. Furthermore, with the SMB population in the U.S. expected to exceed 34 million by 2025, cyber insurance will be an essential factor in securing our collective digital world, and we can expect any business with assets to secure, and long-term viability to protect, to make cyber insurance a critical element of its comprehensive cybersecurity plan.

SMBs Need to Bulk Up Cyber Security

Third-party risks—the notion that a contractor or a supplier could inadvertently expose the first-party organization to a network breach—may not be the sexiest cybersecurity issue out there. But at RSA 2017—the weeklong cybersecurity conference that drew 43,000 attendees to San Francisco’s Moscone Center last month—there was much talk that third-party risks are destined to ascend as a bellwether phenomenon.

I mean that in this sense: Actually addressing third-party risks is something companies of all sizes—from enterprise-class first-party organizations to SMB-size third-party suppliers—must come to grips with, probably sooner rather than later. What’s more, as the journey to mitigate third-party risk unfolds, trustworthiness of internet-centric commerce naturally will rise, perhaps dramatically.

New market emerges

One marker is that tech research firm Gartner has begun monitoring a dozen or so technology vendors marketing third-party risk solutions to large enterprises. Gartner refers to this fledgling cottage industry as the “IT vendor risk management” market. In a report last fall, Gartner predicted that the IT VRM market would expand 30% by 2019.


The main growth driver: regulatory requirements.

Case in point: New York state’s freshly minted Cybersecurity Requirements for Financial Services Companies, which took effect March 1, includes provisions that require financial services companies to ensure the security of the systems used by their third-party suppliers.

Meanwhile, Europe has begun to roll out a comprehensive set of data-handling rules that also call out the need to address third-party risk. These include the new framework for commercial data exchange between the U.S. and the European Union, referred to as the EU-U.S. Privacy Shield, as well as the new EU privacy rules known as General Data Protection Regulation or GDPR.

SMBs in hackers’ cross-hairs

To be clear, the burden does not solely rest with large enterprises to mitigate third-party risks. This issue profoundly affects small and medium-size organizations. SMBs no doubt will face increasing requirements to prove their cybersecurity fitness to win contracts from first-party business customers.

“Third-party issues are driven by the fact that outsourcing trends are continuing unabated,” says Jonathan Dambrot, CEO and co-founder of Prevalent, one of the leading IT VRM vendors tracked by Gartner. He says third-party suppliers, in fact, are believed to be the source of as much as 70% of the network breaches that occur today.

Professional cyber criminals are fully aware of the capabilities of the multimillion-dollar security systems that large companies have in place. So they wisely target “the small provider who’s providing some service and who doesn’t have their security controls,” Dambrot says.

Vendors lack knowledge

Meanwhile, all too many third-party suppliers continue to operate either ignorant of, or in denial of, the exposures they’re creating by failing to adhere to security best practices.

“A lot of smaller firms are still struggling with even understanding what they need to do, from a policies standpoint all the way down to the technical controls,” Dambrot says. “Do they have appropriate controls for encryption, identity management and multifactor authentication?”

It’s very early in the ballgame. A Ponemon Institute survey conducted last May found that the majority of the 600-plus respondents agreed that third-party risk was both serious and growing significantly in their organizations.


However, Ponemon found that only a third of those organizations had formal programs in place to manage third-party risks, and only about a quarter of them purchased cyber insurance to reduce the economic impact of third-party risks.

But the potential for elevating internet security, in the longer run, is palpable.

This post originally appeared on ThirdCertainty.

Cyber Attacks Shift to Small Businesses

Small- and mid-sized businesses (SMBs) are increasingly at risk for data breach class-action lawsuits that typically have targeted large corporations.

Large companies are learning to address cyber threats. Hackers are responding by setting their sights on SMBs. So it’s simply more productive and efficient to attack poorly protected companies that could take weeks or even months to notice they’ve been breached.

As the risk of exposure moves downstream, the associated class-action lawsuits surely will follow. Statistics from the Identity Theft Resource Center show that the number of data breaches reported in 2016 exceeded 2015 levels by 40%, a worrying trend for those in the small business sector that likely will bear a greater percentage of those breaches going forward. The data stores held by SMBs may be smaller, but they’re no less rich in value to hackers. They contain financial data, healthcare information and other tantalizing personal details.

Security falls short

Unfortunately, because SMBs often lag behind larger companies in the sophistication and scope of their defensive measures, they’re much more susceptible to litigation centered on charges of negligence or a lack of due diligence. Exposures in the SMB sector also could go undetected for long periods, leaving more records vulnerable and increasing the size of the victim pool that may be interested in suing.


Smaller firms’ responses to the risk of cyber attack and litigation depend largely on their industry. Even the smallest healthcare entities are typically well-adapted to address potential data breaches and cyber risks. Long-standing mandates such as HIPAA — as well as a robust, centralized breach-reporting mechanism — have made companies in the medical space a little paranoid about their heavily regulated environment.

Behind the curve

Other small business sectors aren’t as prepared for the risk of a breach. Outside healthcare, the professional services industry, including legal and accounting, is much less aware of where threats exist or how to mitigate them. Many small firms don’t understand their responsibilities regarding data privacy or how data breach notification laws apply to them. Without a good awareness of data privacy concerns, obligations and solutions, these businesses are easy targets for any hacker who happens upon them.

Litigation bills add up

Data-breach class-action lawsuits can result in million-dollar judgments, but devastating costs may be incurred even if a settlement never materializes. A breached small business still needs to defend itself against litigation, and that takes money. Between legal counsel, forensic investigations, data recovery and any other steps the company may be required to take, the company is likely to incur significant financial penalties no matter which way the lawsuit goes.


Some SMBs are realizing they aren’t prepared for a cyber attack. The truly savvy ones are waking up to the prospect that, just as with the professional and employment liability insurance they already have, it would be wise to pursue coverage to defray defensive and recovery costs around their cyber liabilities. With the specter of more breaches — and more class-action lawsuits — coming down the pipeline, SMBs must find a way to minimize the threat of exposures while also putting protective measures in place should they find themselves facing litigation.

This article was originally posted on ThirdCertainty. It was written by Eduard Goodman.