With an increasingly interconnected and technology-dependent society, awareness of cyber risks has grown, and these are being increasingly discussed by risk managers and company decision-makers. Following the outbreak of the COVID-19 pandemic, firms rapidly turned to virtual ways of doing business to cope with limited mobility and face-to-face gatherings.
“The pandemic and transition to fully remote work made companies extremely vulnerable to cyberattacks,” said Steve Prymas, chief insurance officer of Embroker. “Companies lacked the security measures to keep their information safe while employees worked from home across a distributed IT infrastructure. Cybercrime, including everything from theft to data hacking, has increased 600% since the beginning of the pandemic. In response to this there has been a dramatic increase in the need and demand for cyber protection.”
According to Prymas, cyber risks can be classified into four main categories: extortion (ransomware), malware, phishing and cloud vulnerabilities.
“Ransomware, the most covered in the media, is malicious software that attacks a company and restricts users’ access to it until a ransom is paid out,” Prymas said. “Malware is another type of software that is intentionally designed to attack a business and cause damage to a computer, server, client or computer network. Phishing is the practice of sending fraudulent messages to businesses in order to reveal sensitive information. Cloud vulnerability is when a hacker gains access to a business’ cloud through unauthorized use of employee credentials or improper controls.”
However, there is a fifth classification of cyber risk, and it has less to do with electronic devices or software than the first four.
“One less-known risk that affects businesses is indifference or a false sense of security,” Prymas said. “According to a survey by Embroker, 63% of small business owners in the United States do not think they are at risk for an attack. The US Department of Homeland Security states that 50-70% of ransomware attacks are aimed at small to medium-sized businesses. Yet, our forthcoming survey demonstrates that only 28% of these business owners have coverage for cybercrimes. Because business owners do not understand the risks they are facing, this is a serious risk to the livelihood of the company.”
Small businesses’ lack of awareness of cyber risk has turned ransomware into a lucrative enterprise for unscrupulous individuals. According to Prymas, it doesn’t cost much to form and run a ransomware organization, which makes small businesses a perfect target for a quick profit.
Prymas emphasized the importance of awareness in combating cyber risks, as well as admitting that one’s organization isn’t bulletproof.
“Increasing awareness is the first step companies can take to effectively manage emerging cyber risks,” he said. “All companies, no matter the size, are at risk of an attack. Managing these risks requires a proactive approach rather than a reactive one. This starts with dedicated leadership and staff, and of course ensuring that IT infrastructure is protected with the right cybersecurity tools.”
Another important step is for companies to educate their entire workforce on risk prevention.
“Human conduct, patch cadence and multi-factor authentication are three steps companies can take to ensure they’re not exposing themselves to hackers,” Prymas said. “An estimated 60% of small businesses who have faced an attack fail within six months of that attack. Businesses need to prepare themselves in case of a , as it can make the difference in whether a company will survive or not.”
Even with due diligence, a cyber attack is not a question of if, but when. This is where insurance comes in.
“Another way for businesses to prepare for cyber attacks is by keeping up with what their cybersecurity insurance policies cover to get the right protection from these risks. As new risks emerge, companies need to be proactive and communicate their needs from their insurers.”
According to Prymas, Embroker recently launched a standalone cyber insurance product to help companies being underserved by commercial insurance carriers.
“This new cyber insurance product covers financial losses due to data breaches and other cybercrimes that may compromise sensitive company and customer information,” he said. “A few of the protections offered in the cyber insurance product include privacy liability, data breach response and forensics, social engineering, extortion (ransomware) and business interruption.”
These risks are expected to remain even after the pandemic subsides, as many changes in business and social behaviour are here to stay.
“Businesses are switching to permanent hybrid work models, leaving them more vulnerable to cyber threats,” Prymas said. “The threat landscape will continue to expand as hackers become smarter. Cyber policies will need to change with the landscape to continue keeping businesses safe.”