Why Cyber Risk Assessments are So Important (and What to Do With the Results)

If your business is connected to the internet or operates via IT infrastructure, you probably have some level of cyber security risk. Yes, that means practically everyone has some vulnerabilities, whether you run a large corporation or operate a small business.

Knowing exactly what your cyber risk looks like allows you to address vulnerabilities, and addressing those vulnerabilities will help you get a better cyber insurance quote.

So if you’re looking for an efficient way to assess and manage your cyber risk before you apply for cyber insurance, a cyber risk assessment is the perfect solution. This report will provide you with a comprehensive understanding of your unique vulnerabilities and allow you to take proactive steps to protect yourself from potential cyber threats.

Through our cyber risk assessment, you’ll receive a detailed report outlining the areas of your cyber risk that need improvement. The report will also show what steps you need to take to mitigate any risks.

So, what does a cybersecurity risk assessment show? And how can it help you get ahead of the game when it comes to your own cyber security posture?

Let’s review…

What Does a Good Cyber Security Posture Look Like?

Before we discuss what our cyber risk assessment looks like, let’s see what it looks like to have good cyber security posture, and how we evaluate that at DataStream Insurance.

Everyone has unique security vulnerabilities: companies work in different verticals and with unique clients, and not everyone uses the same IT infrastructure, software, and tools. Knowing this, we take a “3-legged stool approach” to cyber risk, where a truly secure cyber security posture depends on three essential supports:

  • Tools and technology: a combination of hardware, software, and processes that form the first line of defense in securing your business.
  • Compliance: data regulations that may need to be followed, such as GDPR, HIPAA, CCPA, etc.
  • Cyber Insurance: whether you have cyber insurance is the key to protecting your business after a breach.

Your cyber security posture will take into account these key factors along with the unique needs of your business and industry. Within these factors, we’ll also understand the degree of third-party risk you face when it comes to your vendor networks, and how sensitive your data is based on your industry.

So, rather than look at one or two factors like whether you are in a high-risk industry or what IT security you already have in place, we take a holistic overview of many factors that affect how vulnerable you are to a breach.

What is a Cyber Risk Assessment?

Cyber risk assessments are used routinely to identify and evaluate risk to a business or organization. These reports help to ensure that the cyber security controls you choose are appropriate to the risks your business faces. By knowing your risk, you’ll save time, resources, and even cut down on premiums before you apply for cyber insurance.

Our cyber risk assessment uses data to evaluate threats and vulnerabilities, and summarizes your risk for a cyber attack. We use our industry knowledge to do a vulnerability analysis of your network, estimating the likelihood of an attack and its cost to you. We also estimate how the risk level of your business compares to others in your industry and we also recommend ways to reduce your risk.

How Does My Industry Affect My Cyber Risk?

According to an FBI report, there has been a 300% increase in cyber attacks in the last couple of years. These attacks affect different kinds of businesses differently, but we’ll review just a few of the biggest targets aside from large corporations to give you an idea of the different kinds of risk businesses might face.

Small businesses are frequent targets of phishing attacks and malware. Many small business owners often think they’re “too small” to be a target, so they don’t implement strict enough security measures when it comes to their IT infrastructure. This leaves them vulnerable to attack in ways that are really preventable with a few different security measures including cyber insurance.

Nonprofits and NGOs can be targets because, like small businesses, they see themselves as small fish. But these organizations regularly process sensitive information, especially as they receive donations; in fact, donations amount to about $30 billion annually. Processing regular payments like this makes them a target in the same way as financial institutions.

Financial institutions are probably the first thing that comes to mind when it comes to cyber attacks, and they are affected globally. A report from the IMF explained that the pandemic heightened demand for digital financial systems, and that trend continues. Financial institutions are frequently targeted with phishing, malware, and devastating DDoS attacks.

Businesses in the healthcare industry deal with ultra sensitive user data. During a cyber attack, a healthcare facility may be unable to provide patient care, making it all the more urgent that these organizations have the proper precautions in place.

Your industry is just one of the factors that’s included in a cyber risk assessment, but it’s not the only one.

What Does a Cyber Risk Assessment Include?

There is a lot of valuable information in a cyber risk assessment that will let you see your vulnerabilities more clearly. While every company has some level of risk, in general, risk changes with company size and depends on the industry you serve and what your networks look like.

DataStream’s cyber risk assessment uses machine learning models that provide more accurate insight than models built using industry and size alone. The assessment we provide puts together a report of just how risky your business is, the likelihood that it will be hit by a cyber attack, and the average economic loss to your business. You’ll also learn how your cyber risk compares to businesses like yours.

We also include a graph that shows what any reasonably competent attacker can see of your network. We call this your External Cyber Posture, and it shows you how your main domain is connected to subdomains and devices that may be connected to vulnerabilities or risky open ports.

In short, our cyber risk assessment shows you where your company is most vulnerable, so you can decide your best course of action.

What are the Benefits of a Cyber Risk Assessment?

Security breaches are expensive for businesses of all sizes. Attacks are getting more sophisticated and require better tools to address and monitor risk. In 2022 alone, there have been large data breaches and attacks on Microsoft, the Red Cross, Cash App, countless instances of cryptocurrency theft, and many smaller businesses that didn’t make the news.

A cyber risk assessment will provide you with increased awareness of what threats your business might be facing, and how those threats can impact your business and employees. It will also help you tackle and mitigate future risk by preparing your company for the worst. You may also find ways to improve communication or tools that you’re using at work.

One of the other major benefits that comes from knowing your cyber risk is that you can save big on cyber security insurance premiums. Doing the assessment before you apply for insurance allows you to address the issues that make cyber insurance premiums costly.

How Can I Improve My Cyber Risk Score?

After you take our cyber risk assessment, experts at DataStream can review your report and outline the things you need to do to improve your cyber risk before you move on to get a quote for cyber insurance.

This could be tackling things like security infrastructure, vendor compliance, cleaning up unnecessary data, making sure you have information backed up, and anything else that comes out of the report that is unique to your business.

But before you can improve your score you need to know what it is.

A cyber risk assessment is an invaluable document to any business that will help you get ahead of the game. By getting started with your free cyber risk assessment, you can improve your score and set your business up for success.

How Cyber Insurance and Cybersecurity Services Protect Your Sensitive Data

The number of cyberattacks against businesses of all sizes is growing daily. Attacks with data encrypting ransomware can cripple a business by making it unable to service internal and external users. Malicious phishing campaigns attempt to compromise login credentials to enable unauthorized access to sensitive data resources. Maintaining the security of a company’s information technology (IT) environment has never been more important.

Over 40% of attacks are perpetrated against small and medium size businesses (SMBs). The effects of an attack can be extended downtime and lost customers. It can also involve the loss of sensitive information that can lead to regulatory penalties. In some cases, companies can be put out of business by the impact of a successful cyberattack.

We are going to look at how combining the benefits of cyber insurance and cybersecurity services helps protect companies from the damaging effects of a cyberattack.

What Makes a Company a Target for Cybercriminals?

Any company that stores or processes sensitive information is an attractive target for cybercriminals. Two types of data, in particular, are prized by cybercriminals:

  • A company that accepts credit card payments processes sensitive data that is subject to the Payment Card Industry Data Security Standard (PCI-DSS) regulations regarding its privacy and security. In the modern world of e-commerce, this encompasses virtually every business with an online presence. Failure to adhere to the regulations can lead to substantial financial penalties.
  • Companies operating in the U.S. healthcare industry also process sensitive protected healthcare information (PHI). Privacy and security standards for this data are defined in the Health Insurance Portability and Accountability Act of 1996 (HIPAA). In the event of a data breach, companies found to be in noncompliance with HIPAA regulations are subject to serious monetary fines.

Compromising these data resources yields sensitive information about individuals that criminals can use. The fact that these data types are regulated makes it even more important for businesses to prevent data breaches, and it means that affected businesses may be more willing to meet the demands of a ransomware gang to avoid adverse publicity.

What is Cyber Insurance?

Businesses processing sensitive information need to take every step necessary to maintain its privacy and security. They also have to protect themselves in the event that, despite their best efforts, a data breach involving sensitive data occurs. Cyber insurance offers that protection.

Cyber insurance is also called risk insurance or cyber liability insurance coverage. It’s an insurance policy that helps protect an organization in the wake of a cyberattack. The insurance is designed to help a business reduce operational disruptions and recover after a successful attack. Cyber insurance can also help defray the financial costs of the attack and of a company’s recovery efforts.

Items commonly covered by a cyber insurance policy include:

  • Lost revenue due to downtime or encryption of the customer’s IT systems;
  • Lost revenue due to downtime or encryption of a third-party provider’s IT systems;
  • The costs of meeting ransomware demands;
  • Costs associated with recovering systems and data resources;
  • Network security and privacy liability;
  • The expenses of responding to and remediating a data breach.

Various types of cyber insurance policies are available from reputable insurers like DataStream Cyber Insurance. The coverage from a viable policy that provides resilience against cyberattacks should include:

  • Data breaches – Assistance with breach response and remediation;
  • First-party liability – Provides coverage to first parties regarding issues such as system failure, fund transfer fraud, and loss of employee devices;
  • Third-party liability – Ensures customers are protected across their supply chain;
  • Business interruption – Covers the cost of restoring business operations;
  • Cyber extortion – Provides legal and IT experts to handle ransomware attacks.

A cyber insurance policy can be the difference between a company surviving or failing after a cyber attack. While the goal should always be to prevent data breaches and cyberattacks, no defense is foolproof. A breach can occur due to human error or a malicious insider that subverts a company’s security strategy. Cyber insurance enables an organization to recover and continue to operate its business.

What are Cyber Security Services?

Many small businesses lack the in-house resources to implement a successful cybersecurity strategy. Cyber security services are methods and techniques offered by a managed service provider (MSP) that strengthen an organization’s IT security. MSPs implement industry best practices to address any vulnerabilities in a company’s security standing.

A wide range of cyber security services are available that can be tailored to an organization’s business requirements. The following cyber security services are among the offerings available from a reliable MSP.

  • Managed firewall – A managed firewall protects a customer’s network while allowing them to concentrate on their business. Each network layer is protected with security that exceeds industry standards.
  • Intrusion protection – An intrusion protection system works in conjunction with network firewalls to identify and prevent threats in real-time.
  • Anti-malware protection – Cybersecurity includes identifying and eliminating malware before it can damage a company’s infrastructure and data resources.
  • Managed VPNs – This service manages, maintains, and resolves problems with your VPNs so remote employees can securely access company assets.
  • Multi-factor authentication (MFA) – MFA is one of the best ways to minimize unauthorized access to company IT resources. An MSP will assist in configuring MFA to secure an organization’s infrastructure.
  • Onsite and offsite backups – Maintaining backups for recovery from human error or cyberattacks is critical for data-driven companies. Backups should be taken regularly and sent offsite for disaster recovery.
  • Vulnerability assessments – An MSP can perform initial and ongoing vulnerability scans to identify security gaps. Assessments need to be performed regularly in dynamic environments where change is constant.

Some MSPs offer security service packages designed to address the security concerns of regulated industries. Healthcare organizations can implement HIPAA-compliant security measures to protect patient information. Companies processing credit cards can take advantage of cyber security services that address compliance with PCI-DSS standards.

The Benefits of a Comprehensive Approach to Cybersecurity

A comprehensive approach to cybersecurity includes both cybersecurity services and cyber insurance. While cyber insurance is designed to assist companies affected by a cyberattack, security services are meant to prevent or minimize the impact of an attack. You can think of security services as contributing to an organization’s first line of defense against cybercriminals. Cyber insurance is available to address threats that slip through the defenses.

Beginning with a vulnerability assessment, Atlantic.Net will identify areas that need enhanced security. They can specifically address the needs of companies requiring a HIPAA or PCI-compliant infrastructure or configure security services to fit your business needs. Regularly repeated scans will ensure that no new cracks in the defenses have opened and that all new infrastructure components are protected.

DataStream will analyze your current IT and cybersecurity stack when you engage them as your cyber insurance provider. They show you how your security risk compares to other organizations of similar size. Their cyber risk analysis incorporates over 3,000 risk factors to produce a comprehensive view of your security standing.

The combination of cybersecurity services from Atlantic.Net and cyber insurance from DataStream Cyber Insurance provides the maximum level of protection against cyberattacks. The risk of a successful cyberattack will be minimized and you will be protected if something does slip through.

About the author

Robert is a regular contributor and blogger for Atlantic.Net living in Northeastern Pennsylvania who specializes in various information technology topics. He brings over 30 years of IT experience to the table with a focus on backup, disaster recovery, security, compliance, and the cloud.

Constant Vigilance Is the Price of Cybersecurity

Change takes time, but it seems that businesses in general, not just large enterprises, are realizing that cybersecurity isn’t a fad but a key part of most modern businesses. Wayne Hunter, Founder and CEO at AvTek Solutions, Inc., has been preaching that message for years and we recently had the chance to speak with him on The Cyber Crime Lab Podcast.

Something unique about AvTek that shows how seriously they take cybersecurity is their $1M guarantee against ransomware. If ransomware gets past the defenses they erect for your company, they will pay $1,000 per endpoint, up to $1M. This guarantee runs alongside their “no risk switch.” If you’re not happy within 30 days of coming to AvTek, they will help move you to another vendor. And moving vendor is easy at any point because AvTek believes in earning a client’s business every day, so they don’t require long-term contracts.

Phishing Attack

Wayne shared an insightful story about a construction company that AvTek had been working with for years. The company had many of the recommended safeguards in place, which allowed AvTek to recover, in a relatively short time, the working environments that had been frozen in a phishing attack. But the one solution that would have helped them get up and running faster was immutable storage, which they had resisted implementing.

Immutable Storage

One of the advantages of cloud data is that it’s accessible from multiple devices, but that access also exposes the data to more vectors of risk. An immutable backup is a write-once-read-many format that cannot be changed, edited or overwritten. Read-only files cannot be lost, deleted, corrupted or encrypted in a ransomware attack.

Immutable storage can also be time-limited, allowing you to update or delete files within a certain period that the user specifies.
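To make the write-once-read-many and time-limited retention behaviour concrete, here is an added example (not code from AvTek, DataStream or the podcast) of a toy backup store that refuses overwrites outright and refuses deletes until a retention period has elapsed. The store, the backup names, the dates and the simulated overwrite attempt are all constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


class ImmutabilityError(Exception):
    """Raised when a write or delete would violate the store's immutability rules."""


@dataclass(frozen=True)
class StoredObject:
    data: bytes
    written_at: datetime
    retain_until: datetime   # deletes are refused before this time


class WormBackupStore:
    """Write-once-read-many backup store with a time-limited retention period.

    Every key can be written exactly once. Objects can be read at any time,
    but deleted only after their retention period has elapsed.
    """

    def __init__(self, retention: timedelta):
        self.retention = retention
        self._objects = {}

    def put(self, key: str, data: bytes, now: datetime) -> StoredObject:
        if key in self._objects:
            # Write-once: an existing backup can never be overwritten, which is
            # what stops ransomware from encrypting the backups in place.
            raise ImmutabilityError(f"{key!r} already exists and is immutable")
        obj = StoredObject(data, now, now + self.retention)
        self._objects[key] = obj
        return obj

    def get(self, key: str) -> bytes:
        return self._objects[key].data

    def delete(self, key: str, now: datetime) -> None:
        obj = self._objects[key]
        if now < obj.retain_until:
            raise ImmutabilityError(
                f"{key!r} is retained until {obj.retain_until.isoformat()}")
        del self._objects[key]

    def keys(self) -> list:
        return sorted(self._objects)


def nightly_backup(store: WormBackupStore, name: str, payload: bytes, now: datetime) -> str:
    """Write a date-stamped copy; a new copy never collides with an earlier one."""
    key = f"{name}/{now.strftime('%Y-%m-%d')}"
    store.put(key, payload, now)
    return key


def simulate_overwrite_attack(store: WormBackupStore, now: datetime) -> int:
    """Constructed failure scenario: try to replace every backup with junk.
    Returns how many overwrite attempts the store refused."""
    refused = 0
    for key in store.keys():
        try:
            store.put(key, b"ENCRYPTED", now)
        except ImmutabilityError:
            refused += 1
    return refused


def latest_backup(store: WormBackupStore, name: str):
    """Return the most recent backup for `name` (ISO-dated keys sort chronologically)."""
    candidates = [k for k in store.keys() if k.startswith(name + "/")]
    return store.get(candidates[-1]) if candidates else None


def run_demo() -> dict:
    """Two nightly backups, an overwrite attempt, a restore, and an early vs. late delete."""
    store = WormBackupStore(retention=timedelta(days=30))
    t0 = datetime(2022, 3, 1, 2, 0)
    first = nightly_backup(store, "payroll.db", b"payroll v1", t0)
    nightly_backup(store, "payroll.db", b"payroll v2", t0 + timedelta(days=1))
    out = {"refused_overwrites": simulate_overwrite_attack(store, t0 + timedelta(days=2))}
    out["restored"] = latest_backup(store, "payroll.db")
    try:
        store.delete(first, t0 + timedelta(days=10))
        out["early_delete"] = "allowed"
    except ImmutabilityError:
        out["early_delete"] = "refused"
    store.delete(first, t0 + timedelta(days=31))   # retention window has elapsed
    out["keys_after_expiry"] = store.keys()
    return out
```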

Business Functions Impacted in a Cyberattack

While some might think that a construction company would be less impacted than others by a cyberattack, the company faced three problems that are common in a cyberattack:

  • Work in Progress (WIP) can’t be billed. You likely cannot access information to see what has been invoiced, send invoices or receive payments.

  • Proposals can’t be accessed. Any information that had been gathered for a bid is locked away.

  • Payroll. Many employees have their time tracked electronically and, without access to systems, you can’t work out what people are owed. Even if you could, you might not be able to pay them using the usual payroll system.

Smaller Businesses Get It

Wayne also shared that while some enterprise-level companies may move more slowly on implementing a full suite of protections against cyberattacks, smaller businesses are more and more “getting it” when it comes to cybersecurity. They’ve come to realize that even though they are smaller, with client lists of 50, not 5,000+, they represent part of a larger scheme. By getting access to those 50 clients, cybercriminals can keep going and soon have thousands of victims.

Practice What You Preach

Wayne knows that it can be annoying to have to use MFA and other security measures. He knows because he has the same measures in place at AvTek that he recommends to his clients. Not only does this protect AvTek but it also gives them a sense of the user experience — invaluable when framing the sale as well as for the onboarding process of new clients.

Wayne reminds himself every time he enters a password on an internal system that information is at risk and that without these measures, there’s every chance that AvTek (and by implication, all their clients) will be attacked and exposed.

Even though Wayne explains to clients that what he is proposing is what he does in his own company, change is still hard. But Wayne welcomes having those difficult conversations and documents when clients refuse to take certain measures. Every quarter he will go back to them and continue to beat the drum for change. “Documentation and communication,” he says. Clients may still refuse but Wayne will have proof that he’s been doing his job.

A Security Triangle

Part of that communication has to exist within your cybersecurity solution, as well. Cybersecurity isn’t just the measures you take. It’s the compliance you ensure you are meeting for your industry. It’s also the insurance you have in case anything goes wrong. Wayne advocates for an open line of communication — and collaboration — between these three partners. Silos between these partners can undermine the very cybersecurity that companies are trying to establish. Wayne emphasizes that “completing that circle” between these partners offers a much better security posture.

Now, if you’re dealing with a managed services provider (MSP) like AvTek, two angles of that triangle might be with the same provider: Wayne and his team provide both cybersecurity solutions and compliance assistance. There is the chance of a conflict of interest there and Wayne provides an analogy:

“If I’m walking out the door, I might always think I look good. But if I ask my wife, she might not agree.”

To guard against this, AvTek puts in checks and balances to ensure that compliance and security are looked at as the separate issues they are, rather than a blurred combo of the two which can lead to more risk.

If the worst happens, you’re going to want the best financial, legal and technical support to get you back up and running again. With cyber insurance from DataStream, we find the most comprehensive insurance coverage on the market alongside critical post-incident customer support. 

What To Do When Insurance Companies Won’t Pay

While having cyber insurance coverage is important, it’s important to have coverage counsel as well, says Scott Godes, Partner and Co-Chair, Insurance Recovery and Counseling Practice, and Co-Chair, Data Security and Privacy at Barnes & Thornburg LLP.

Scott joins host Andy Anderson to walk through the details of a case he dealt with. They discuss:

  • Direct and indirect loss — covering both Scott’s opinions and those of the courts.
  • Why the language in an insurance contract is so important in deciding cases like these.
  • Tips on how to evaluate and buy insurance.
  • How coverage counsel can help you receive coverage when your insurance company refuses to pay.

The Future of Cyber Insurance: Why cyber insurance isn’t going away anytime soon

The cyber insurance market has faced challenges in recent years. Increased ransomware attacks have driven higher loss ratios. Russia’s attack on Ukraine has raised concerns about catastrophic global cyber events. With news that the U.S. government might create a government-backed national cyber insurance program, some people wonder whether private cyber insurance will become obsolete. The IT and cyber security community has questions about the future viability of the cyber insurance market.

We want to understand the potential threats to the cyber insurance market. We see three main risks from these threats:

  1. Insurance companies, worried about large potential losses, retreat from the market.
  2. The U.S. government creates a national cyber insurance program that crowds out the private market.
  3. Prices for cyber insurance become so expensive that coverage becomes unappealing to most companies.

Although these threats can disrupt the future of cyber insurance with some level of plausibility, ultimately we find them unlikely. Let’s take each in turn.

The fear that insurance companies will simply retreat from the market due to the threat of large potential losses may be the most pressing concern. We can assess this threat better with some perspective on the history of the overall cyber insurance market and its position in the global insurance market.

Although 2021 was a bad year for cyber losses, the overall performance of the cyber insurance market in its 20-year history gives us confidence. Cyber insurance continues to be among the most profitable lines of business for global property and casualty (P&C) insurance. For more than 10 years, the cyber insurance market has grown steadily and is likely to continue growing.

Cyber risk continues to be among the top three risks cited by global risk managers, affecting every aspect of business and society. From cars to manufacturing to building systems to the very nature of workers’ everyday lives, technology affects every area of business, and thus the insurance covering the risks it brings with it. Therefore, insurance companies struggle to ignore the attractiveness of the growing and profitable cyber insurance market, particularly in a world with few other options.

Rather than avoid the market, insurers are trying to improve their overall performance in cyber insurance. They are increasing prices and tightening underwriting standards with more requirements for cyber security. How these changes impact loss trends is not yet fully visible, but overall prices and requirements have moved at a greater pace in 2022 than in the previous two years.

Perhaps the greatest risk for massive losses is the risk of a nation-state-related catastrophic event. We see the insurance industry addressing this concern now.

Since the early days of insurance, insurance companies have recognized that war can create enough damage to bankrupt the entire industry. Every insurance policy, including cyber, excludes war-related losses. However, determining when a nation-state-related cyber attack constitutes a “war-like” action is a legal gray area.

Therefore, some insurance companies have started explicitly redefining “war” to include these nation-state-related attacks. For example, as of July 2022, Lloyd’s requires that cyber policies exclude coverage for nation-state-related attacks. Although this change might mean painful losses for individual companies in the short term, it allows the cyber insurance market to thrive in the long term. By excluding these exorbitantly expensive and difficult-to-model losses as “war-related actions,” this change essentially aligns cyber insurance with more traditional insurance.

Recognizing nation-state-related cyber attacks as war-related actions leads to the second main risk: the U.S. government might create a national cyber insurance program to protect companies from these attacks, and companies might then decide that private cyber insurance is no longer necessary.

Rather than replace a functional private market, we find that the U.S. government typically intervenes only where the private market struggles to provide coverage. For example, after the 9/11 terrorist attacks, Congress enacted the Terrorism Risk Insurance Act (TRIA) to provide government-backed funding for insured losses from large-scale acts of terrorism. This successful program is a potential model for a cyber insurance fund for nation-state-related attacks, which can then be included in private cyber insurance policies.

Finally, the third threat—that prices will become so high as to make coverage unappealing to most companies—is also possible but unlikely. Cyber insurance is relatively inexpensive, often less than 10% of a company’s total cyber security expenses. We do expect the application and underwriting process to get longer and more involved, as underwriters bring more requirements and scrutiny to these risks. However, we also see insurance companies and technology firms working together to reduce the frequency and severity of cyber attacks. Efforts to reduce catastrophic events help make long-term price increases more manageable.

We expect cyber insurance to continue to be a vibrant and growing market, with the entrance of more companies offering more and better protection. Even as we see some volatility and change in the near term, as underwriters refine their process further and governments find their role, we expect cyber insurance to be essential for many companies for a very long time.

End-User Education Is the Last Mile of Cyber Security

While we do believe that technology is part of solving the cybercrime puzzle, we know that it can’t help companies that don’t have leaders and end users who understand the technology, and more importantly, the cybercrime realities that make that technology a necessity in today’s business environment.

Bruce Nelson, President at Vertilocity, emphasizes the importance of end-user education. He recently sat down with us on the Cyber Crime Lab Podcast to discuss this and give real-life examples of how lack of end-user education plays out in bad outcomes for organizations.

A Spear Phishing Attack

Spear phishing is an attempt to acquire sensitive information, or access to computer systems, by sending counterfeit messages.

This type of attack often targets a specific person, or group, and will include information known to be of interest to the target, such as financial documents or current events.

Like other insidious forms of attack that use social engineering, this type of attack takes advantage of basic human nature, including:

  • A desire to be helpful.

  • Providing a positive response to those in authority.

  • Responding positively to someone who shares similar tastes or views.

In the example that Bruce shared with us, the threat actor was able to gain access to the email of a third-party project manager who worked between two IT firms that serviced one client. The victim managed projects and made sure that everyone was on the same page. The problem was, he was using a standard Gmail account for all this correspondence.

Don’t Use Personal Gmail for Business

We should note, it’s never a good idea to use a personal Gmail account for business. Apart from signaling a lack of professionalism by having @gmail.com as part of your work email address, you’re also advertising to cybercriminals. You’re letting them know that you’re on a version of Gmail that doesn’t offer much support in case something goes wrong (it is free, after all) and you’re also advertising that you’re not someone who takes cybersecurity that seriously.

Message received: this professional had his Gmail breached and the threat actor was able to read messages between all parties. The threat actor then sent a well-crafted, legitimate-looking email to the controller of Bruce’s client, one of the parties involved.

The email was asking the controller to update banking information. Since the email had come from a familiar Gmail account, it didn’t raise any red flags and the banking information was duly changed.

Almost three months passed before the real vendor called asking if something was wrong, as they hadn’t received payments for months. The controller was confused and sent over proof of payments, which had gone to the new account. The problem was, of course, that the vendor had never changed their banking information. The threat actor took the cash and disappeared.

What went wrong? Clearly, the end user was not educated enough in the scams being used today. Instead of following up with a short phone call after receiving the request to update the banking information, they went straight ahead without verification and literally paid the price. Beyond user education, you can have controls in place that stop this type of scam regardless of who clicks: for example, any change to payee banking details, or any payment above a set dollar amount, requires secondary verification over a channel other than the one the request arrived on, such as a call to a phone number already on file (never one supplied in the email itself), a sort of “real life” MFA.

Bruce notes three red flags: the request was unusual (banking information doesn’t often change), impactful (it would redirect all future payments) and urgent (it had to be done within a certain amount of time).
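What the “real life MFA” above looks like when written down as a rule is shown in the following added example (constructed for this page; it is not Bruce’s code or a DataStream tool). It parses an inbound message, scores it for the three red flags (unusual, impactful, urgent) plus two sender checks, and decides whether the request must be held for an out-of-band callback. The keyword lists, the free-mail domain list and both sample messages are assumptions made for the example.

```python
"""Triage rule for payee-change requests: flag the three red flags named
above (unusual, impactful, urgent) plus two sender checks, and force an
out-of-band callback before any banking detail is touched.
Added example with constructed rules and constructed sample messages."""
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed list: consumer webmail domains a business vendor should not bill from.
FREE_MAIL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}

# Illustrative keyword groups, not an exhaustive or vendor-supplied list.
CHANGE = r"(?:new|updated?|changed?|revised)"
DETAIL = r"(?:bank(?:ing)?|account|routing|iban|swift|remit(?:tance)?|wire)"
UNUSUAL = re.compile(
    rf"\b{CHANGE}\b.{{0,40}}\b{DETAIL}\b|\b{DETAIL}\b.{{0,40}}\b{CHANGE}\b", re.I | re.S)
IMPACTFUL = re.compile(
    r"\b(?:all (?:future )?payments|every invoice|going forward|from now on)\b", re.I)
URGENT = re.compile(
    r"\b(?:urgent(?:ly)?|asap|immediately|today|before (?:the )?end of (?:day|business)"
    r"|within \d+ (?:hours|days)|deadline)\b", re.I)


def _text(msg) -> str:
    """Subject plus every text/plain part (the subject often carries the ask)."""
    parts = [msg.get("Subject", "")]
    if msg.is_multipart():
        parts += [p.get_payload() for p in msg.walk() if p.get_content_type() == "text/plain"]
    else:
        parts.append(msg.get_payload())
    return "\n".join(parts)


def triage(raw_message: str) -> dict:
    """Return the red flags found and whether the request must be held for a callback."""
    msg = message_from_string(raw_message)
    _, sender = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    text = _text(msg)

    flags = []
    if UNUSUAL.search(text):
        flags.append("unusual")            # banking details rarely change
    if IMPACTFUL.search(text):
        flags.append("impactful")          # would redirect every future payment
    if URGENT.search(text):
        flags.append("urgent")             # pressure to skip verification
    if sender.rpartition("@")[2].lower() in FREE_MAIL_DOMAINS:
        flags.append("free-mail sender")   # vendor billing from a consumer account
    if reply_to and reply_to.lower() != sender.lower():
        flags.append("reply-to mismatch")  # replies go somewhere other than the apparent sender

    # Policy: any payee-detail change, or two or more flags, needs a call to a
    # number already on file, never to a number supplied in the email itself.
    hold = "unusual" in flags or len(flags) >= 2
    return {"flags": flags, "hold_for_callback": hold}


# Constructed sample resembling the story above: a vendor-side contact on Gmail
# asks the controller to redirect payments.
SAMPLE_BEC = """\
From: Dana Project Manager <dana.pm.consulting@gmail.com>
To: controller@example.com
Subject: Updated banking details for remaining invoices

Hi,

Our bank account has changed. Going forward, please remit all payments to the
new account below. We need this updated before end of day so the next payment
run is not delayed.

Routing: 000000000   Account: 00000000
"""

# Constructed routine invoice from the vendor's own domain, no change request.
SAMPLE_ROUTINE = """\
From: Accounts Receivable <ar@vendor.example>
To: controller@example.com
Subject: Invoice 4471 attached

Hello,

Attached is invoice 4471 for March services. Terms are net 30 as usual; please
remit to the account on file.
"""

if __name__ == "__main__":
    for name, sample in (("BEC", SAMPLE_BEC), ("routine", SAMPLE_ROUTINE)):
        print(name, triage(sample))
```

Run as-is, the constructed BEC message comes back with all of unusual, impactful, urgent and free-mail sender set and is held; the routine invoice comes back clean. The rule is deliberately blunt: it exists to create the pause Bruce describes, not to replace the phone call, so a single “unusual” hit is enough to hold the request.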

Bruce also shares an instance in which those three red flags helped a client avoid a scam. The company in question was in heavy acquisition mode and the CFO received what looked like an email from the CEO “greenlighting” an acquisition. Because two of the three warning signs were present (impactful and urgent), the CFO slowed down, noticed that a few small things were off about the email, and after phone-verifying with the CEO realized it was a scam.

The overarching moral: don’t let team members think they will be penalized for slowing down, especially when it comes to financial issues. Better to be too slow in paying something legitimate than too fast in paying something illegitimate.

Using Our Emotions Against Us

Bruce also shared a story from a conference he attended in which a former FBI agent illustrated just how easy it is for threat actors to target victims. The following is a basic playbook:

  1. Go to LinkedIn and find the CEO of a midsize company and then gather more information that might be available online.

  2. Find out if this person has kids and where they go to school.

  3. Create a legitimate-looking email from that school saying that there’s been a terrible event such as an attack, or a sexual predator has been spotted in the area.

  4. In the email let the parent know that the situation is under control and to learn more, click here and…

You’ve got them. You harnessed the powerful emotions of a parent’s instinct to protect their child and, of course, they click on the unknown link. Note again the three warning signs: something unusual, impactful, and urgent. Those three signs should always cause us to stop and pause before taking action.

Keep It Simple

Bruce shared a simple tactic to help end users get on board with cybersecurity. “Make the secure way also the simplest way. It’s the way to get massive adoption,” he noted. Part of the reason change management is so difficult is not that people resist change in general, but they tend to resist things that take longer, even if they can see the merits of them.

Note the Worst-Case Scenario

It does happen that companies go out of business, or have to take drastic measures to stay alive, after a cyberattack. Employees should note that one wrong click, or following the directions of one wrong email, might cost the company everything, including everyone’s jobs.

If it’s framed as: “all our jobs depend on taking cybersecurity seriously,” team members will be more likely to pay attention.

Have a Plan

Bruce concludes by emphasizing something we hear from nearly all our guests on the podcast. Have a cyber risk assessment done. Have it printed out. Make sure people are designated to lead in the event of an attack.

Cyber risk assessments also have the helpful quality of identifying where the greatest risks lie so that the C-suite can spend the money where it will have the greatest impact (assuming most businesses do not have infinite cybersecurity funds).

If the worst happens, you’re going to want the best financial, legal, and technical support to get you back up and running again. With cyber insurance from DataStream, we find the most comprehensive insurance coverage on the market alongside critical post-incident customer support. 

Click here to learn more about how we can help secure your business data!

Stop Thinking Ransomware Attacks Won’t Happen to Your Business

One of the ways we help business owners wake up to the current realities of cybercrime is by sharing real-life stories. We recently had the chance to sit down with GroupSense CEO & Co-Founder Kurtis Minder to hear some of those stories. Kurtis and his team have hundreds of cases they’ve dealt with, many with Kurtis leading the negotiating team.

You Can’t Always Google Everything

One story Kurtis shared was about a small Midwestern architectural firm that got hit over a holiday period. Their data was encrypted and the backups destroyed.

An architectural firm’s IP is crucial. Think of all the drawings and blueprints, not just for current projects but for those going back decades. These documents are referenced over time and relate to vital infrastructure such as roads, bridges, buildings, etc., not things you want to lose the plans to.

If that wasn’t bad enough, all the machines were encrypted, so they couldn’t use any of their software to do the current work. Everything was at a standstill.

Kurtis noted that he and his team did not actually get the first call. The firm googled the name of the ransomware variant, along with, “How to destroy X.” But just as legitimate businesses pay for Google Ads to get listed at the top of a search, so too do illegitimate companies. They count on a portion of business owners looking for an online DIY fix to their ransomware attack.

Unfortunately, the architecture firm was just headed for the second round. The criminals in the Google ad promised to “decrypt” the ransomware. But they were the middlemen. Using the ransom note — which the architectural firm happily handed over, not considering why that note would be necessary for decryption — these criminals then went onto the dark web. There, they found the original perpetrators and put themselves forward as the original victims looking for the decryption key.

A standard operating procedure for ransomware attacks is that the threat actor then decrypts a small amount of the data to show the victim that they are capable of reversing the damage of the original attack. This can move the victim to pay the ransom. In this case, the ‘Google criminal,’ acting as the real victim, paid for this “mini decrypt” to give the architectural firm some hope. They then acted as a middleman, marking up their cost by 80%. They billed the architectural firm and received payment. These new criminals then disappeared. That’s when Kurtis and his team got the call.

Having been burned twice and with a price for the ransomware decrypt already set by the middlemen criminals, the architectural firm chose to go an alternate route. They went to their email inboxes and found as many files as possible. They emailed them to each other to rebuild their database, which they built back almost in full.

What Businesses Should Do

Kurtis concedes that most 30-person small businesses are unlikely to have a cyber expert on staff and even if they wanted to have one, there wouldn’t be a supply for such a demand.

However, when Kurtis speaks to business owners around the country, the response he often gets is, “Wow, that’s scary, but that’s not going to happen to me.”  Wrong. More than 80% of ransomware attacks happen to small businesses and those are just the ones that get the headlines. Many attacks happen around us that never make the news.

Make a Plan

When they do get convinced, however, some of these businesses tend to go overboard, wanting to create a cyber risk assessment that covers every possible contingency. “Don’t let perfect be the enemy of good,” Kurtis warns. Put something basic in place, and of course, when you have it, print it out so it can’t get encrypted and become useless in the case of an attack.

Sweat the Small Stuff

One of the reasons business owners procrastinate over protective measures for their businesses is the thought that it will take time and money to implement them. But this is a misperception.

Kurtis encourages business owners to look at the example of the criminal using Google Ads to ensnare victims. Those criminals are using tried-and-tested practices of advertising to small businesses.

Many of these threat actors are small shops with limited teams and infrastructure. Only a few of them are part of the giant syndicates that make the news. Hence, they go for low-hanging fruit, which in this case means companies that don’t follow basic cybersecurity best practices, including:

  • Basic password policies: not permitting “password1234” and similar lazy choices (screen new passwords against a list of common and breached passwords rather than relying on complexity rules alone), and insisting on forced changes more than once a year. One caveat: current NIST guidance (SP 800-63B) favors breached-password screening and long passphrases over calendar-based rotation, because forced rotation tends to produce predictable increments of the same password; rotate on evidence of compromise instead.

  • Software patches: ensuring that all devices accessing company information and resources are kept current with security updates, including the laptops, phones and network gear that usually lag behind the servers.

  • MFA: ensuring that users are forced (whether they like it or not) to use multi-factor authentication to ensure the identity of those accessing company resources such as email accounts and databases.

  • Offsite storage: ensuring backups exist that are disconnected from your regular resources (offline, or otherwise unreachable with the credentials used day to day), so that an attacker who has encrypted your network cannot also reach them, and testing that a restore actually works before you need one.
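As an added example for the first item (constructed here; not code from Kurtis or GroupSense), the following Python password screen enforces a minimum length and a denylist of base words, normalizing away the digit padding and leet spelling that turn “password” into “password1234” or “P@ssw0rd2024!”, and rejects keyboard sequences and long character repeats. The denylist contents and the 12-character minimum are assumptions; a real deployment would screen against a breached-password corpus.

```python
"""Password screen for a basic policy: minimum length, a denylist of common
base words with leet/digit-padding normalization (so "password1234" and
"P@ssw0rd2024!" both fail), plus keyboard-sequence and repeat checks.
Added example; the denylist and minimum length are assumptions."""
import re
import unicodedata

# Assumed: in production this is a breached-password corpus, not a handful of words.
DENYLIST = {"password", "qwerty", "letmein", "welcome", "admin", "iloveyou", "companyname"}
MIN_LEN = 12  # assumed policy value

# Rows/runs whose 4-character windows (either direction) count as sequences.
SEQUENCES = ("abcdefghijklmnopqrstuvwxyz", "qwertyuiop", "asdfghjkl", "zxcvbnm", "0123456789")

# Common leet substitutions folded back to letters before the denylist lookup.
LEET = str.maketrans("0134$@!5", "oieasais")


def normalize(pw: str) -> str:
    """Lowercase, strip leading/trailing digits and symbols, then undo leet spelling."""
    low = unicodedata.normalize("NFKC", pw).lower()
    core = re.sub(r"^[^a-z]+|[^a-z]+$", "", low)
    return core.translate(LEET)


def has_sequence(pw: str, run: int = 4) -> bool:
    """True if any 4-character window of a keyboard row or alphabet run appears."""
    low = pw.lower()
    for seq in SEQUENCES:
        for i in range(len(seq) - run + 1):
            window = seq[i:i + run]
            if window in low or window[::-1] in low:
                return True
    return False


def check_password(pw: str, denylist=DENYLIST, min_len: int = MIN_LEN) -> list:
    """Return the reasons a password fails the policy; an empty list means accepted."""
    reasons = []
    if len(pw) < min_len:
        reasons.append(f"shorter than {min_len} characters")
    core = normalize(pw)
    if core in denylist:
        reasons.append(f"denylisted base word {core!r}")
    if has_sequence(pw):
        reasons.append("contains keyboard/alphabet sequence")
    if re.search(r"(.)\1{3,}", pw):
        reasons.append("contains 4+ repeated characters")
    return reasons


if __name__ == "__main__":
    for candidate in ("password1234", "P@ssw0rd2024!", "Tr0ub4dor", "correct-horse-battery-staple"):
        print(f"{candidate!r}: {check_password(candidate) or 'accepted'}")
```

The normalization step is the part most home-grown policies skip: a plain denylist lookup passes “P@ssw0rd2024!” because it is 13 characters with mixed case, digits and a symbol, yet it is the same base word attackers try first. Stripping the padding and folding leet characters before the lookup catches it, while a long passphrase with no denylisted core passes untouched.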

Believe it or not, most of these small businesses get attacked through one of these avenues, leaving businesses with the, “If only I had done X” feeling.

If companies can’t have a cyber expert on staff, the least they can do is take the basic steps that any cyber expert would if they were on staff: fix passwords, patch software, implement MFA and keep disconnected backups.

Kurtis does lots of public speaking so if you know anyone who could benefit from hearing this information, you can book him here.


The Critical Convergence Between IT, Cybersecurity and Insurance

The complexities of technologies in the early days of computing are nothing compared with what MSPs contend with today. The speeds and feeds of yesteryear have evolved into conversations about processes and regulations and addressing challenges and opportunities with real business solutions. While running cable and repairing PCs are still vital functions, clients expect much more from their IT services partners today. That increasing reliance creates several key advantages for MSPs – from added revenue opportunities to greater customer satisfaction – as well as a few big drawbacks.

Most IT service providers’ greatest challenge is managing all their responsibilities without fail. While core technologies may be a strength, keeping track of and juggling all the different business and regulatory concerns can be a nightmare without the right people and systems in place. The reality of running an MSP today is that IT is no longer the sole priority. Providing multi-layered cybersecurity protections and advising clients on business continuity planning and awareness training are just as important as compliance with regulatory and industry requirements and obtaining the appropriate cyber insurance policy. Measuring and monitoring cyber risk in all environments the IT services provider manages is part of those responsibilities.

The convergence of multiple factors that influence and help protect these robust yet entirely vulnerable IT ecosystems is critical to MSP success today. Providers can no longer pick and choose which pieces of their clients’ businesses they wish to support without ensuring another capable entity has those obligations covered. Whether the company employs its own internal tech team or MSPs collaborate with peers, vendors and other suppliers to deliver various services, the responsibility increasingly falls on IT services companies to manage it all.

The Cybersecurity Equation

Some industry experts have suggested that every MSP should consider becoming a full-fledged MSSP, focusing most, if not all, of its resources on building and managing formidable defenses for business clients. The reality of the situation is that many organizations rely on providers with a mix of IT and cybersecurity skills to keep their operations running effectively. However, virtually every MSP dedicates more time and resources to data and network protection today to stave off potential malware attacks and other cybercrime.

While many industry experts predicted future shifts in the IT services provider business model, the pandemic and ensuing push to WFH shortened that timeline considerably. The subsequent rise in nation-state-supported ransomware attacks was a driving force behind many of those transitions, requiring most MSPs to commit more resources to strengthen their clients’ defenses.

Implementing proactive cybersecurity services like awareness training and multi-factor authentication is now the norm. While MSPs continue to support the entire IT ecosystem − including devices, networks, software and cloud-based applications – consultation on data protection and disaster recovery practices and policies is gaining importance and creating new revenue opportunities.

Cybersecurity has become a major differentiator for providers that understand how to identify, measure and monitor those risks and tackle all the current and potential vulnerabilities. Small businesses (and many larger organizations) rely more on third parties like MSPs and MSSPs to provide those services today.

The Symbiotic Relationship Between MSPs and Cyber Insurance Firms

Businesses are increasingly looking to the IT services community for insight on a variety of new issues in addition to the traditional services they’ve come to depend on to keep their operations in order. As in the case of cybersecurity, organizations want and need complementary types of support, including consultation on regulatory compliance, disaster recovery (technical and procedural) and risk assessment.

Decision-makers often look to MSPs for insight on issues on the fringe of their areas of expertise. Some of those questions or requests may fall outside of a provider’s legal comfort zone. Cyber insurance is a good example, as company executives look to MSPs for advice on finding the right companies and policies to cover potential liabilities.

Those requests should be seen as opportunities for IT professionals. When clients seek insight across multiple disciplines, especially those not entirely in the traditional IT realm, it’s a sign of a strong business relationship. The more support MSPs can provide, the greater those bonds. Whether providing that assistance solo or with specialists in those fields, those actions increase the value-add and trust between customers and providers.

Cyber insurance is one of those key areas of opportunity. By aligning with a reputable firm with specific expertise in IT-related liabilities, MSPs can ensure customers are investing in more effective defenses while potentially increasing the providers’ recurring revenue. For example, DataStream Cyber Insurance can assess the security posture of each client, identify vulnerabilities, and make recommendations to ensure those companies are “insurable.” This process gives MSPs an opening to discuss specific improvements to minimize liabilities for providers and their clients.

DataStream brings an in-depth understanding of insurance and cybersecurity standards and expectations to these partnerships, as well as unique AI technologies that identify areas of concern. The ability to leverage real customer data and proprietary models that measure real cyber risk is a key differentiator. MSP partners play a critical role in this assessment process and can leverage the results to strengthen their clients’ cybersecurity posture and potentially boost sales and profitability.

A Value-Added Relationship

While it’s true that only certified insurance agents can sell policies, IT services providers can grow MRR and project income through a DataStream alliance. MSPs register their clients for an assessment that will identify the vulnerabilities and behaviors that put them at risk and emphasize solutions their provider can implement to address those problem areas. DataStream provides partners with details of the factors preventing each assessed business from obtaining cyber insurance coverage.

This is when the MSP comes to their rescue. With detailed knowledge of that client’s security posture, providers can pitch the proper solutions to bring their defenses up to par. The end game is to make companies aware of their risks and increase cybersecurity investments − which benefits MSPs and their clients.

With the COVID-19 lockdowns and corresponding increase in work from home and hybrid environments, those opportunities are plentiful. Along with the ensuing rise in ransomware attacks, the conversations around cybersecurity are growing in frequency and complexity – a perfect opening for MSPs that can pitch solutions, not the “speeds and feeds” of technology. Why not make cyber insurance part of that conversation?

Resources like the Cyber Insurance Assessment help businesses determine their readiness for cyber insurance. And our Partner Cyber Risk Report shows partners numerically how much impact they have on reducing cyber risk among their business clients. Would a sales prospect pay more attention if they could visualize the effect your firm could have on their data defenses? DataStream provides MSPs with that power.

Build a Cybersecurity Fantasy Team

The cost of protecting data has never been higher. What many experts fail to say is that the financial liabilities associated with poorly secured systems are on the rise as cybercriminals target both MSPs and their clients. Estimating the cost of downtime and remediation support and the reputational damage from these attacks can be difficult for any business. For MSPs, those incidents are even more concerning as the experts in all things cybersecurity – a poor response can undermine their credibility in the business community.

That’s why dealing with cyber risk has become a team sport.

Cybercriminals are running businesses too, so they must continue refining and escalating attacks to maximize their revenue opportunities. For example, IBM’s 2020 Cost of a Data Breach Report found that the average breach took 280 days to identify and contain and cost the affected company approximately $3.86 million.

Cybercriminals understand that most SMBs don’t have the internal resources to prevent cyberattacks. Ransomware purveyors target those businesses indiscriminately and rely on poor defenses, application vulnerabilities (vendors and suppliers) and inattentive and lazy employees – perhaps even a little luck – to gain entry.

Combined with the ever-increasing creativity of the cybercriminal community, it’s increasingly more difficult to protect businesses of any size today. As the amount of data they create, collect and store continues to grow, their financial and legal risks increase proportionally, and MSPs must work even harder to lock it all down.

A Complete Game Plan

Good teams produce more than the sum of their individual parts. Successful cybersecurity collaborations typically involve a tremendous amount of planning, training, evaluating, and, perhaps most importantly, communication. Most MSPs excel in most, if not all, of those areas, as do many of the specialists in their partner communities.

Building and executing cybersecurity “game plans” require that commitment. From conducting assessments and highlighting areas of concern to strengthening defensive measures and contracts, MSPs need to lead the way. That push begins (and ends) with finding the right partners.

Draft Highly Skilled Partners

Protection is truly a team sport. Building a ‘fantasy dream team’ by “drafting” quality partners can help minimize liability for MSPs and their clients. Collaborative relationships with complementary subject matter experts − those with knowledge and skills in different aspects of cybersecurity, liability and compliance requirements − will elevate the defensive game to new heights.

The “team cybersecurity” approach focuses on risk aversion to limit financial and legal exposure for both clients and providers. Together, they provide more comprehensive coverage, as each is an expert in their respective area. They may collectively review existing processes and systems to identify and quickly address high-risk vulnerabilities and then develop plans for resolving other potential breach points or areas of concern. Potential “players” and their responsibilities include:

  • Vendors − MSPs typically partner with a number of suppliers to comprehensively protect clients’ networks, devices, data, applications and other systems. From end-point protection and data back-up and recovery providers to Security Operations Centers (SOCs), these “players” are focused on the cybersecurity game and many can even chip in during the off hours to give MSPs a well-deserved break.
  • Auditors/Remediators − these firms help MSPs identify and fix potential vulnerabilities following a structured approach. These professionals often serve a dual role: mitigating cybersecurity threats before they can cause harm to clients or providers and addressing similar issues following an attack.
  • Cyber Insurance Experts − every team needs a coach to measure the threat environment and guide game plan development. DataStream Cyber Insurance offers that level of support to MSPs with a Cyber Risk Assessment that evaluates the defensive posture of each client and a 24/7 Hotline to call when they first suspect a compromise. A tech assessment on each policy helps expedite claims and payments, eliminating potential stressors for providers and the businesses they support.
  • Attorneys with IT Specialization – every cybersecurity team needs legal representation to minimize risk on the front end, writing air-tight legal agreements and contracts, and on the back end, supporting the response when things go bad. Those professionals should get the first call following a breach to review strategies and ensure MSPs properly execute their remediation plans.
  • Public Relations Firms − messaging matters before and after a breach. Every MSP should have a crisis communications expert on their team to interpret the key points of the situation and help craft verbal and written responses. Information management is crucial. MSPs may need to share details of the compromise with different audiences, including clients, government agencies, law enforcement, and media. Releasing the right information to the appropriate people helps ensure the success of the response plan and prevents additional exposure.
  • Cyber Forensics Experts − these companies or individuals step in after a breach, analyzing the evidence and reviewing each incident step-by-step to determine what went wrong. More importantly, the information they provide allows MSPs and other team members to mitigate vulnerabilities and prevent future attacks.

Are Your MSP’s Assets Adequately Protected from Cyberattacks?

IT service providers spend a lot of time discussing protection. Whether consulting with clients or developing plans to boost internal defenses, those conversations often center on data and the systems that store or transmit critical and sensitive information. With cybercrime on the rise, many technologists are more inclined to invest in more solutions and implement measures that will help keep providers and the businesses they support safe from IT-related threats.

While those defenses are critical, MSPs must look closely at legal liabilities associated with those IT ecosystems. Cybercriminals are directly targeting IT services companies since they hold the “keys to the kingdom,” with access to clients’ networks, business systems and, by default, their data. SMBs rely on MSPs’ security expertise to protect those assets. With the escalating attacks on organizations of every size and mission, the threat vectors are continually shifting and evolving.

The financial costs of a cyber failure are too big to ignore. Unfortunately, some SMBs are not taking the appropriate steps to secure every system, perform regular backups and protect all their important data. The lack of an effective cyber defense significantly increases their legal liabilities.

That last point is essential. No matter how well MSPs lock down information and secure critical infrastructure, if someone (or something) finds a way into a client’s systems, the provider will likely take some, if not all, of the blame. In a highly litigious society, that exposure can damage, if not cripple, a small business. Worse yet, if cybercriminals gain access through a provider’s network, the provider can expect other clients and prospects to scrutinize its practices. The costs, from both a public relations and legal perspective, could be enormous and threaten the MSP’s viability.

Why?

Because cybersecurity is a matter of trust. When companies sign up with an MSP, they expect that team to provide complete protection for their businesses and assume, as cybersecurity professionals, they will implement industry best practices across every part of their operation. If even one client becomes the victim of ransomware or a cyberattack, especially through a provider’s compromised system, the trust may erode quickly.

Cover the Risks

Despite the rising threats, there is hope for MSPs. Careful preparation on the business end of an IT service firm’s operations can lessen those liability concerns considerably. That’s why providers should always seek legal advice from attorneys who understand the MSP business model and appreciate the threats against the firm and its clients. Those professionals should have the know-how to minimize the firm’s liabilities in the event of a cyberattack and work collaboratively with insurers to support the best interests of providers and their clients. An IT services-skilled attorney will be an invaluable resource to prevent things from going sideways.

Consulting with someone with extensive expertise supporting the legal needs of MSPs provides peace of mind. A good tech attorney can craft, review or amend services contracts and master agreements and offer guidance on a variety of industry-specific issues, as well as general business processes and policies. MSPs need that type of oversight today. Quality counsel will proactively address potential issues before they become problems and minimize the exposure when things go bad.

Those professionals help keep an MSP safe from potential lawsuits and bureaucrats (think regulatory compliance) regardless of the threat landscape and legal environment. Think of them as a firewall for cybersecurity experts.

The Fine Print Matters

A key reason for working with IT-experienced attorneys is their understanding of professional services delivery and the documents that outline the various responsibilities of MSPs and their clients. The “legalese” in customer agreements could be a major factor in whether the firm continues to thrive, let alone survives, following a cyberattack.

That’s a major reason for updating your managed services-related documents. Attorney Brad Gross, a recognized authority in IT services law, suggests that companies with antiquated agreements may find themselves in worse shape than those without contracts.

“The devil is in the details,” he emphasizes. His recommendation to MSPs is to partner with a proven IT attorney to review and strengthen their critical business documents to minimize cybersecurity-related liabilities. For example, any promises IT services providers make, whether explicit or implied, must be based on reality, not marketing prowess. “You can be confident, but your confidence needs to be based on both tangible and intellectual honesty,” adds Gross. “The way to achieve that is to have agreements in place that manage customer expectations, and then have the technical background and ability to perform under those contracts.”

A poorly constructed MSA (master services agreement) or SOW (statement of work) can increase your liability. The language in these documents can expose an MSP to litigation following a breach or malware attack. Knowing what to put in and what to leave out are decisions best left in the hands of those properly trained to deal with those legal concerns.