There’s been a significant amount of chatter around Cybersecurity Insurance for SMBs. Insurance carriers and underwriters are ratcheting up requirements for getting a policy, and the attestations are getting more and more intense. Of course, this makes things harder when you’re an SMB looking to get protected, but let’s unpack this a little more.
Cybersecurity is a threat on all fronts
Cybersecurity in the private sector is a multi-faceted problem. It threatens national security, economic security, and endangers workers and consumers at the same time. According to a 2019 article from the Small Business Administration, small business is a HUGE part of the economy:
SMBs create two-thirds of net new jobs,
SMB accounts for 44% of U.S. economic activity,
Small business generates 43.5% of the U.S. GDP (down from almost half).
That’s a MASSIVE chunk of the economy in the United States. That doesn’t account for other countries, and the total impact on the world economy is no doubt significant. It’s not hard to quantify the economic impact of SMB, let’s talk about the other issues.
Some folks have called me dramatic for saying this, but its true for many reasons. First and foremost, many government agencies are served by SMBs. The Federal Government does specific SMB set asides (which is amazing, but the rate of compliance/security barrier violation is astronomical). The same rings true for state and local government, critical infrastructure organizations, and more, many of these orgs contract with small businesses for all kinds of different services. The impact of an SMB breach can have far-reaching, long-lasting consequences.
This one should be obvious. We have a ton of data about our employees and customers. Names, addresses, DOB, SSN, payment data, shipping data, order history et al. All of that data is sensitive and needs to be protected. A compromise could compromise someone’s identity, operational security, or even physical safety.
Every business has sensitive data to protect.
Small Business is High Risk
Unfortunately, this is just an “is what it is” conversation. Small businesses, be default, fall into a higher risk category when it comes to cyber. But why? Here’s how I would look at it as an insurance carrier:
Little to no Standardization
Very few small businesses have real cybersecurity plans. They might have a firewall and an AV, hopefully even MFA. But there’s no framework or strategy in place to document how each piece of technology, each policy, and each operational decision supports the overall security mission.
No Security Culture
Small businesses (in general) simply do not prioritize cybersecurity. It’s an afterthought. A security culture puts security top of mind, and inserts it into every critical decision making process. New piece of technology? How do we secure it? New line of business? What’s the cyber risk?
The cost of inaction is exponentially greater than the cost of action.
Lack of Resources
Cybersecurity professionals are expensive, and rightfully so. If you truly invest in learning proper Cybersecurity from a technical, tactical, and operational standpoint, you’re liking spending a lot of time and money. There’s a shortage of these professionals, and it manifests in higher cost. However, without these types of resources, it’s much more difficult to develop cyber plans, so the insurance companies need to see proof that steps are being taken.
Lack of Technology Adoption
Technology is one of the pillars of cyber. It’s equally as important as policies and overall strategy. The best technology is just now scaling down to the SMB market through the channel, but the adoption hasn’t been great. This falls into categories like SaaS/PaaS options such as Microsoft 365 and current-gen security platforms such as SentinelOne and SOC providers.
If we equate the state of SMB cyber to other insurance (let’s say car insurance), the risk profile is not great. It’s sort of like insuring a driver with 99% certainty they’re going to get into a major accident.
How insurance companies must react.
Insurance companies are in the risk business. They assess your risk, score it, and decide what they’re willing to cover. As a result, we’re seeing insurance questionnaires morph to make you attest to having price of admission security. Items such as MFA, managing privileged access, et al. are no longer nice to haves. They are a minimum barrier for cybersecurity. The same goes for third-party risk, anyone with access should be equal or greater in cybersecurity maturity.
Every piece of technology is attackable, so every piece of technology is in scope of needing protection. Endpoints, servers, cloud services, networking devices, and the like all create attack surface. You can help here by reducing the attack surface of these items. For example, no server means no server to secure. Being on M365 means more of the burden is on Microsoft when it comes to infrastructure, networking etc.
How do we REDUCE risk?
You can’t eliminate risk. Having a piece of technology is risky, period. What we can do is reduce it and mitigate it. The cool thing is that the goal of the insurance company, the client, and you are identical. They want to reduce risk, you want to reduce risk. Here’s a couple of ideas I’m chasing with the team now:
This is the most useful thing you can do. Adopt something like the CIS controls (start with implementation group 1). Being able to say “yep we’ve applied this CIS controls, here’s the underlying policy, and the technical execution” looks good for everyone. It’s also much easier to make smart security decisions when you can weigh it against your framework.
If you’re an MSP or Solutions Provider, standardize how you do security. Establish price of admission for working with you. It should include the minimum price of admission for cybersecurity practices. Aligning things to a framework will make it easier to explain this to your clients and create workplans to get more and more aligned.
Start with your house!
Again, if you provide IT services, you should be the spitting image of mature cybersecurity operations. Put security first, not last. Put it into every decision, and align internally to a framework such as CIS. And be strict about it, don’t make exceptions. If you’re the owner, you should have the same restrictions as everyone who works for you.
In conclusion, cybersecurity coverage should be “harder” to get. But really, they’re just enforcing minimum barriers to entry. I think this is a great opportunity to push cybersecurity first to everyone you work with.