Lawrence Perret-Hall, Director at CYFOR Secure, discusses the benefits of cyber insurance for SMEs and how collaboration with cybersecurity partners and insurers can help mitigate the risk of cybercrime
Small businesses are three times more likely to be targeted by cybercriminals than larger companies. Yet the Department for Digital, Culture, Media & Sport’s annual Cyber Security Breaches Survey this year found that fewer than half of micro, small and medium businesses have a formal cybersecurity strategy. These statistics should concern SMEs: not only are they more at risk of suffering a cyberattack than large businesses, they are also less prepared for one.
Indeed, many SMEs mistakenly assume that attackers concentrate on ‘higher value targets’ – such as digital bank Revolut, which recently suffered a breach – and that smaller firms are unlikely to be attacked. However, cyberattacks can happen to any organisation; some of the most devastating breaches in recent years have used smaller companies as entry points to larger partner organisations further up a supply chain. It is therefore crucial that smaller enterprises look for ways to bolster their security strategies.
It is no secret that SMEs have fewer resources and face tighter budget constraints than larger corporations, particularly during the current cost of living crisis. Given that small and medium-sized organisations represent more than 99% of all businesses in the UK, the disproportionate financial, operational and reputational impact a cyberattack can have on them is deeply concerning. Due to external pressures on already stretched cybersecurity budgets, many SMEs feel they must choose between cybersecurity and cyber insurance; there is simply not the budget for both, especially with rising premium costs. In fact, only 40% of small businesses and 17% of micro businesses had a cyber insurance policy in 2022.
As such, SMEs face a unique challenge within the cyber threat landscape and arguably work against heavier odds than larger corporations to protect their business. However, there are steps that can be taken by everyone working across the cybersecurity industry to protect SMEs from threats and to enable strategies that are efficient and deliver ROI (Return on Investment).
Building foundational cyber hygiene
SMEs need cost-effective and commercially flexible cybersecurity and insurance solutions. This should start with foundational security preparations that can be implemented quickly and at minimal cost to a smaller business.
Awareness training programmes and phishing simulations can be highly effective and do not pose a significant drain on budgets. Training staff to spot the signs of a phishing email is a simple but effective way to manage cyber risk and helps to promote a culture of shared responsibility across a business’ workforce. Similarly, something as simple as a robust back-up strategy, with back-ups taken frequently, at least one copy kept offline or otherwise isolated from the production network so that ransomware cannot reach it, and restores tested regularly, is one of the most effective ways to minimise the impact of a cyberattack.
Incident response (IR) plans are equally important when building effective cyber defences. Having a strong IR plan documented, rehearsed and ready to deploy in the event of a cyberattack means incidents are responded to rapidly, minimising disruption and downtime, which can be critical for smaller businesses.
All of these measures require a proactive approach from SME leaders but will significantly reduce the potentially devastating impact of a cyberattack. With this foundation, smaller companies can be confident that they have taken the vital first steps towards creating effective cyber risk management.
Collaboration between MSSPs and insurers
Managed security service providers (MSSPs) have a key role to play in supporting SMEs to build a strong foundation of cyber hygiene. And securing cost-effective insurance solutions can be a much easier process when MSSPs collaborate with SMEs, and subsequently insurers too.
Vulnerability assessments are a good example of this collaboration. Regular scanning can identify internal and external weaknesses and exposures and enable an organisation to remediate systemic weaknesses before cybercriminals have a chance to exploit them. Such assessments are often bundled with Dark Web monitoring, a separate service that detects whether compromised business credentials are being offered for sale. If an SME prioritises regular scanning with the support of an MSSP, insurers can receive up-to-date data on its cyber resilience and thus measure risk and price premiums more accurately.
Insurers also have a role to play in making cybersecurity more accessible to SMEs, but a shift is needed in the way they approach risk. Currently, premiums are priced on the estimated cost of a breach. Instead, insurers should be looking at the data they receive on an organisation’s cyber hygiene via solutions such as regular vulnerability scanning. They should be asking how mature the company’s cybersecurity is, how many attacks they have mitigated, and how regularly they can provide a reliable report on risk posture. For this bigger shift to occur, real-time security data should play a more central role in building the trust and transparency between MSSPs and cyber insurance partners.
With this collaborative approach, SMEs are much better positioned to secure lower premiums. Cost is a key reason SMEs fail to take up cyber insurance, so reducing premiums is one of the most effective ways to remove the barriers between small businesses and cybersecurity. Ultimately, outsourcing to an MSSP is one of the best steps an SME can take. With cyber insurance premiums rising, working with a trusted security partner can reassure an insurer that a business’ security is in safe hands, reducing the potential cost of an insurance plan.
Bespoke solutions for growing threats
Once cyber hygiene foundations are built, regular vulnerability scanning is in place and insurance premiums have been reduced, SMEs need a way to make sure their business stays secure on an ongoing basis. Many are turning to cyber retainers that deliver ROI by rolling over time and money not spent on incident response into improving the company’s overall cybersecurity posture. The small, regular cost of a retainer can be planned and budgeted for, while also demonstrating the continued proactiveness and prioritisation of a business’ approach to cybersecurity.
Becoming a target for an attacker is no longer a question of ‘if’ but ‘when’. SMEs therefore need to adopt a proactive mindset and prepare as best they can for what is now considered inevitable. Cyber insurance is a crucial part of an effective security strategy, but greater collaboration with MSSPs is needed to make it achievable for SMEs. For these smaller businesses, co-operating with insurance and security partners is the most effective way to bolster cyber defences while keeping costs to a minimum.