Small and medium-sized businesses are more at risk from cyberattacks than business owners might expect. Cyber insurance can help small businesses recover, but it can’t cover every risk—such as the reputational damage that can come from an information breach, or the time and hassle of returning to a state of normalcy after an attack.
If agents truly want to be trusted risk advisors, they need to talk with their customers about more than simply the insurance side of post-loss mitigation. Just as they would likely recommend burglar alarms, smoke detectors and water mitigation technology to reduce risks at home or in the office, agents should help their customers think about mitigating cyber risks.
There are three main methods of dealing with this risk: software installed on the computer network or connected via the cloud; hardware devices that are added to the computer network; and wetware, meaning people-based solutions designed to train employees to detect and respond effectively to attacks.
The best software and hardware security measures in the world won’t help against the most pernicious security issue for most companies: people. It’s essential to train employees to be on the lookout for threats and to understand how to identify those that slip through the cracks.
For example, some companies train employees by randomly sending them emails that emulate the appearance of a typical malicious email. Anyone who mistakenly clicks on the embedded link is then warned that they would have compromised their security. After two such clicks, the employee is sent to an online security training course and a note goes to their manager.
This kind of training program can be implemented quickly with a significant impact. It helps employees realize that they can’t simply rely on spam filters but must learn to recognize harmful emails. The system encourages them to constantly monitor their emails so that they don’t have to retake the training and have their manager alerted that they got fooled again.
Cyber training may be enough protection for businesses that operate mostly offline. But as the world becomes increasingly digital, it will be essential for most companies to go beyond the basics.
Cybersecurity software options range widely in price and breadth of coverage. Some of the most basic security programs are free and simply ensure that computer networks are up to date on critical updates, that there aren’t any computer misconfigurations, and that all security patches are installed.
More intensive software can provide a wide array of security procedures and management analytics. The right fit will depend on your client’s needs and current systems.
There is a lot of complexity in the cybersecurity software space, so depending on the tech-savviness of a business client and their technology usage, it may make sense to use professional services to provide an appropriate package of software and monitoring solutions.
With the influence of cloud-based solutions for the digital age, cybersecurity is increasingly software-based. But some tech companies still provide hardware solutions, from VPN dongles and encrypted USB storage to mainframe solutions.
One such product sits between the internet and the user’s computer, performing all internet actions in a virtual environment and sending the results of those actions as pixels to the user’s screen. This means no active code ever moves from the internet to the computer, so malicious web content can’t compromise it.
Hardware solutions may be good options for high-tech companies that handle large quantities of sensitive information online and need very robust protection.
Depending on their risk profile and needs, businesses may use a combination of these methods. To determine which combination is right for a client, there are two important questions independent agents can ask:
1) How much customer data is available on the client’s computer systems, and how sensitive is it? The more sensitive the information, the greater the need for a significant software solution on top of employee training.
2) How critical are the client’s computer systems in day-to-day operations? Companies that do much of their day-to-day business online would be more impacted by a ransomware attack and should take more precautions.
As cybersecurity risks increase for small and medium-sized businesses, independent agents should take time to educate themselves and advise clients on which solutions may be most effective for mitigating risk.
Sam Affolter is senior director of agent research and innovation, Liberty Mutual Insurance.