Cybersecurity has gone mainstream as attacks on critical infrastructures—such as Colonial Pipeline and JBS—affect the supply chain. And it's the costs—both monetary and reputational—that are driving businesses to sit up and listen to experts (and take steps to protect their organizations).
The average cost of a data breach rose 12.7% from 2020 ($4.24 million) to $4.35 million in 2022, according to a 2022 IBM report, a sign that things might get worse before they get better.
Business leaders realize the risks, listing cyberattacks as a top concern. Forty percent of executives named the increasing number of cyberattacks as a top risk to their business—above talent acquisition and rising production/supply chain costs.
Ransomware tops the list
More specifically, a form of cyberattack called ransomware is a growing concern for business owners. Ransomware is a form of malicious software attackers use to encrypt or destroy files, forcing victims to pay a ransom to regain access. Many current ransomware variants lock up networks and deny access to business-critical data.
The World Economic Forum reported that "80% of cyber leaders stressed that ransomware is a dangerous and evolving threat to public safety," with 50% of respondents saying that ransomware is one of their greatest concerns when it comes to cyber threats.
"When a lot of companies get hit with a ransomware attack, they aren't sure what to do," said Paul Tucker, chief information security and privacy officer, BOK Financial®. "But the one thing they need is to be more strategic in their planning."
That begins with companies building more cyber resiliency into their systems.
"If you don't have cyber resiliency built in or the plans to recover and adapt, what does this mean for your business?" he encourages businesses to ask. "Are you not going to be able to operate? Will you have access to critical info? If not, this will affect your bottom line."
The biggest threat we've continued to encounter through the pandemic is more people working from home and using online services more than ever before, said Tucker. "The use of cloud-based services has expanded, but so has the risk. Companies don't understand what their attack surface looks like. If you can't see something, you can't protect it."
Security providers echoed that warning. "The future of cybersecurity is almost certainly automation and simplicity; it's crucial for companies of all sizes to be able to make informed decisions from their cybersecurity tools regardless of the end users' expertise level," said David Norlin, chief information security officer at Lumifi Cyber. "Accessibility is key because you shouldn't need to be an expert in cybersecurity to understand your risks."
Managing cyber risk
Once companies have identified their cyber risk portfolio, they should focus on three ways to manage cybersecurity, said Sean Pechan, risk management practice leader at BOK Financial Insurance.
- Abstain from the risky practice. (But are you going to get rid of computers? Likely not.)
- Manage the risk. Identify what the risks are and find ways to mitigate them.
- Transfer the risk. This is where cyber insurance comes in to help share some of the risk.
"While cyber insurance doesn't change or eliminate the risk, it does help manage your operational cyber risk," Pechan said.
In the past, businesses would consider cyber insurance to cover their liability for a data breach involving sensitive client information, such as Social Security numbers, credit card numbers and account information. Coverage includes:
- Forensic costs related to identifying and fixing the breach, sending notifications and crisis communications/public relations.
- Network security costs for regulatory fines and penalties related to data loss.
- Negotiation services related to cyber extortion and ransom demands.
- Cyber business services and costs associated with business income loss when network-dependent revenue is stalled.
- Data restoration services for recovering data, systems and programs.
"That has changed in the last couple years as ransomware has grown so common that essentially any person or company could be impacted," Pechan added. As a result, the cyber insurance marketplace now places far more weight on whether a company has implemented risk management controls.
"As claims have increased and caused premiums to rise, underwriters are also making more demands on companies to even secure insurance," he said.
Some baseline requirements for companies to be insured include:
- Implementing multi-factor authentication (MFA) across all users and systems.
- Investing in endpoint detection software, which blocks malicious activity on networks and detects suspicious system behavior.
- Investing in email filtering software.
- Limiting access to systems by outside vendors.
- Providing user awareness training.
"There's increased focus now on enhancing a company's risk management protocols so they are more viable and insurable," Pechan said. This means implementing best practices and solutions aimed at protecting software systems and the network from external threats.
Businesses also need to understand the limits of cyber insurance, he said.
"The benefits of this kind of insurance are in the forensic needs, legal expertise, breach coaching, regulatory consulting, brand management—all of these should be involved in a comprehensive cyber protection program and insurance policy," Pechan said.
While underwriters are increasing requirements, insurance companies are also increasing the costs to protect businesses. The escalating number of ransomware attacks and geopolitical tensions are only a few of the factors driving the cost of cyber insurance up—the median rate increase was 37% in the first quarter of 2022, although some larger enterprises saw increases of 83.3% during the same timeframe.
How to better prepare
There's a saying, "By failing to prepare, you are preparing to fail." The same can be said for businesses assessing their risk.
"Businesses need to do something to take the first steps toward preparing themselves for a cyber incident," Tucker said. "What I've seen in some of the companies we work with, when they get hit, they don't know where to start. Having a plan in place ahead of time is really key."
Tucker and Pechan offered tips for businesses on where to start:
Know what your assets are. Tucker stressed that you can't protect what you don't know about, so having a list of all your business assets—including cloud services, software, etc.—is a critical piece of the puzzle when determining what your cyber risk might be.
Invest in employee awareness training. Training employees on how to recognize and respond to things like phishing attempts can improve a company's security posture by making employees one of the first lines of defense against attackers. "If you have only $1 to spend on cybersecurity, spend it on awareness training," Tucker recommends.
Phishing attacks are responsible for more than 80% of reported security incidents—and employees are the biggest target, according to Cisco. Phishing is the practice of cybercriminals sending emails that appear to come from reputable companies in an attempt to convince recipients to reveal personal information such as passwords, account numbers or credit card numbers.
Engage a managed security services provider (MSSP). MSSPs offer security as a service to your business, keeping IT systems secure and compliant. MSSPs not only help protect the organization day to day, but also help it navigate the aftermath of a breach or cyberattack. They monitor and protect technology systems and are able to respond quickly to threats.
Have a plan ready. Ideally, an organization should have an incident response plan in place that outlines step by step how it will respond to a cybersecurity incident, along with regular preparedness exercises that allow it to identify gaps in that plan before an incident occurs.