Experts say small businesses should take cybersecurity seriously, especially given that the National Association of Insurance Commissioners’ (NAIC) latest statistics reveal an average 66.9% cyber loss ratio for the top 20 insurance groups providing cybersecurity insurance in 2020, a significant increase from 44.6% in 2019.
Steven W. Teppler, chair of the cybersecurity and privacy practice at the law firm of Mandelbaum Barrett PC in Roseland, highlights the importance of both cybersecurity and data breach prevention/response. He explains, “You want to keep [operating] your business and you don’t want to be run into the ground [and have] a quarter-million-dollar liability out-of-the-box if you have a data breach [as a] small business.”
He also advises, “There’s no return on investment for security, but like insurance, the look-back makes it look very, very cheap.”
Countless businesses believe they have already properly addressed cybersecurity, yet FBI statistics show that issues clearly remain: for example, there were 19,954 business e-mail compromise (BEC) incidents in 2021, virtually holding steady from 19,369 in 2020. Last year’s BEC losses hit a staggering total of nearly $2.4 billion.
“[Threat actors] are becoming much more sophisticated [and] acting against small as well as large companies,” explains Mandelbaum Barrett’s Teppler. “[For example, they] will find out when your HR or finance person goes on vacation and if they can hack [that person’s] e-mail, they will then wind up spoofing their identity [and] causing a wire transfer to be made to a fraudulent account. That’s the sort of thing that you have to look [out] for.”
The FBI’s 2021 Internet Crime Report details that at least since the onset of the COVID-19 pandemic, BEC criminals will, for example, compromise a financial director’s e-mail account and then request a virtual meeting with a company’s employee(s) in which the criminals insert a still picture of the CEO/CFO. After claiming that audio isn’t working or by “deep faking” the CEO’s/CFO’s audio, the criminals then ask for a fraudulent wire transfer either through the virtual meeting itself or via the financial director’s compromised e-mail.
What are other common cybersecurity scenarios? Michael Geraghty, the State of New Jersey’s chief information security officer and director of the New Jersey Cybersecurity and Communications Integration Cell (NJCCIC) (a component organization within the New Jersey Office of Homeland Security and Preparedness), tells New Jersey Business Magazine that “human error,” including not changing passwords, not using multi-factor authentication (MFA), failing to patch software/operating systems and falling victim to phishing e-mails are key cybersecurity areas in which criminals succeed.
Geraghty says overall, “The way we look at cybersecurity here [at NJCCIC] – especially [with] attackers from anywhere in the world, at any time of the day [and] with any skill set (whether it’s a very novice attacker to a nation-state actor) – it’s not necessarily how valuable you are, it’s how vulnerable you are.”
And vulnerabilities can take a nearly endless variety of forms. For example, Rashaad Bajwa, the founder and CEO of Cranbury-based Integris – a national provider of premium IT and cybersecurity services to small- and medium-sized businesses – cautions that businesses should not leave computer equipment unattended in remote-work offices.
“There are a lot of computers, switches and Wi-Fi devices sitting in offices that are unsecure and employees are not using them,” he explains. “[These devices] are going unpatched and unmonitored, and they can be taken advantage of.” He adds, however, that adverse incidents (such as janitors or others accessing computers) have not yet become “mainstream with the bad guys.”
With these and other cybersecurity dangers at hand, there are at least two broad, preventative approaches small businesses can take: The first is to contact a cybersecurity attorney, who – under attorney-client privilege – can recommend a cyber insurance company, cybersecurity experts and possibly a crisis PR firm, the latter useful if a cybersecurity incident arises. Attorneys can additionally assess both risk and cybersecurity policies, act as point people during unfolding cybersecurity incidents and engage trusted cyber forensics experts as appropriate.
Mandelbaum Barrett’s Teppler says of preventative tactics overall: “Under cover of attorney-client privilege, we ‘go through the car’ and make sure that it’s functional and that there aren’t any leaks or malfunctions. We then present [the findings] to the client and say, ‘Look, this is where you have gaps, and this is where you don’t.’”
The second is to contact a managed services IT provider and then hire an attorney, if necessary, for contracts and documentation.
However, not just any attorney will do. Integris’ Bajwa explains, “Before [businesses] go out and get their own attorneys, companies should talk to their cyber insurance providers because they often have attorneys with whom they will require you to work.”
He adds, “The same thing applies for companies like ours. We help with response and business resumption after a [data] breach, but not every insurance company works with every IT provider. A lot of them have their own … breach coaches, cybersecurity specialists and forensic folks with whom they work. Just like if you had a car accident, [the insurance company] doesn’t necessarily work with every repair shop.”
What specific cybersecurity steps can small businesses take? Again, these include – in part – using multi-factor authentication (MFA), keeping all software up to date, and training employees in cybersecurity awareness (e.g., teaching them not to click on unknown e-mail links, open unknown attachments or fall prey to social engineering schemes). Preparedness also means properly configuring firewalls, closing exposed ports (including Remote Desktop Protocol (RDP)) and using cloud configurations correctly. Experts additionally say that good endpoint protection is key, such as Endpoint Detection and Response (EDR) and Managed Detection and Response (MDR), which focus on detecting and responding to threats rather than on the pattern matching of traditional anti-virus software.
But there is more to the equation: Mandelbaum Barrett’s Teppler explains that companies should not only account for all their computing devices, but also understand the flow of information within their organization and to/from it, who has access to that information, and to what degree. Only then can cybersecurity gaps be identified.
A company’s broader approach can include formulating policies for cybersecurity, backups, incident response, disaster recovery, and business continuity. Teppler explains, “Basically, it’s what do you do when something happens: Who does what? Have it in a way that’s understandable and testable, and make sure that you have practiced … an exercise with a fake intrusion.”
While no cybersecurity plan is 100% secure, Integris’ Bajwa says, “We’re getting to a point [in time] when there are multiple layers of protection to keep people safe from their own [cyber] mistakes … unlike in the past, where one accidental click, one accidental mistake [would mean] there was a huge price to pay.”
He adds, “We’re moving in a good direction. … Technology has, I think, improved faster and better than the bad guys’ capability in finding vulnerabilities.”
However, clear and present hazards remain for all companies, especially those that do not avail themselves of proper prevention methods.
NJCCIC’s Geraghty concludes, “We’re becoming [increasingly] dependent on connected systems for everything that we do, both in business and in our personal lives. Obviously, we’ve got to take the precautions that are necessary to prevent ourselves from becoming victims.”