Derek Kernus, Author at Smallbiztechnology.com
https://www.smallbiztechnology.com/archive/author/derek-kernus/

What Every Small Business Needs to Know about Cyber Insurance
https://www.smallbiztechnology.com/archive/2022/11/what-every-small-business-needs-to-know-about-cyber-insurance.html/
Tue, 01 Nov 2022 17:01:57 +0000
Small business. Big cybersecurity risks. We’re continuing to see cyber threats impacting growing companies at an alarming rate. Forty-six percent of all cyber-attacks now affect businesses with fewer than 1,000 employees, according to Verizon’s Data Breach Investigations Report. Combined with the startling IBM report that noted 60 percent of those businesses close their doors within six months of an attack, we know that cyber is a winner-takes-all kind of risk. Yet, many small businesses do little or nothing to protect themselves with cyber insurance.

If that’s you, I have a plan.

Why are small businesses big targets?

It’s helpful to understand the reality behind the statistics. Small and medium-sized businesses are a popular target because they tend to have poor cybersecurity compared to their larger counterparts. Many attackers want money, so small businesses are more likely to pay to recover. Others want access to data – and small businesses have that, plus access to larger partners and vendors. 

Many small business owners think they are flying under the radar and are too small to be targeted, but phishing schemes and ransomware are crimes of opportunity and even a few hundred dollars of ransom is profitable for cybercriminals.

The case for cyber insurance

With new, next-gen attacks using artificial intelligence technologies to study and replicate human behavior for sophisticated phishing schemes, businesses of every size are being compelled to protect their company, employees, and data. And a natural starting place for many small-to-medium businesses is cyber insurance. 

Cyber liability insurance protects the business, at a relatively low price point, from the high costs of recovering from a data breach or malware attack. Recovery costs may include ransom payments, but also the technical resources needed to recover lost data and restore system access, communication with stakeholders, lost productivity due to the breach, and reputational damage.

While insurance can make the difference between closing your doors and surviving a cyber-attack, it isn’t a complete solution.

The one issue with cyber insurance 

Cyber insurance may help your business recover from an attack. But it does little to fight off attackers in the first place. 

Today, most insurance policies require basic cyber hygiene to qualify for coverage, such as having practices and plans to keep sensitive data organized, safe, and secure; more advanced security helps lower rates. Companies are allowed to self-attest to their cyber protection, but insurers are beginning to ask for objective evidence that a control is actually in place when it is marked implemented on a questionnaire.

A recent article from Insurance Journal explains how one insurance company refused to pay out the policy after it determined that the company filing the claim hadn’t actually followed its own cybersecurity plans, allowing an attack to happen.

A complete solution for companies of any size includes cyber insurance, cybersecurity protection, and employee training.

A three-step plan

Anyone running a business knows there are certain operational requirements. Cybersecurity now joins traditional tasks like running payroll, obtaining Internet access, and purchasing office supplies. Developing and maintaining comprehensive cybersecurity practices is a must for any company that has customers, data, or employees. In other words, every company.

Because small business owners tend to wear many hats and involve themselves in core business activities, they often view cybersecurity as a challenge. But it doesn’t have to be. 

I’ve outlined a three-step plan for small businesses to establish a cybersecurity baseline and prepare for cybersecurity insurance coverage.  

Step 1: Assess your cybersecurity posture.

Start by making a list of all hardware, software, and online applications your business uses. Analyze the list for security vulnerabilities. That might include how you dispose of old and unused equipment, how often you install software updates, what password guidelines are used, how often you back up data, and whether employees connect to work systems remotely.

Step 2: Create a basic cyber hygiene policy.

With insights from your assessment, write out a set of practices (the rules, procedures, personnel, and schedules) to maintain good cyber hygiene. Minimally it should include:

  • Passwords: Complex passwords, changed regularly
  • Software updates: Updating all software you use regularly and installing security patches when released
  • Hardware updates: Computers, smartphones, and other mobile devices need firmware updated regularly
  • Management of new installs: Anything new that connects to your systems or internet access needs to be documented and installed properly. Employees should not download apps or connect to new accounts without permission
  • Limit users: Only those who need admin-level access to programs should have it
  • Backup of data: All data needs to be backed up to a secondary source (such as a hard drive or cloud storage) to ensure its safety in the event of a breach or ransom
  • A cybersecurity framework: Select a framework used by your industry or available from the U.S. government, like the NIST Cybersecurity Framework, to guide more advanced security standards. Even if you aren’t fully compliant with all guidelines right away, these frameworks can help you focus your plans and security investments

Step 3: Do your insurance homework.

All cyber insurance policies are not created equal. Compare rates and coverage and ask about factors that lower rates. You may be able to get a lower insurance rate simply by switching on multi-factor authentication for your email accounts, or by completing online training classes. Also look for policies with valuable benefits, like cyber investigators who help during an attack or legal aid to determine your liability to customers and vendors.

Cybersecurity is for every business, and cyber liability insurance has quickly become an important part of protecting the country’s small businesses. While the threats will continue to be challenging, preparing your business to face them is feasible with sound cyber hygiene practices.

The post What Every Small Business Needs to Know about Cyber Insurance appeared first on SmallBizTechnology.

Make Good Choices: Breaking Down your Cybersecurity Options
https://www.smallbiztechnology.com/archive/2022/08/make-good-choices-breaking-down-your-cybersecurity-options.html/
Fri, 19 Aug 2022 14:10:21 +0000
Every business needs to practice good cybersecurity. But government contractors face an especially rigorous slew of requirements and mandates, for good reasons. Protecting your data is important. Protecting the government’s data is of national-security importance, which is why your cybersecurity options matter so much. While it’s tempting to do the minimum to keep costs low, every business leader knows that risks are evolving. The best approach for small and mid-sized businesses is to adopt industry best practices, align your cybersecurity program with your business strategy, and address future needs with a program that is robust and scalable.

In an effort to capitalize on cybersecurity spending, many providers have resorted to pushy tactics. Their packages cover some of the basics but also include extras your company may not want or need, or multi-year service contracts that far exceed any government requirements. If you don’t have some technical background in IT and know what’s required of your company, it’s easy to be swayed by marketing.

I advise business leaders to get smart. And the best way to do that is to seek out a variety of providers and ask for a free estimate. A good company will ask questions and provide a recommendation and costs. A great one will make sure you understand what’s required, where your company currently stands, and what services you will need. Your decision should include services that complement your own internal capabilities to:

Embed Best Practices

While thousands of U.S. companies will need to comply with NIST 800-171, CMMC 2.0, and DFARS Clause 252.204-7012, bad actors are also hard at work devising new ways to trick employees. That’s why it’s important to have a security mindset, a security-focused culture, and to continuously train and test your workforce. Indeed, adopting and embracing these best practices is a sign that security is part of everything you do.

Just look at CMMC Level 2. Of its 110 controls, about half are technical in nature. The rest require new policies and procedures involving a change in employee behaviors. When security is truly a core value of your organization, classroom cybersecurity training is reinforced in daily processes and interactions. Plus, thinking about security first becomes a habit. 

Align Cybersecurity Options and Business Strategy

Just like all of the other administrative functions in your company (finance, HR, operations), cybersecurity runs through all that you do. Managing the risks that pose a threat to your organization’s overall health requires staying focused on the big picture. To do that, you must align cybersecurity options to your business goals. 

  • Use security plans to also meet larger company goals, like digital transformation, paperless operations, or upskilling employees.
  • Connect security objectives to business requirements. For example, specific security objectives can be built into staff performance goals and supplier performance measurements. Protecting assets and information and avoiding breaches helps you meet business objectives.
  • Focus on reducing risk, not eliminating it. Cybersecurity is a journey of incremental steps.

Focus on the Future

Every industry has or is developing cybersecurity standards. A future-focused strategy doesn’t just meet today’s minimum requirements. Instead, it looks at implementing coordinated programs and technology that can scale as requirements change. With a robust cybersecurity program in place, your company can pursue any certifications or audits that are needed or required. And your brand can use security as a competitive advantage. 

As an example of this approach, if you do work with the U.S. Government, it’s probably wise to invest in a high-trust environment like GCC High now. Not only does it meet current requirements, but it will fulfill compliance goals for CMMC 2.0, DFARS, FAR, ITAR, and CJIS.

Consider Your Options—and You Do Have Options

If you believe the ads that pop up when you search for cybersecurity, every provider out there has a single solution that meets all your needs. The truth is that there are many options and pathways. Tailor your approach to your company’s structure, existing systems, and business goals. 

You even have a choice when it comes to licenses. Returning to our GCC High example, GCC High requires a vetting process and comes with a bigger price tag. Options exist to use Microsoft Commercial in combination with other solutions to achieve the same level of security and compliance standards for less. A provider motivated only by their profits, and not invested in your success, might not present other options or even offer them within their portfolio. This is where internal knowledge and comparison shopping can help.

Also, your provider matters, even for licenses. Some good ones include implementation and configuration in their costs, and some even help with documentation.

Cybersecurity is a significant investment for companies that may not have done risk management or security as part of their operations before now. However, make no mistake, every small or medium-sized business, regardless of its industry, now must incorporate security into their processes (the risks and impact are too high to leave it to chance). The best approach is to adopt industry best practices, align your cybersecurity options with your business strategy, and remain future-focused.

The post Make Good Choices: Breaking Down your Cybersecurity Options appeared first on SmallBizTechnology.

Waiting on Security: The Real Cost
https://www.smallbiztechnology.com/archive/2022/04/waiting-on-security.html/
Fri, 01 Apr 2022 17:50:58 +0000
To own a small business, you’ve got to be at least something of a gambler. As a result, you get comfortable taking chances. Ignoring risks. However, you do not want to roll the dice by waiting on security.

You know all too well that many businesses owe their success to luck as often as labor. That’s not to say that the risks you take aren’t carefully calculated – they are. However, many of you reading this may have risked everything by waiting to take effective cybersecurity measures.

The cybersecurity risks have never been higher than right now — and the government knows it.

It’s why the Cybersecurity and Infrastructure Security Agency (CISA) announced the Shields Up program. Shields Up is designed to protect American businesses from malicious cyber activity surrounding Russia’s invasion of Ukraine. It’s also why the DOJ announced it will fine government contractors and other businesses that fail to follow cybersecurity standards or fail to report cybersecurity incidents.

Waiting on security upgrades until regulatory agencies mandate security can be costly and dangerous for your businesses.

Any company, including contractors and subcontractors, that does business with the government faces a slew of orders to be compliant with various cybersecurity frameworks. This includes NIST 800-171, which outlines the required security standards and practices for non-federal organizations. Likewise, FAR 52.204-21 lays out 15 basic safeguards surrounding data, physical security, and cyber hygiene. Similarly, the Cybersecurity Maturity Model Certification (CMMC) program is a framework designed to protect the defense industrial base.

Playing a Dangerous Game of Cybersecurity Chance

As regulators negotiate, discuss, and finalize, we’ve noticed an alarming trend. Many companies are hitting the “Pause” button.

We get it. Last year’s CMMC town halls highlighted small business concerns. The new policies being proposed put a disproportional burden on smaller companies that might not have the systems, in-house expertise, or budget for the required response.

The industry developed CMMC 2.0 to address those issues. And in many ways, it does. But it also contains a few surprises.

The Reality Check

If you’ve pumped the brakes on investing in more robust cyber security and are waiting to see what the regulations will look like, you’re taking a huge gamble. Here’s the reality.

Attacks won’t wait.

While you spend time waiting on security, your business continues to be at risk for a data hack or ransom.

The business interruption, reputation damage, proprietary information losses, recovery fees, and customer or contract losses are often enough to sink even the most stable businesses. And any cyber insurance policy you’ve got won’t be sufficient. It won’t cover everything.

If hackers return your data after a ransomware attack, your problems may multiply. Corrupted and inaccessible data aren’t much use.

The “final” version will come up too quickly.

When DoD starts using CMMC 2.0 guidelines, it will be with just 60 days’ notice.

That’s not enough time for most companies to complete remediation work. Waiting for a final version or official start may cost you contract opportunities. If you’re ready to go sooner, however, you might be able to grab work from others who are not.

While not fully finalized, DoD is planning to offer incentives to organizations that go through the certification process prior to the final rulemaking for CMMC.

Your to-do list has 320 tasks!

The requirement to be compliant with NIST 800-171 cybersecurity framework has 110 controls that require 320 assessment objectives.

For Maturity Level 1 and non-prioritized Maturity Level 2 contracts, senior leadership will self-attest to their company’s compliance each year.

But that’s not a free pass. The DOJ has already used the False Claims Act to go after companies who self-attest, have a security incident, and are found, through an investigation, not compliant.

Documentation did not go away.

Many companies believed that CMMC 2.0 would do away with documentation: It. Did. Not.

Companies must document all of the 320 assessment objectives. It’s a significant amount of work — and few companies can do it all internally. That is another reason waiting on security measures will backfire when the time crunch comes.

The ROI Dilemma

We acknowledge that the cost of cybersecurity seems daunting.

Many companies haven’t invested in an enterprise-level solution or even budgeted for ongoing cybersecurity work. But they need to.

Cybersecurity has become a normalized expense for business operations, like paying payroll taxes or carrying insurance. If you’re struggling to see the ROI of cybersecurity consider three things.

1. Small businesses are the ideal target for ransomware hackers.

Cybercriminals know you have fewer resources and staff to prepare for, defend against, and recover from attacks. Attacks have doubled in the last year because they are incredibly lucrative and you’re a great testbed to prepare for larger attacks.

2. The average cost for a data breach in a small company is $108,000.

But money isn’t the only thing at stake. The disruption, recovery, and unanticipated costs — plus customer frustration — have been shown to take a far greater financial toll on companies. This can total as much as $3 million per incident for companies with fewer than 500 employees.

3. Cybersecurity can be a competitive advantage.

While others delay, you can cash in on customer and partner trust built on the strength of your cybersecurity program.

There is an easy way to begin.

A slow roll is still a step in the right direction. We advise small businesses to do several things right now to get things started. Most of them won’t cost you a dime!

Talk real numbers.

A realistic estimate is the first step toward developing a compliant security plan.

A good cybersecurity services company will provide a basic assessment and estimate free of charge. A great cybersecurity services company will further your education, explaining the standards you will need to follow, where you stand now, and the scope of a solution.

Real numbers allow you to plan ahead and budget for security. Very often, we surprise small businesses when they learn that cybersecurity compliance doesn’t cost as much as they expected.

Understand your attack surface.

The physical front door isn’t the only way people are entering your business.

All of your web apps, portals, and bill pay systems are entrance points too. Identifying all of your assets is the first step in securing them.

Now is the time to conduct a thorough audit of your digital ecosystem to understand your attack surface and plan for ongoing monitoring.

Revisit your incident response plan…and practice it!

In case of a security incident, every employee with network access should understand the plan.

Above all, your Incident Response Team, encompassing leadership, IT, HR, legal, and communications, should practice their first steps. It is also helpful to have written procedures and a printed phone tree that clearly spells out whom to contact and under what circumstances.

Back up your data.

Put together an ironclad schedule for backing up all data. Likewise, it’s valuable to test the procedures for restoring information, too, in case you are hit with ransomware or another cyberattack.
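The step most backup schedules skip is the restore test. The following script is an added example, not code from the article or from DTS: it creates a small constructed dataset, backs it up into a tar.gz with a SHA-256 manifest, restores it into a separate directory, and checks every restored file against the manifest. The file names and contents are made up for the drill, and the extraction step refuses archive entries that would write outside the restore directory.

```python
"""Backup-and-verify-restore drill (added example; sample data is constructed)."""
import hashlib
import json
import tarfile
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in 64 KiB chunks so large files never need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(data_dir: Path) -> dict:
    """Map each file's path (relative to data_dir) to its SHA-256 digest."""
    return {
        str(p.relative_to(data_dir)): sha256_of(p)
        for p in sorted(data_dir.rglob("*"))
        if p.is_file()
    }


def make_backup(data_dir: Path, archive: Path) -> dict:
    """Archive the data directory and write the manifest beside the archive."""
    manifest = build_manifest(data_dir)
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(data_dir, arcname="data")
    manifest_path = archive.parent / (archive.name + ".manifest.json")
    manifest_path.write_text(json.dumps(manifest, indent=2))
    return manifest


def _safe_members(tar: tarfile.TarFile):
    """Refuse entries that could escape the restore directory (absolute paths,
    '..' components, symlinks or hard links) before anything is written."""
    for m in tar.getmembers():
        if m.name.startswith("/") or ".." in Path(m.name).parts or m.issym() or m.islnk():
            raise ValueError(f"unsafe archive entry: {m.name}")
        yield m


def restore_backup(archive: Path, target: Path) -> Path:
    """Extract the archive into target and return the restored data root."""
    with tarfile.open(archive, "r:gz") as tar:
        tar.extractall(target, members=_safe_members(tar))
    return target / "data"


def verify_restore(restored: Path, manifest: dict) -> dict:
    """Compare the restored tree with the manifest and report every discrepancy."""
    actual = build_manifest(restored)
    return {
        "missing": sorted(set(manifest) - set(actual)),
        "unexpected": sorted(set(actual) - set(manifest)),
        "corrupted": sorted(k for k in manifest if k in actual and actual[k] != manifest[k]),
    }


def run_drill(corrupt_one_file: bool = False) -> dict:
    """End-to-end drill on constructed sample data; returns the verification report.
    With corrupt_one_file=True a restored file is altered to show that the
    check actually catches a bad restore."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        data = root / "data"
        (data / "invoices").mkdir(parents=True)
        # Constructed sample records, not real business data.
        (data / "invoices" / "2022-03.csv").write_text("id,amount\n1,250.00\n")
        (data / "customers.txt").write_text("Acme Corp\nGlobex\n")

        archive = root / "backup.tar.gz"
        manifest = make_backup(data, archive)
        restored = restore_backup(archive, root / "restore")
        if corrupt_one_file:
            (restored / "customers.txt").write_text("Acme Corp\n")

        report = verify_restore(restored, manifest)
        report["ok"] = not any(report[k] for k in ("missing", "unexpected", "corrupted"))
        return report


if __name__ == "__main__":
    print(json.dumps(run_drill(), indent=2))
    print(json.dumps(run_drill(corrupt_one_file=True), indent=2))
```

Scheduling the backup is only half the job; run something like `run_drill()` against a real restore on a schedule too, and treat a non-empty `missing` or `corrupted` list as an incident in its own right, because it means the backup you are counting on would not get you back up after ransomware.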

A good look at cybersecurity realities can help small business owners and leaders change the game. Therefore, there’s no need to gamble with your company’s future and reputation.

Cybersecurity-building steps often start with a slow roll and pick-up speed as companies understand more about their requirements and the business benefits of a robust security stance.


Derek Kernus is the director of cybersecurity operations at DTS and holds CISSP, CCSP and CMMC RP certifications. DTS provides tailored, scalable cyber solutions for small- and medium-sized organizations leveraging top resources and the expertise of talented individuals with a passion for excellence to help protect our clients’ people and data.

The post Waiting on Security: The Real Cost appeared first on SmallBizTechnology.
