How Cyber Insurance and Cybersecurity Services Protect Your Sensitive Data

The number of cyberattacks against businesses of all sizes is growing daily. Attacks with data-encrypting ransomware can cripple a business by making it unable to service internal and external users. Malicious phishing campaigns attempt to compromise login credentials to enable unauthorized access to sensitive data resources. Maintaining the security of a company’s information technology (IT) environment has never been more important.


Over 40% of attacks are perpetrated against small and medium-sized businesses (SMBs). The effects of an attack can be extended downtime and lost customers. It can also involve the loss of sensitive information that can lead to regulatory penalties. In some cases, companies can be put out of business by the impact of a successful cyberattack.


We are going to look at how combining the benefits of cyber insurance and cybersecurity services helps protect companies from the damaging effects of a cyberattack.


What Makes a Company a Target for Cybercriminals?

Any company that stores or processes sensitive information is an attractive target for cybercriminals. Two types of data in particular are prized by cybercriminals.


  • A company that accepts credit card payments processes sensitive data that is subject to the Payment Card Industry Data Security Standard (PCI-DSS) regulations regarding its privacy and security. In the modern world of e-commerce, this encompasses virtually every business with an online presence. Failure to adhere to the regulations can lead to substantial financial penalties.
  • Companies operating in the U.S. healthcare industry also process sensitive protected healthcare information (PHI). Privacy and security standards for this data are defined in the Health Insurance Portability and Accountability Act of 1996 (HIPAA). In the event of a data breach, companies found to be in noncompliance with HIPAA regulations are subject to serious monetary fines.


Compromising these data resources provides sensitive information about individuals that can be used by criminals. The fact that these data types are regulated makes it even more important for businesses to eliminate data breaches. Businesses holding regulated data may also be more willing to meet the demands of a ransomware gang to avoid adverse publicity.


What is Cyber Insurance?

Businesses processing sensitive information need to take every step necessary to maintain its privacy and security. They also have to protect themselves in the event that, despite their best efforts, a data breach involving sensitive data occurs. Cyber insurance offers that protection.


Cyber insurance is also called risk insurance or cyber liability insurance coverage. It’s an insurance policy that helps protect an organization in the wake of a cyberattack. The insurance is designed to assist a business in reducing operational disruptions and recovering after a successful attack. Cyber insurance can also help defray the financial costs of the attack and a company’s recovery efforts.


Items commonly covered by a cyber insurance policy include:


  • Lost revenue due to downtime or encryption of the customer’s IT systems;
  • Lost revenue due to downtime or encryption of a third-party provider’s IT systems;
  • The costs of meeting ransomware demands;
  • Costs associated with recovering systems and data resources;
  • Network security and privacy liability;
  • The expenses of responding to and remediating a data breach.


Various types of cyber insurance policies are available from reputable insurers like DataStream Cyber Insurance. The coverage from a viable policy that provides resilience against cyberattacks should include:


  • Data breaches – Assistance with breach response and remediation;
  • First-party liability – Provides coverage to first parties regarding issues such as system failure, fund transfer fraud, and loss of employee devices;
  • Third-party liability – Ensures customers are protected across their supply chain;
  • Business interruption – Covers the cost of restoring business operations;
  • Cyber extortion – Provides legal and IT experts to handle ransomware attacks.


A cyber insurance policy can be the difference between a company surviving or failing after a cyberattack. While the goal should always be to prevent data breaches and cyberattacks, no defense is foolproof. A breach can occur due to human error or a malicious insider that subverts a company’s security strategy. Cyber insurance enables an organization to recover and continue to operate its business.

What are Cyber Security Services?

Many small businesses lack the in-house resources to implement a successful cybersecurity strategy. Cyber security services are methods and techniques offered by a managed service provider (MSP) that strengthen an organization’s IT security. MSPs implement industry best practices to address any vulnerabilities in a company’s security standing.


A wide range of cyber security services are available that can be tailored to an organization’s business requirements. The following cyber security services are among the offerings available from a reliable MSP.


  • Managed firewall – A managed firewall protects a customer’s network while allowing them to concentrate on their business. Each network layer is protected with security that exceeds industry standards.
  • Intrusion protection – An intrusion protection system works in conjunction with network firewalls to identify and prevent threats in real-time.
  • Anti-malware protection – Cybersecurity includes identifying and eliminating malware before it can damage a company’s infrastructure and data resources.
  • Managed VPNs – This service manages, maintains, and resolves problems with your VPNs so remote employees can securely access company assets.
  • Multi-factor authentication (MFA) – MFA is one of the best ways to minimize unauthorized access to company IT resources. An MSP will assist in configuring MFA to secure an organization’s infrastructure.
  • Onsite and offsite backups – Maintaining backups for recovery from human error or cyberattacks is critical for data-driven companies. Backups should be taken regularly and sent offsite for disaster recovery.
  • Vulnerability assessments – An MSP can perform initial and ongoing vulnerability scans to identify security gaps. Assessments need to be performed regularly in dynamic environments where change is constant.


Some MSPs offer security service packages designed to address the security concerns of regulated industries. Healthcare organizations can implement HIPAA-compliant security measures to protect patient information. Companies processing credit cards can take advantage of cyber security services that address compliance with PCI-DSS standards.


The Benefits of a Comprehensive Approach to Cybersecurity

A comprehensive approach to cybersecurity includes both cybersecurity services and cyber insurance. While cyber insurance is designed to assist companies affected by a cyberattack, security services are meant to prevent or minimize the impact of an attack. You can think of security services as contributing to an organization’s first line of defense against cybercriminals. Cyber insurance is available to address threats that slip through the defenses.


Beginning with a vulnerability assessment, Atlantic.Net will identify areas that need enhanced security. They can specifically address the needs of companies requiring a HIPAA or PCI-compliant infrastructure or configure security services to fit your business needs. Regularly repeated scans will ensure that no new cracks in the defenses have opened and that all new infrastructure components are protected.


DataStream will analyze your current IT and cybersecurity stack when you engage them as your cyber insurance provider. They show you how your security risk compares to other organizations of similar size. Their cyber risk analysis incorporates over 3,000 risk factors to produce a comprehensive view of your security standing.


The combination of cybersecurity services from Atlantic.Net and cyber insurance from DataStream Cyber Insurance provides the maximum level of protection against cyberattacks. The risk of a successful cyberattack will be minimized and you will be protected if something does slip through.


About the author

Robert is a regular contributor and blogger for Atlantic.Net living in Northeastern Pennsylvania who specializes in various information technology topics. He brings over 30 years of IT experience to the table with a focus on backup, disaster recovery, security, compliance, and the cloud.

Constant Vigilance Is the Price of Cybersecurity


Change takes time, but it seems that businesses in general, not just large enterprises, are realizing that cybersecurity isn’t a fad but a key part of most modern businesses. Wayne Hunter, Founder and CEO at AvTek Solutions, Inc., has been preaching that message for years and we recently had the chance to interview him.

Something unique about AvTek that shows how seriously they take cybersecurity is their $1M guarantee against ransomware. If ransomware gets past the defenses they erect for your company, they will pay $1,000 per endpoint, up to $1M. This guarantee runs alongside their “no risk switch.” If you’re not happy within 30 days of coming to AvTek, they will help move you to another vendor. And moving vendor is easy at any point because AvTek believes in earning a client’s business every day, so they don’t require long-term contracts.

Phishing Attack

Wayne shared an insightful story about a construction company that AvTek had been working with for years. The company had many recommended safeguards in place that allowed AvTek to help recover the working environments — during a relatively short amount of time — that got frozen in a phishing attack. But the solution that would have helped them get up and running faster was immutable storage, which they had resisted implementing.

Immutable Storage

One of the advantages of cloud data is that it’s accessible from multiple devices, but that access also exposes the data to more vectors of risk. An immutable backup is a write-once-read-many format that cannot be changed, edited or overwritten. Read-only files cannot be lost, deleted, corrupted or encrypted in a ransomware attack.

Immutable storage can also be time-limited: the user specifies a retention period, and files can only be updated or deleted again once that period has expired.
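The write-once-read-many behaviour and the retention period described above, as an added in-memory simulation written for this article (it is not code from AvTek, the original post, or any storage vendor). It models only the enforcement logic; in a real product that logic must live on the storage server or appliance, so that a client holding stolen backup credentials cannot shorten the lock or delete early. The backup contents, key names and the 30-day retention period are constructed sample values.

```python
"""Retention-locked (WORM-style) backup store, simulated in memory.

Added example for this article; not code from the original post or from any
vendor's product. Sample data and retention values are constructed.
"""
from dataclasses import dataclass
import time


class ImmutabilityError(Exception):
    """Raised when a write or delete would touch a retention-locked object."""


@dataclass
class StoredObject:
    data: bytes
    retain_until: float  # Unix time; the object is locked until this moment


class FakeClock:
    """Controllable clock so the demo (and its checks) are deterministic."""

    def __init__(self, start: float = 0.0) -> None:
        self.now = start

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


class RetentionLockedStore:
    """Write-once-read-many store with a fixed retention period per object."""

    def __init__(self, retention_seconds: float, clock=time.time) -> None:
        self.retention_seconds = retention_seconds
        self.clock = clock
        self._objects: dict[str, StoredObject] = {}

    def is_locked(self, key: str) -> bool:
        obj = self._objects.get(key)
        return obj is not None and self.clock() < obj.retain_until

    def put(self, key: str, data: bytes) -> None:
        """Create a new object, or overwrite one whose retention has expired."""
        if self.is_locked(key):
            raise ImmutabilityError(f"{key!r} is retention-locked; overwrite refused")
        self._objects[key] = StoredObject(data, self.clock() + self.retention_seconds)

    def get(self, key: str) -> bytes:
        return self._objects[key].data

    def delete(self, key: str) -> None:
        if self.is_locked(key):
            raise ImmutabilityError(f"{key!r} is retention-locked; delete refused")
        del self._objects[key]


def attempt_overwrite(store: RetentionLockedStore, key: str, payload: bytes) -> bool:
    """Model ransomware trying to replace a backup with ciphertext; True if it succeeded."""
    try:
        store.put(key, payload)
        return True
    except ImmutabilityError:
        return False


def attempt_delete(store: RetentionLockedStore, key: str) -> bool:
    """Model an attacker (or an operator mistake) trying to delete a backup."""
    try:
        store.delete(key)
        return True
    except ImmutabilityError:
        return False


def demo() -> dict:
    """Walk one backup through an attack inside the retention window and a
    legitimate cleanup after it. All values below are constructed samples."""
    clock = FakeClock()
    day = 24 * 3600
    store = RetentionLockedStore(retention_seconds=30 * day, clock=clock)
    key = "backups/fileserver-full.bak"
    clean = b"clean full backup (constructed sample)"
    store.put(key, clean)

    # Day 10: ransomware holding the backup account's credentials tries to
    # encrypt the copy in place and then to delete it. Both are refused.
    clock.advance(10 * day)
    overwritten = attempt_overwrite(store, key, b"\x00ENCRYPTED\x00")
    deleted = attempt_delete(store, key)
    intact = store.get(key) == clean

    # Day 31: retention has expired, so normal lifecycle management works again.
    clock.advance(21 * day)
    deleted_after_expiry = attempt_delete(store, key)

    return {
        "overwritten_during_retention": overwritten,
        "deleted_during_retention": deleted,
        "backup_intact_after_attack": intact,
        "deleted_after_expiry": deleted_after_expiry,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The retention period is the control that matters: it has to be longer than the time an intruder can sit in the environment before the attack is noticed, otherwise the locked copies expire before anyone needs them. A client-side "read-only" attribute that the same credentials can clear is not immutability in this sense.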

Business Functions Impacted in a Cyberattack

While some might think that a construction company would be less impacted than others by a cyberattack, the company faced three problems that are common in a cyberattack:

  • Work in Progress (WIP) can’t be billed. You likely cannot access information to see what has been invoiced, send invoices or receive payments.

  • Proposals can’t be accessed. Any information that had been gathered for a bid is locked away.

  • Payroll. Many employees are having their time tracked electronically and, without access to systems, you can’t figure out what people are owed. Even if you could, you might not be able to pay them using the traditional payroll system.


Smaller Businesses Get It

Wayne also shared that while some enterprise-level companies may move more slowly on implementing a full suite of protections against cyberattacks, smaller businesses are more and more “getting it” when it comes to cybersecurity. They’ve come to realize that even though they are smaller, with client lists of 50, not 5,000+, they represent part of a larger scheme. By getting access to those 50 clients, cybercriminals can keep going and soon have thousands of victims.

Practice What You Preach

Wayne knows that it can be annoying to have to use MFA and other security measures. He knows because he has the same measures in place at AvTek that he recommends to his clients. Not only does this protect AvTek but it also gives them a sense of the user experience — invaluable when framing the sale as well as for the onboarding process of new clients.

Wayne reminds himself every time he enters a password on an internal system that information is at risk and that without these measures, there’s every chance that AvTek (and by implication, all their clients) will be attacked and exposed.

Even though Wayne explains to clients that what he is proposing is what he does in his own company, change is still hard. But Wayne welcomes having those difficult conversations and documents when clients refuse to take certain measures. Every quarter he will go back to them and continue to beat the drum for change. “Documentation and communication,” he says. Clients may still refuse but Wayne will have proof that he’s been doing his job.

A Security Triangle

Part of that communication has to exist within your cybersecurity solution, as well. Cybersecurity isn’t just the measures you take. It’s the compliance you ensure you are meeting for your industry. It’s also the insurance you have in case anything goes wrong. Wayne advocates for an open line for communication — and collaboration — between these three partners. Silos between these partners can undermine the very cybersecurity that companies are trying to establish. Wayne emphasizes that “completing that circle” between these partners offers a much better security posture.

Now, if you’re dealing with a managed services provider (MSP) like AvTek, two angles of that triangle might be with the same provider: Wayne and his team provide both cybersecurity solutions and compliance assistance. There is the chance of a conflict of interest there and Wayne provides an analogy:

“If I’m walking out the door, I might always think I look good. But if I ask my wife, she might not agree.”

To guard against this, AvTek puts in checks and balances to ensure that compliance and security are looked at as the separate issues they are, rather than a blurred combo of the two which can lead to more risk.

If the worst happens, you’re going to want the best financial, legal and technical support to get you back up and running again. With cyber insurance from DataStream, we find the most comprehensive insurance coverage on the market alongside critical post-incident customer support. 

The Future of Cyber Insurance: Why Cyber Insurance Isn’t Going Away Anytime Soon

The cyber insurance market has faced challenges in recent years. Increased ransomware attacks have driven higher loss ratios. Russia’s attack on Ukraine has raised concerns about catastrophic global cyber events. With news that the U.S. government might create a government-backed national cyber insurance program, some people wonder whether private cyber insurance will become obsolete. The IT and cyber security community has questions about the future viability of the cyber insurance market.

We want to understand the potential threats to the cyber insurance market. We see three main risks from these threats:

  1. Insurance companies who are worried about large potential losses.
  2. The government creating a national cyber insurance program that will crowd out the private market.
  3. Prices for cyber insurance becoming so expensive that the coverage becomes unappealing to most.

Although these threats can disrupt the future of cyber insurance with some plausibility, ultimately we find them unlikely. Let’s take each in turn.

The fear that insurance companies will simply retreat from the market due to the threat of large potential losses may be the most pressing concern. We can assess this threat better with some perspective on the history of the overall cyber insurance market and its position in the global insurance market.

Although 2021 was a bad year for cyber losses, the overall performance of the cyber insurance market in its 20-year history gives us confidence. Cyber insurance continues to be among the most profitable lines of business for global property and casualty (P&C) insurance. For more than 10 years, the cyber insurance market has grown steadily and is likely to continue growing.

Cyber risk continues to be among the top three risks cited by global risk managers, affecting every aspect of business and society. From cars to manufacturing and building systems, to the very nature of workers’ everyday lives, technology affects every area of business and thus the insurance covering the risks it brings with it. Therefore, insurance companies struggle to ignore the attractiveness of the growing and profitable cyber insurance market, particularly in a world with few other options.

Rather than avoid the market, insurers are trying to improve their overall performance in cyber insurance. They are increasing prices and tightening underwriting standards with more requirements for cyber security. How these changes impact loss trends has yet to be fully visible, but overall prices and requirements have moved at a greater pace in 2022 than in the previous two years.

Perhaps the greatest risk for massive losses is the risk of a nation-state-related catastrophic event. We see the insurance industry addressing this concern now.

Since the early days of insurance, insurance companies have recognized that war can create enough damage to bankrupt the entire industry. Every insurance policy, including cyber, excludes war-related losses. However, determining when a nation-state-related cyber attack constitutes a “war-like” action is a legal gray area.

Therefore, some insurance companies have started explicitly redefining “war” to include these nation-state-related attacks. For example, as of July 2022, Lloyd’s requires that cyber policies exclude coverage for nation-state-related attacks. Although this change might see painful losses for individual companies in the short term, it allows the cyber insurance market to thrive in the long term. By excluding these exorbitantly expensive and difficult-to-model losses as “war-related actions,” this change essentially aligns cyber insurance with more traditional insurance.

Recognizing nation-state-related cyber attacks as war-related actions leads to the second main risk: the U.S. government might create a national cyber insurance program to protect companies from these attacks, and companies might then decide that private cyber insurance is no longer necessary.

Rather than replace a functional private market, we find that the U.S. government typically intervenes only where the private market struggles to provide coverage. For example, after the 9/11 terrorist attacks, Congress enacted the Terrorism Risk Insurance Act (TRIA) to provide government-backed funding for insured losses from large-scale acts of terrorism. This successful program is a potential model for a cyber insurance fund for nation-state-related attacks, which can then be included in private cyber insurance policies.

Finally, the third threat—that prices will become so high as to make coverage unappealing to most companies—is also possible but unlikely. Cyber insurance is relatively inexpensive, often less than 10% of a company’s total cyber security expenses. We do expect the application and underwriting process to get longer and more involved, as underwriters bring more requirements and scrutiny to these risks. However, we also see insurance companies and technology firms working together to reduce the frequency and severity of cyber attacks. Efforts to reduce catastrophic events help make long-term price increases more manageable.

We expect cyber insurance to continue to be a vibrant and growing market, with the entrance of more companies offering more and better protection. Even as we see some volatility and change in the near term, as underwriters refine their process further and governments find their role, we expect cyber insurance to be essential for many companies for a very long time.

End-User Education Is the Last Mile of Cyber Security


While we do believe that technology is part of solving the cybercrime puzzle, we know that it can’t help companies that don’t have leaders and end users who understand the technology, and more importantly, the cybercrime realities that make that technology a necessity in today’s business environment.

Bruce Nelson, President at Vertilocity, emphasizes the importance of end-user education. He recently sat down with us to discuss this and give real-life examples of how lack of end-user education plays out in bad outcomes for organizations.

A Spear Phishing Attack

Spear phishing is an attempt to acquire sensitive information, or access to computer systems, by sending counterfeit messages.

This type of attack often targets a specific person, or group, and will include information known to be of interest to the target, such as financial documents or current events.

Like other insidious forms of attack that use social engineering, this type of attack takes advantage of basic human nature, including:

  • A desire to be helpful.

  • Providing a positive response to those in authority.

  • Responding positively to someone who shares similar tastes or views.

In the example that Bruce shared with us, the threat actor was able to gain access to the email of a third-party project manager who worked between two IT firms that serviced one client. The victim managed projects and made sure that everyone was on the same page. The problem was, he was using a standard Gmail account for all this correspondence.

Don’t Use Personal Gmail for Business

We should note, it’s never a good idea to use a personal Gmail account for business. Apart from signaling a lack of professionalism by having @gmail.com as part of your work email address, you’re also advertising to cybercriminals. You’re letting them know that you’re on a version of Gmail that doesn’t offer much support in case something goes wrong (it is free, after all) and you’re also advertising that you’re not someone who takes cybersecurity that seriously.

Message received: this professional had his Gmail breached and the threat actor was able to read messages between all parties. The threat actor then sent a well-crafted, legitimate-looking email to the controller of Bruce’s client, one of the parties involved.

The email was asking the controller to update banking information. Since the email had come from a familiar Gmail account, it didn’t raise any red flags and the banking information was duly changed.

Almost three months passed before the real vendor called asking if something was wrong, as they hadn’t received payments for months. The controller was confused and sent over proof of payments…going to the new account. The problem was, of course, that the vendor never changed their banking information. The threat actor got cash and disappeared.

What went wrong? Clearly, the end user was not educated enough in the scams being used today. Instead of following up with a short phone call after receiving the request to update the banking information, they went straight ahead without verification and literally paid the price. As well as user education, you can have systems in place to avoid this type of scam. For example, requiring secondary verification for payments above a set dollar amount, or for certain types of request such as a change of banking details, acts as a sort of “real life” MFA.

Bruce notes three red flags: the request was unusual (banking information doesn’t often change), impactful (this would affect all payments) and urgent (it needed to be done in a certain amount of time).

Bruce also shares an instance in which those three red flags helped a client avoid a scam. The company in question was in heavy acquisition mode and the CFO received what looked like an email from the CEO “greenlighting” an acquisition. But because two of the three warning signs were present (impactful and urgent), the CFO slowed down and was able to see that a few small things were off about the email, and after phone-verifying with the CEO, they realized it was a scam.

The overarching moral: don’t let team members think they will be penalized for slowing down, especially when it comes to financial issues. Better to be too slow in paying something legitimate than too fast in paying something illegitimate.
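The “real life” MFA control and the three red flags (unusual, impactful, urgent) from the preceding paragraphs, as an added example written for this article; it is not code from Vertilocity or the original post. It scores an incoming payment or bank-change request against the vendor record on file and routes anything flagged to out-of-band verification before accounts payable can act on it. The vendor record, the $10,000 threshold, the “twice the typical invoice” rule and the three sample requests are constructed assumptions; a real deployment would read the vendor master and callback numbers from the accounting system, never from the request itself.

```python
"""Out-of-band verification gate for vendor payment and bank-detail changes.

Added example for this article; not code from Vertilocity or the original
post. Vendor data, thresholds and sample requests are constructed.
"""
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    PROCESS = "process"                 # no red flags, within normal limits
    VERIFY_OUT_OF_BAND = "verify_oob"   # phone the vendor on the number on file


@dataclass(frozen=True)
class VendorRecord:
    vendor_id: str
    sender_domain: str      # domain the vendor normally writes from
    phone_on_file: str      # verified independently of any email
    typical_amount: float   # median invoice, used to judge "impactful"


@dataclass(frozen=True)
class PaymentRequest:
    vendor_id: str
    sender_domain: str
    amount: float
    changes_bank_details: bool
    urgent: bool            # sender demands action by a deadline


@dataclass
class Assessment:
    flags: list[str]
    decision: Decision


def red_flags(req: PaymentRequest, vendor: VendorRecord, threshold: float) -> list[str]:
    """Return which of the three warning signs the request shows."""
    flags = []
    # Unusual: banking details rarely change, and the sender domain should match.
    if req.changes_bank_details or req.sender_domain != vendor.sender_domain:
        flags.append("unusual")
    # Impactful: a bank change redirects every future payment; a large amount hurts on its own.
    if req.changes_bank_details or req.amount >= max(threshold, 2 * vendor.typical_amount):
        flags.append("impactful")
    # Urgent: pressure to act before anyone can check.
    if req.urgent:
        flags.append("urgent")
    return flags


def assess(req: PaymentRequest, vendor: VendorRecord, threshold: float = 10_000.0) -> Assessment:
    """Bank-detail changes always go out of band; otherwise a single red flag
    is enough to stop and pause, matching the rule in the article."""
    flags = red_flags(req, vendor, threshold)
    if req.changes_bank_details or flags:
        return Assessment(flags, Decision.VERIFY_OUT_OF_BAND)
    return Assessment(flags, Decision.PROCESS)


def finalize(assessment: Assessment, callback_confirmed: bool) -> bool:
    """True only when the request may be acted on. `callback_confirmed` is the
    outcome of phoning the number on file; a number supplied inside the
    suspicious email itself must never be used for that call."""
    if assessment.decision is Decision.PROCESS:
        return True
    return callback_confirmed


# Constructed vendor record and sample requests (hypothetical values).
VENDOR = VendorRecord("V-1001", "acme-roofing.example", "+1-555-0100", 4_200.0)

SAMPLE_REQUESTS = {
    # Routine invoice from the usual address, normal size, no deadline.
    "routine_invoice": PaymentRequest("V-1001", "acme-roofing.example", 4_100.0, False, False),
    # The article's case: bank change sent from the familiar (but compromised) account.
    "bank_change_from_familiar_account": PaymentRequest("V-1001", "acme-roofing.example", 0.0, True, True),
    # Large, urgent payment request arriving from an address not on file.
    "large_urgent_from_new_domain": PaymentRequest("V-1001", "gmail.example", 25_000.0, False, True),
}


def demo() -> dict:
    """Assess each constructed sample against the vendor record."""
    return {name: assess(req, VENDOR) for name, req in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result.decision.value} flags={result.flags}")
```

Note that the familiar-sender case in the article still gets routed to verification: the sending address matching the vendor record is not evidence of anything once that mailbox is compromised, so the request type itself (a bank-detail change) has to carry the flag.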

Using Our Emotions Against Us

Bruce also shared a story from a conference he attended in which a former FBI agent illustrated just how easy it is for threat actors to target victims. The following is a basic playbook:

  1. Go to LinkedIn and find the CEO of a midsize company and then gather more information that might be available online.

  2. Find out if this person has kids and where they go to school.

  3. Create a legitimate-looking email from that school saying that there’s been a terrible event such as an attack, or a sexual predator has been spotted in the area.

  4. In the email let the parent know that the situation is under control and to learn more, click here and…

You’ve got them. You harnessed the powerful emotions of a parent’s instinct to protect their child and, of course, they click on the unknown link. Note again the three warning signs: something unusual, impactful, and urgent. Those three signs should always cause us to stop and pause before taking action.

Keep It Simple

Bruce shared a simple tactic to help end users get on board with cybersecurity. “Make the secure way also the simplest way. It’s the way to get massive adoption,” he noted. Part of the reason change management is so difficult is not that people resist change in general, but they tend to resist things that take longer, even if they can see the merits of them.

Note the Worst-Case Scenario

It does happen that companies go out of business, or have to take drastic measures to stay alive, after a cyberattack. Employees should note that one wrong click, or following the directions of one wrong email, might cost the company everything, including everyone’s jobs.

If it’s framed as: “all our jobs depend on taking cybersecurity seriously,” team members will be more likely to pay attention.

Have a Plan

Bruce concludes by emphasizing something we hear from nearly all our guests on the podcast. Have a cyber risk assessment done. Have it printed out. Make sure people are designated to lead in the event of an attack.

Cyber risk assessments also have the helpful quality of identifying where the greatest risks lie so that the C-suite can spend the money where it will have the greatest impact (assuming most businesses do not have infinite cybersecurity funds).



Stop Thinking Ransomware Attacks Won’t Happen to Your Business


One of the ways we help business owners wake up to the current realities of cybercrime is by sharing real-life stories. We recently had the chance to sit down with GroupSense CEO & Co-Founder Kurtis Minder to hear some of those stories. Kurtis and his team have hundreds of cases they’ve dealt with, many with Kurtis leading the negotiating team.

You Can’t Always Google Everything

One story Kurtis shared was about a small Midwestern architectural firm that got hit over a holiday period. Their data was encrypted and the backups destroyed.

An architectural firm’s IP is crucial. Think of all the drawings and blueprints, not just for current projects but for those going back decades. These documents are referenced over time and relate to vital infrastructure such as roads, bridges, buildings, etc., not things you want to lose the plans to.

If that wasn’t bad enough, all the machines were encrypted, so they couldn’t use any of their software to do the current work. Everything was at a standstill.

Kurtis noted that he and his team did not actually get the first call. The firm googled the name of the ransomware variant, along with, “How to destroy X.” But just as legitimate businesses pay for Google Ads to get listed at the top of a search, so too do illegitimate companies. They count on a portion of business owners looking for an online DIY fix to their ransomware attack.

Unfortunately, the architecture firm was just headed for the second round. The criminals in the Google ad promised to “decrypt” the ransomware. But they were the middlemen. Using the ransom note — which the architectural firm happily handed over, not considering why that note would be necessary for decryption — these criminals then went onto the dark web. There, they found the original perpetrators and put themselves forward as the original victims looking for the decryption key.

A standard operating procedure for ransomware attacks is that the threat actor then decrypts a small amount of the data to show the victim that they are capable of reversing the damage of the original attack. This can move the victim to pay the ransom. In this case, the ‘Google criminal,’ acting as the real victim, paid for this “mini decrypt” to give the architectural firm some hope. They then acted as a middleman, marking up their cost by 80%. They billed the architectural firm and received payment. These new criminals then disappeared. That’s when Kurtis and his team got the call.

Having been burned twice and with a price for the ransomware decrypt already set by the middlemen criminals, the architectural firm chose to go an alternate route. They went to their email inboxes and found as many files as possible. They emailed them to each other to rebuild their database, which they built back almost in full.

What Businesses Should Do

Kurtis concedes that most 30-person small businesses are unlikely to have a cyber expert on staff and even if they wanted to have one, there wouldn’t be a supply for such a demand.

However, when Kurtis speaks to business owners around the country, the response he often gets is, “Wow, that’s scary, but that’s not going to happen to me.” Wrong. More than 80% of ransomware attacks happen to small businesses and those are just the ones that get the headlines. Many attacks happen around us that never make the news.

Make a Plan

When they do get convinced, however, some of these businesses tend to go overboard, wanting to create a cyber risk assessment that covers every possible contingency. “Don’t let perfect be the enemy of good,” Kurtis warns. Put something basic in place, and of course, when you have it, print it out so it can’t get encrypted and become useless in the case of an attack.

Sweat the Small Stuff

One of the reasons business owners procrastinate over protective measures for their businesses is the thought that it will take time and money to implement them. But this is a misperception.

Kurtis encourages business owners to look at the example of the criminal using Google Ads to ensnare victims. Those criminals are using tried-and-tested practices of advertising to small businesses.

Many of these threat actors are small shops with limited teams and infrastructure. Only a few of them are part of the giant syndicates that make the news. Hence, they are going for low-hanging fruit, which in this case consists of companies who don’t follow basic best practices in cybersecurity. This includes:

  • Basic password policies: not permitting “password1234”, and other lazy practices, and insisting on forced changes more than once a year.

  • Software patches: ensuring that all devices accessing company information and resources are updated to the latest software.

  • MFA: ensuring that users are forced (whether they like it or not) to use multi-factor authentication to ensure the identity of those accessing company resources such as email accounts and databases.

  • Offsite storage: ensuring backups exist that are disconnected from your regular resources, so if those regular resources go down, you can still access the backups.

Believe it or not, most of these small businesses get attacked through one of these avenues, leaving them with the “If only I had done X” feeling.

If companies can’t have a cyber expert on staff, the least they can do is take the basic steps that any cyber expert would if they were on staff: fix passwords, patch software and implement MFA.
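The password item above is the one a small business can check mechanically. The following is an added example (not Kurtis’s material or DataStream’s code) of a password-policy check that rejects “password1234” and its trivially disguised variants, flags company or user names inside the password, and tracks a rotation interval. The denylist is a small constructed stand-in for a real breached-password list, and the 180-day rotation value is an assumption chosen to match “more than once a year”.

```python
import re
from datetime import date, timedelta

# Constructed denylist: a real deployment would load a large breached-password list.
COMMON_PASSWORDS = {
    "password", "password1234", "passw0rd", "123456", "qwerty",
    "letmein", "welcome", "admin", "iloveyou", "monkey",
}

# Character substitutions that look clever but add no real strength.
LEET_MAP = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i",
                          "3": "e", "4": "a", "5": "s", "7": "t"})


def normalize(password: str) -> str:
    """Collapse trivial obfuscations so 'P@ssw0rd1234!' compares as 'password'."""
    stripped = re.sub(r"[^A-Za-z]+$", "", password)   # drop trailing digits/symbols ("...1234!")
    deleeted = stripped.lower().translate(LEET_MAP)     # undo @->a, 0->o and friends
    return re.sub(r"[^a-z]", "", deleeted)              # letters only for the comparison


def check_password(password: str, min_length: int = 12, context_words=()) -> list[str]:
    """Return the list of policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if password.lower() in COMMON_PASSWORDS or normalize(password) in COMMON_PASSWORDS:
        problems.append("matches a common password (after removing trivial substitutions)")
    for word in context_words:  # company name, username, product names
        if word.lower() in password.lower():
            problems.append(f"contains the context word {word!r}")
    if re.search(r"(.)\1{3,}", password):
        problems.append("contains a run of four or more repeated characters")
    if re.search(r"0123|1234|2345|3456|4567|5678|6789|abcd|qwert|asdf", password.lower()):
        problems.append("contains a keyboard or numeric sequence")
    return problems


def rotation_due(last_changed: date, today: date, max_age_days: int = 180) -> bool:
    """True when the password is older than the policy allows.

    180 days is an assumed value chosen to satisfy 'forced changes more than once a year'.
    """
    return today - last_changed > timedelta(days=max_age_days)


if __name__ == "__main__":
    for candidate in ("password1234", "P@ssw0rd1234!", "correct-horse-battery-staple-42"):
        print(candidate, "->", check_password(candidate, context_words=["Acme"]) or "OK")
```

The normalisation step is what makes the check useful: a denylist alone passes “P@ssw0rd1234!”, which is exactly the kind of “lazy practice” the list above is warning about.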

Kurtis does lots of public speaking so if you know anyone who could benefit from hearing this information, you can book him here.

If the worst happens, you’re going to want the best financial, legal, and technical support to get you back up and running again. With cyber insurance from DataStream, we find the most comprehensive insurance coverage on the market alongside critical post-incident customer support. 

Click here to learn more about how we can help secure your business data!

The Critical Convergence Between IT, Cybersecurity and Insurance

The complexities of technologies in the early days of computing are nothing compared with what MSPs contend with today. The speeds and feeds of yesteryear have evolved into conversations about processes and regulations and addressing challenges and opportunities with real business solutions. While running cable and repairing PCs are still vital functions, clients expect much more from their IT services partners today. That increasing reliance creates several key advantages for MSPs – from added revenue opportunities to greater customer satisfaction – as well as a few big drawbacks.

Most IT service providers’ greatest challenge is managing all their responsibilities without fail. While core technologies may be a strength, keeping track of and juggling all the different business and regulatory concerns can be a nightmare without the right people and systems in place. The reality of running an MSP today is that IT is no longer the sole priority. Providing multi-layered cybersecurity protections and advising clients on business continuity planning and awareness training are just as important as compliance with regulatory and industry requirements and obtaining the appropriate cyber insurance policy. Measuring and monitoring cyber risk in all environments the IT services provider manages is part of those responsibilities.

The convergence of multiple factors that influence and help protect these robust yet entirely vulnerable IT ecosystems is critical to MSP success today. Providers can no longer pick and choose which pieces of their clients’ businesses they wish to support without ensuring another capable entity has those obligations covered. Whether the company employs its own internal tech team or MSPs collaborate with peers, vendors and other suppliers to deliver various services, the responsibility increasingly falls on IT services companies to manage it all.

The Cybersecurity Equation

Some industry experts have suggested that every MSP should consider becoming a full-fledged MSSP, focusing most, if not all, of its resources on building and managing formidable defenses for business clients. The reality of the situation is that many organizations rely on providers with a mix of IT and cybersecurity skills to keep their operations running effectively. However, virtually every MSP dedicates more time and resources to data and network protection today to stave off potential malware attacks and other cybercrime.

While many industry experts predicted future shifts in the IT services provider business model, the pandemic and ensuing push to WFH shortened that timeline considerably. The subsequent rise in nation-state-supported ransomware attacks was a driving force behind many of those transitions, requiring most MSPs to commit more resources to strengthen their clients’ defenses.

Implementing proactive cybersecurity services like awareness training and multi-factor authentication is now the norm. While MSPs continue to support the entire IT ecosystem – including devices, networks, software and cloud-based applications – consultation on data protection and disaster recovery practices and policies is gaining importance and creating new revenue opportunities.

Cybersecurity has become a major differentiator for providers that understand how to identify, measure and monitor those risks and tackle all the current and potential vulnerabilities. Small businesses (and many larger organizations) rely more on third parties like MSPs and MSSPs to provide those services today.

The Symbiotic Relationship Between MSPs and Cyber Insurance Firms

Businesses are increasingly looking to the IT services community for insight on a variety of new issues in addition to the traditional services they’ve come to depend on to keep their operations in order. As in the case of cybersecurity, organizations want and need complementary types of support, including consultation on regulatory compliance, disaster recovery (technical and procedural) and risk assessment.

Decision-makers often look to MSPs for insight on issues on the fringe of their areas of expertise. Some of those questions or requests may fall outside of a provider’s legal comfort zone. Cyber insurance is a good example, as company executives look to MSPs for advice on finding the right companies and policies to cover potential liabilities.

Those requests should be seen as opportunities for IT professionals. When clients seek insight across multiple disciplines, especially those not entirely in the traditional IT realm, it’s a sign of a strong business relationship. The more support MSPs can provide, the greater those bonds. Whether providing that assistance solo or with specialists in those fields, those actions increase the value-add and trust between customers and providers.

Cyber insurance is one of those key areas of opportunity. By aligning with a reputable firm with specific expertise in IT-related liabilities, MSPs can ensure customers are investing in more effective defenses while potentially increasing the providers’ recurring revenue. For example, DataStream Cyber Insurance can assess the security posture of each client, identify vulnerabilities, and make recommendations to ensure those companies are “insurable.” This process gives MSPs an opening to discuss specific improvements to minimize liabilities for providers and their clients.

DataStream brings an in-depth understanding of insurance and cybersecurity standards and expectations to these partnerships, as well as unique AI technologies that identify areas of concern. The ability to leverage real customer data and proprietary models that measure real cyber risk is a key differentiator. MSP partners play a critical role in this assessment process and can leverage the results to strengthen their clients’ cybersecurity posture and potentially boost sales and profitability.

A Value-Added Relationship

While it’s true that only certified insurance agents can sell policies, IT services providers can grow MRR and project income through a DataStream alliance. MSPs register their clients for an assessment that identifies vulnerabilities and behaviors that put them at risk and emphasizes solutions their provider can implement to address those problem areas. DataStream provides partners with details of the factors preventing each assessed business from obtaining cyber insurance coverage.

This is when the MSP comes to their rescue. With implicit knowledge of that client’s security posture, providers can pitch the proper solutions to bring their defenses up to par. The end game is to make companies aware of their risks and increase cybersecurity investments – which benefits MSPs and their clients.

With the COVID-19 lockdowns and corresponding increase in work from home and hybrid environments, those opportunities are plentiful. Along with the ensuing rise in ransomware attacks, the conversations around cybersecurity are growing in frequency and complexity – a perfect opening for MSPs that can pitch solutions, not the “speeds and feeds” of technology. Why not make cyber insurance part of that conversation?

Resources like the Cyber Insurance Assessment help businesses determine their readiness for cyber insurance. And our Partner Cyber Risk Report shows partners numerically how much impact they have on reducing cyber risk among their business clients. Would a sales prospect pay more attention if they could visualize the effect your firm could have on their data defenses? DataStream provides MSPs with that power.

Build a Cybersecurity Fantasy Team

The cost of protecting data has never been higher. What many experts fail to say is that the financial liabilities associated with poorly secured systems are on the rise as cybercriminals target both MSPs and their clients. Estimating the cost of downtime and remediation support and the reputational damage from these attacks can be difficult for any business. For MSPs, those incidents are even more concerning as the experts in all things cybersecurity – a poor response can undermine their credibility in the business community.

That’s why dealing with cyber risk has become a team sport.

Cybercriminals are running businesses too, so they must continue refining and escalating attacks to maximize their revenue opportunities. For example, a recent IBM study found that the average incident takes 280 days from the point of access to conclusion and costs each company approximately $3.86 million.

Cybercriminals understand that most SMBs don’t have the internal resources to prevent cyberattacks. Ransomware purveyors target those businesses indiscriminately and rely on poor defenses, application vulnerabilities (vendors and suppliers) and inattentive and lazy employees – perhaps even a little luck – to gain entry.

Combined with the ever-increasing creativity of the cybercriminal community, it’s increasingly more difficult to protect businesses of any size today. As the amount of data they create, collect and store continues to grow, their financial and legal risks increase proportionally, and MSPs must work even harder to lock it all down.

A Complete Game Plan

Good teams produce more than the sum of their individual parts. Successful cybersecurity collaborations typically involve a tremendous amount of planning, training, evaluating, and, perhaps most importantly, communications. Most MSPs excel in most, if not all, of those areas, as do many of the specialists in their partner communities.

Building and executing cybersecurity “game plans” requires that commitment. From conducting assessments and highlighting areas of concern to strengthening defensive measures and contracts, MSPs need to lead the way. That push begins (and ends) with finding the right partners.

Draft Highly Skilled Partners

Protection is truly a team sport. Building a ‘fantasy dream team’ by “drafting” quality partners can help minimize liability for MSPs and their clients. Collaborative relationships with complementary subject matter experts – those with knowledge and skills in different aspects of cybersecurity, liability and compliance requirements – will elevate the defensive game to new heights.

The “team cybersecurity” approach focuses on risk aversion to limit financial and legal exposure for both clients and providers. Together, they provide more comprehensive coverage, as each is an expert in their respective area. They may collectively review existing processes and systems to identify and quickly address high-risk vulnerabilities and then develop plans for resolving other potential breach points or areas of concern. Potential “players” and their responsibilities include:

  • Vendors – MSPs typically partner with a number of suppliers to comprehensively protect clients’ networks, devices, data, applications and other systems. From end-point protection and data back-up and recovery providers to Security Operations Centers (SOCs), these “players” are focused on the cybersecurity game and many can even chip in during the off hours to give MSPs a well-deserved break.
  • Auditors/Remediators – these firms help MSPs identify and fix potential vulnerabilities following a structured approach. These professionals often serve a dual role: mitigating cybersecurity threats before they can cause harm to clients or providers and addressing similar issues following an attack.
  • Cyber Insurance Experts – every team needs a coach to measure the threat environment and guide game plan development. DataStream Cyber Insurance offers that level of support to MSPs with a Cyber Risk Assessment that evaluates the defensive posture of each client and a 24/7 Hotline to call when they first suspect a compromise. A tech assessment on each policy helps expedite claims and payments, eliminating potential stressors for providers and the business they support.
  • Attorneys with IT Specialization – every cybersecurity team needs legal representation to minimize risk on the front end, writing air-tight legal agreements and contracts, and on the back end, supporting the response when things go bad. Those professionals should get the first call following a breach to review strategies and ensure MSPs properly execute their remediation plans.
  • Public Relations Firms – messaging matters before and after a breach. Every MSP should have a crisis communications expert on their team to interpret the key points of the situation and help craft verbal and written responses. Information management is crucial. MSPs may need to share details of the compromise with different audiences, including clients, government agencies, law enforcement, and media. Releasing the right information to the appropriate people helps ensure the success of the response plan and prevents additional exposure.
  • Cyber Forensics Experts – these companies or individuals step in after a breach, analyzing the evidence and reviewing each incident step-by-step to determine what went wrong. More importantly, the information they provide allows MSPs and other team members to mitigate vulnerabilities and prevent future attacks.

Are Your MSP’s Assets Adequately Protected from Cyberattacks?

IT service providers spend a lot of time discussing protection. Whether consulting with clients or developing plans to boost internal defenses, those conversations often center on data and the systems that store or transmit critical and sensitive information. With cybercrime on the rise, many technologists are more inclined to invest in more solutions and implement measures that will help keep providers and the businesses they support safe from IT-related threats.

While those defenses are critical, MSPs must look closely at legal liabilities associated with those IT ecosystems. Cybercriminals are directly targeting IT services companies since they hold the “keys to the kingdom,” with access to clients’ networks, business systems and, by default, their data. SMBs rely on MSPs’ security expertise to protect those assets. With the escalating attacks on organizations of every size and mission, the threat vectors are continually shifting and evolving.

The financial costs of a cyber failure are too big to ignore. Unfortunately, some SMBs are not taking the appropriate steps to secure every system, perform regular backups and protect all their important data. The lack of an effective cyber defense significantly increases their legal liabilities.

That last point is essential. No matter how well MSPs lock down information and secure critical infrastructure, if someone (or something) finds a way to get into a client’s systems, the provider will likely take some, if not all, of the blame. In a highly litigious society, that exposure can damage, if not cripple, a small business. Worse yet, if cybercriminals gain access through a provider’s network, they can expect other clients and prospects to scrutinize their practices. The costs, from both a public relations and legal perspective, could be enormous and threaten the MSP’s viability.

Why?

Because cybersecurity is a matter of trust. When companies sign up with an MSP, they expect that team to provide complete protection for their businesses and assume, as cybersecurity professionals, they will implement industry best practices across every part of their operation. If even one client becomes the victim of ransomware or a cyberattack, especially through a provider’s compromised system, the trust may erode quickly.

Cover the Risks

Despite the rising threats, there is hope for MSPs. Careful preparation on the business end of an IT service firm’s operations can lessen those liability concerns considerably. That’s why providers should always seek legal advice from attorneys who understand the MSP business model and appreciate the threats against your company and clients. Those professionals should have the know-how to minimize the firm’s liabilities in the event of a cyberattack and work collaboratively with insurers to support the best interests of providers and their clients. An IT services-skilled attorney will be an invaluable resource to prevent things from going sideways.

Consulting with someone with extensive expertise supporting the legal needs of MSPs provides peace of mind. A good tech attorney can craft, review or amend services contracts and master agreements and offer guidance on a variety of industry-specific issues, as well as general business processes and policies. MSPs need that type of oversight today. Quality counsel will proactively address potential issues before they become problems and minimize the exposure when things go bad.

Those professionals help keep an MSP safe from potential lawsuits and bureaucrats (think regulatory compliance) regardless of the threat landscape and legal environment. Think of them as a firewall for cybersecurity experts.

The Fine Print Matters

A key reason for working with IT-experienced attorneys is their understanding of professional services delivery and the documents that outline the various responsibilities of MSPs and their clients. The “legalese” in customer agreements could be a major factor in whether the firm continues to thrive, let alone survives, following a cyberattack.

That’s a major reason for updating your managed services-related documents. Attorney Brad Gross, a recognized authority in IT services law, suggests that companies with antiquated agreements may find themselves in worse shape than those without contracts.

“The devil is in the details,” he emphasizes. His recommendation to MSPs is to partner with a proven IT attorney to review and strengthen their critical business documents to minimize cybersecurity-related liabilities. For example, any promises IT services providers make, whether explicit or implied, must be based on reality, not marketing prowess. “You can be confident, but your confidence needs to be based on both tangible and intellectual honesty,” adds Gross. “The way to achieve that is to have agreements in place that manage customer expectations, and then have the technical background and ability to perform under those contracts.”

A poorly constructed MSA (master services agreement) or SOW (statement of work) can increase your liability. The language in these documents can expose an MSP to litigation following a breach or malware attack. Knowing what to put in and what to leave out are decisions best left in the hands of those properly trained to deal with those legal concerns.

Scams, Bad Plans, and Ransom Demands with Roger Grimes

If we find online safety measures like multi-factor authentication (MFA) irritating, we probably need to adjust our levels of expectation and trust for the internet of today. The longer we put off proper level-setting, the more likely we will fall for the scams and frauds that are rampant on today’s internet.

That’s one of the messages Roger Grimes shared with us recently. In this article, we’ll go deeper into his reasoning and share some of the best practices he advocates.

Subject-Matter Expert

Roger has been in computer security for over three decades. He started in the virus space, fighting Apple and DOS viruses, before spending the 1980s as a network technician, rising through the ranks.

Roger has written 1,200+ articles and 13 books, and has been interviewed on shows like “All Tech Considered” by NPR.

He now consults with hundreds of companies on security reviews, attack responses, and advanced persistent threats.

MFA

One of the things Roger is known for advocating is MFA. When he gets pushback on it, it is usually along the lines of “it’s too much trouble.” This indicates that some people are still thinking about the internet in the same way as real-life scenarios.

Roger gives the example of ordering a pizza: we call a number and have no idea who is answering. We may even give them a credit card number. Then some stranger comes to our residence and hands us food that we haven’t inspected, and we give them money. When it’s framed like this, it sounds like a lot of trust is involved, and it is! But that’s because there are safeguards in real life, not least of which include the police, who can help you in case of a potential attack.

Now consider that same scenario on the internet: You want to purchase a pizza. Is it strange that your bank or credit card company or even the pizza place wants to double check that it’s a real person ordering and not just a bot?

So once we understand that it’s unreasonable to apply our default real-world levels of trust and expectation to the internet, we’re approaching the right mindset for keeping safe online.

Four Signs You’re Being Hacked

But you can’t question every experience, right? So once a reasonable level of security expectation is established, what are some warning signs to put you on high alert for fraud? Roger lists four:

  1. An unexpected communication — this could come from a person or organization that you know or would be reasonable for you to know.

  2. Being asked to do something for the first time — this could mean filling out a form or sending an email or providing particular details.

  3. A stressor event — this is a demand that the thing you are being expected to do needs to be done in a short time window.

  4. Could be malicious — this is recognizing that whatever you do might expose you. This might include sharing your bank details or home address, or part of an identifying document, such as a partial social security number.

Job-Offer Hack

Red lights would definitely be going off in your head if all four of these signs happened at once. But Roger stresses that if any one of these occurs, you’re at risk. If all four do, you’re almost definitely being scammed.

Roger shares an example where a candidate was applying for a posted job offer whilst working at his current role (he was a chief marketing officer). He was asked to fill out an application in Microsoft Word format that had active fields in it. These active fields served as vectors for malware to capture his passwords and gain access. The scam cost his firm quite a bit of money, to say nothing of his embarrassment that the compromise happened because he was looking for new employment. Even worse, this person regularly read Roger’s columns and still fell victim to a scam.

This doesn’t mean that you can never trust a situation where there is a stressor event. It just means that you need to be vigilant, even in a scenario that you think you’ve initiated.

Romance Scams

Roger believes that sharing stories is a big preventative measure. But sometimes people disregard the evidence that they are being scammed.

Roger says this is most prevalent in romance/dating scams. Even when someone has been shown they are being scammed out of money, they still want to pursue a “relationship” with the scammer. “The heart has a mind that the mind knows nothing of,” Roger says.

It’s Not About Intelligence

It’s not “stupid” people who get caught up in these scams. One of Roger’s clients has a Nobel Prize in quantum physics — not someone you would classify as “stupid.” Yet he still got scammed out of two million dollars.

It’s not about intelligence, it’s about awareness. Keep up with the scams that are out there, be aware of the four warning signs in your personal interactions, and advocate for proper security measures to be taken in your professional environment.

Passwords and MFA

The average person logs into about 170 websites a year, but only tends to use three to seven passwords across those 170 sites, often without the help of a password manager. This goes back to the mentality shift Roger advocates.

We aren’t asked to remember dozens of passwords in everyday life. But instead of realizing that online there are methods in place to keep us safe, we rely on our memory and gut and then act surprised when we get hacked.

That doesn’t mean MFA is a cure-all. One of the last things Roger mentioned to us on the episode is about the class of MFA you are using. He advocates for phishing-resistant MFA. Just like viruses adapt to overcome treatments, criminals don’t just give up when confronted with MFA. They try to find a way in, starting with getting your password.

If they can find a way to hack your password, they can find a way to intercept your text messages, a one-time password, or answers to your security questions.

Roger refers to phishing-resistant technologies outlined in a White House document: FIDO2 WebAuthn and PIV smart cards, which use a third piece of technology to verify that the person requesting access is actually the right person.

Remember that if your reaction to this is that it’s overkill, it’s because you haven’t sufficiently shifted your mindset to what is normal on the internet. Until you do, you’ll be susceptible to attack.
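What makes FIDO2 WebAuthn phishing-resistant is that the browser, not the web page, writes the page’s real origin into the signed client data, and the authenticator only releases a credential for the RP ID it was registered against. The following simulation is an added example (not Roger’s material or DataStream’s code) that walks through those relying-party checks. The RP ID `bank.example`, the origin and the challenge are assumed values, and an HMAC with a per-credential secret stands in for the public-key signature a real authenticator would produce; everything else mirrors the WebAuthn assertion flow (rpIdHash, flags, counter, signature over authenticatorData plus the client data hash).

```python
import hashlib
import hmac
import json
import os

RP_ID = "bank.example"                    # assumed relying-party ID
EXPECTED_ORIGIN = "https://bank.example"  # the only origin the relying party accepts


class Authenticator:
    """Minimal stand-in for a FIDO2 authenticator holding one credential per RP ID.

    A real device keeps a private key and returns a public-key signature; here an HMAC
    keyed with a per-credential secret plays that role (assumption for an offline demo).
    """

    def __init__(self):
        self._credentials = {}

    def register(self, rp_id: str) -> bytes:
        secret = os.urandom(32)
        self._credentials[rp_id] = secret
        return secret  # with real keys only the public half would leave the device

    def get_assertion(self, rp_id: str, client_data_json: bytes):
        if rp_id not in self._credentials:
            raise LookupError("no credential for this RP ID")  # credentials are scoped to the RP
        auth_data = (hashlib.sha256(rp_id.encode()).digest()  # rpIdHash
                     + b"\x01"                                  # flags: user present
                     + (1).to_bytes(4, "big"))                  # signature counter
        signed = auth_data + hashlib.sha256(client_data_json).digest()
        return auth_data, hmac.new(self._credentials[rp_id], signed, hashlib.sha256).digest()


def browser_get(auth: Authenticator, page_origin: str, rp_id: str, challenge: str):
    """The browser builds clientDataJSON from the page's real origin; the page cannot choose it."""
    host = page_origin.split("://", 1)[1]
    if host != rp_id and not host.endswith("." + rp_id):
        raise ValueError("RP ID is not a registrable suffix of the page origin")
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": page_origin}, sort_keys=True
    ).encode()
    auth_data, signature = auth.get_assertion(rp_id, client_data)
    return client_data, auth_data, signature


def rp_verify(secret: bytes, challenge: str, client_data: bytes,
              auth_data: bytes, signature: bytes) -> bool:
    """Relying-party checks: type, fresh challenge, expected origin, rpIdHash, then the signature."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != challenge:
        return False
    if cd.get("origin") != EXPECTED_ORIGIN:
        return False
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False
    expected = hmac.new(secret, auth_data + hashlib.sha256(client_data).digest(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, signature)


def run_scenarios() -> dict:
    """Exercise the legitimate login and three ways a lookalike site or replay fails."""
    auth = Authenticator()
    secret = auth.register(RP_ID)
    challenge = "constructed-challenge-9f3a"
    results = {}

    # 1. Genuine login from the real site verifies.
    results["legit"] = rp_verify(secret, challenge, *browser_get(auth, EXPECTED_ORIGIN, RP_ID, challenge))

    # 2. A lookalike page asking for the bank's RP ID is refused by the browser before any prompt.
    try:
        browser_get(auth, "https://bank-login.example", RP_ID, challenge)
        results["lookalike_blocked"] = False
    except ValueError:
        results["lookalike_blocked"] = True

    # 3. A lookalike page using its own RP ID finds no credential on the authenticator.
    try:
        browser_get(auth, "https://bank-login.example", "bank-login.example", challenge)
        results["no_credential"] = False
    except LookupError:
        results["no_credential"] = True

    # 4. Replaying a captured assertion against a fresh challenge fails the freshness check.
    client_data, auth_data, signature = browser_get(auth, EXPECTED_ORIGIN, RP_ID, challenge)
    results["replay_rejected"] = not rp_verify(secret, "a-newer-challenge", client_data, auth_data, signature)
    return results


if __name__ == "__main__":
    print(run_scenarios())
```

Contrast this with a one-time code typed into a form: nothing in that code binds it to the site the user is looking at, which is why it can be relayed, while the assertion above is useless anywhere but `https://bank.example`.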

Giving Employees the Proper Cybersecurity Training

We recently had the chance to sit down with Michael O’Hara, a Certified Information Systems Security Professional at KB Communications. Michael was recently introduced as the guy “with more letters after his name than letters in his name.” We thought it might be useful to review some of those letters to give context to his great advice.

CISSP

The Certified Information Systems Security Professional is an information security certification granted by the International Information System Security Certification Consortium ((ISC)²). As of January 2022, just over 150,000 people hold this certification worldwide. It has been assessed by some organizations as the equivalent of a master’s degree.

CHP

A Certified HIPAA Professional is someone who has undergone training to enable their company to become HIPAA compliant. The course covers areas such as the implementation of policies and procedures, patient confidentiality, and security measures in line with HIPAA requirements.

HIPAA

The Health Insurance Portability and Accountability Act of 1996 modernized the flow of healthcare information. It stipulates how personally identifiable information maintained by the healthcare and healthcare insurance industries should be protected from fraud and theft. It generally prohibits healthcare providers and businesses from disclosing protected information to anyone other than the patient or the patient’s authorized representative without their consent.

CCSA

The Certified Cyber Security Architect credential validates knowledge and skill sets in cybersecurity strategy, specifically:

  • Incident response

  • Encryption

  • Risk assessment

    • Vulnerability assessment

    • Penetration testing

Michael has been in cybersecurity for 30 years and says that the letters after his name really only drive home the fact that he’s a cybersecurity evangelist and wants to spread that gospel to all nations.

Case #1: The Fake Invoice

Michael can get called in at any stage of an attack. In the first story he shared with us, the client had inadvertently paid a fake invoice to the tune of $30,000.

The company has eight employees and $1.5M a year in revenue.

The owner was on vacation for the first time in 38 years, enjoying a cruise. His staff received an official-looking invoice demanding payment of $30,000.

With the owner finally away on a vacation, the staff debated whether to call him to verify the invoice. After some discussion, it was decided to let him enjoy his time away and the staff duly paid the invoice.

When the owner came back and realized that a fake invoice had been paid, he complained to his bank. His banker recommended Michael to him to make sure this couldn’t happen in the future.

Email Training

One of the reasons the staff had been tricked was that the email “looked legitimate and official.” Michael gave them a basic rule to avoid the same mistake again: when examining an email, look at the headers to find out if the domain is a legitimate one. In this particular case, even this quick check yielded the fact that the server was located in Russia, which was not the home of any company that the owner was doing business with.

Other times, what looks to be legitimate might be just off by a letter or two and will be missed by someone who doesn’t take the time to do what Michael recommends.
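Michael’s header check can be scripted so that accounts-payable staff do not have to eyeball every message. The following is an added example (not Michael’s or KB Communications’ code) that parses a raw message with Python’s standard `email` module, compares the From, Return-Path and Reply-To domains against an allowlist of real partners, and flags domains that are only a letter or two away from a known one. Both sample messages, the partner domains and the IP addresses are constructed; the script cannot geolocate the sending server offline, so it only extracts the host named in the top Received header for a human to look up.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed allowlist of domains the business actually trades with.
KNOWN_PARTNER_DOMAINS = {"acme-supplies.example", "northwind.example"}

# Constructed sample: the visible From looks right, but bounces and replies route to a lookalike.
SUSPECT_EMAIL = """\
Return-Path: <billing@acme-suppiles.example>
Received: from mail.acme-suppiles.example (mail.acme-suppiles.example [203.0.113.7])
 by mx.smallbiz.example with ESMTP id constructed123
 for <ap@smallbiz.example>; Mon, 3 Jun 2024 09:14:02 +0000
From: "Acme Supplies Billing" <billing@acme-supplies.example>
Reply-To: <billing@acme-suppiles.example>
To: ap@smallbiz.example
Subject: Invoice 4471 due today
Content-Type: text/plain

Please wire $30,000 today to the account below.
"""

# Constructed sample of a clean message from the real partner.
CLEAN_EMAIL = """\
Return-Path: <billing@acme-supplies.example>
Received: from mail.acme-supplies.example (mail.acme-supplies.example [198.51.100.9])
 by mx.smallbiz.example with ESMTP id constructed456
 for <ap@smallbiz.example>; Mon, 3 Jun 2024 10:02:11 +0000
From: "Acme Supplies Billing" <billing@acme-supplies.example>
To: ap@smallbiz.example
Subject: Invoice 4471
Content-Type: text/plain

Invoice attached, due in 30 days as usual.
"""


def domain_of(header_value) -> str:
    """Extract the lower-cased domain from an address header, or '' if absent."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; small values between domains mean 'off by a letter or two'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike(domain: str, known: set, max_dist: int = 2):
    """Return the known domain this one resembles, or None if it is exact or not close."""
    if domain in known:
        return None
    nearest = min(known, key=lambda k: edit_distance(domain, k))
    return nearest if edit_distance(domain, nearest) <= max_dist else None


def analyze_headers(raw: str, known: set = KNOWN_PARTNER_DOMAINS) -> list:
    """Return warnings about sender domains; an empty list means nothing looked off."""
    msg = message_from_string(raw)
    warnings = []
    domains = {label: domain_of(msg.get(label)) for label in ("From", "Return-Path", "Reply-To")}
    for label, dom in domains.items():
        if not dom or dom in known:
            continue
        near = lookalike(dom, known)
        if near:
            warnings.append(f"{label} domain {dom!r} resembles known partner {near!r}")
        else:
            warnings.append(f"{label} domain {dom!r} is not a known partner domain")
    # The visible From is the identity staff see; replies and bounces go where these headers say.
    for label in ("Return-Path", "Reply-To"):
        if domains[label] and domains["From"] and domains[label] != domains["From"]:
            warnings.append(f"{label} domain differs from From domain")
    return warnings


def sending_host(raw: str) -> str:
    """Host named in the top-most Received header, i.e. the hop that handed the mail to us."""
    received = message_from_string(raw).get_all("Received") or []
    match = re.search(r"from\s+(\S+)", received[0]) if received else None
    return match.group(1) if match else ""


if __name__ == "__main__":
    for name, raw in (("suspect", SUSPECT_EMAIL), ("clean", CLEAN_EMAIL)):
        print(name, sending_host(raw), analyze_headers(raw) or "no warnings")
```

The clean message produces no warnings; the suspect one is caught twice over, once because the Return-Path and Reply-To domains sit two edits away from the real partner and once because they disagree with the displayed From address.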

Social Media Awareness

Criminals, not just cybercriminals, are watching Facebook and Nextdoor to see if people are away from home. Michael reminded the owner and his staff not to “live their life online.” In other words, if you’re having a great time on vacation, save all those pictures and post them when you get home—otherwise you give criminals an opening; they will know you are away from your home and/or business.

Case #2: Email Breach

The second case Michael shared with us was one in which the staff emails of a small warehousing company were hijacked six weeks in a row. The threat actor then spammed customers from the company accounts with links to sites that could personally compromise those who clicked.

When the company asked their managed service provider why this was happening, the MSP responded that he had recommended MFA when he took over the account ten weeks prior. But the staff had pushed back, saying, “there are too many extra steps to get into our email.”

Well, they learned that those extra steps could have saved the company a lot of reputational damage.

MFA

Multi-factor authentication requires a user to provide two or more verification factors to gain access to a resource such as an application, online account, or VPN. It is an industry-wide best practice of strong identity and access management.

Final Thoughts

Michael’s take-home message is that it only takes a bit of extra effort to maintain a minimum level of security: check email headers, add MFA to password protocols, and don’t post those vacation photos in real time. Don’t be “annoyed.” Be professional.

All your security measures should be part of (last acronym, we promise!) a WISP—a written information security program—which is a document that details an organization’s security controls, processes, and policies. This should be printed out so that a copy can be referenced in the case of a cyberattack when computers can’t be accessed.

And if you need Michael and his team to help write a WISP or convince your team of the importance of cybersecurity, reach out to him at KB Communications.
