Can Insurance Bring Order to the Cybersecurity Chaos?
The SMB cybersecurity gap threatens the world economy
Cybercrime used to be a concern only for the largest enterprises, but that is no longer the case. Cybercrime is projected to cost businesses $10.5 trillion annually by 2025, and automated, at-scale attacks increasingly target small and mid-sized businesses (SMBs).
The World Economic Forum reports that small and mid-sized businesses make up about 70% of the global GDP, 70% of worldwide employment, and 90% of the world’s companies. Despite their obvious and outsized importance to society at large, these businesses are extremely vulnerable to cyberattacks. Yet, conversations around cyber risk continuously fail to prioritize SMBs.
The problem is systemic, urgent, and potentially damaging on a global scale, yet software vendors, security providers, and regulators continue to overlook the mounting cyber risk and resulting losses facing small and mid-sized businesses.
Software Vendors Are Responsible for Significant SMB Cyber Risk
Most cyberattacks exploit a vulnerability in a technology product to gain access to a victim’s network. The unfortunate reality is that the industry accepts the recurrence of critical vulnerabilities with little expectation of the vendor beyond issuing a notification and making a patch available. The average small or mid-sized business depends on dozens of technology products, each of which needs software updates several times a year.
On top of that, technology vendors tend to prioritize functionality over security, leaving businesses responsible for tightening the default security settings of the software they buy. If those businesses don’t know what changes to make, or even that changes are needed (and most of them don’t), they unknowingly leave themselves open to simple, repetitive attacks that abuse the very tools they rely on.
Correcting the shortcomings of default settings would add minimal work for vendors, who simply need to make already available security settings the default, and would greatly reduce risk for businesses, who would no longer need to opt into basic security. The United States Cybersecurity and Infrastructure Security Agency (CISA) promotes this practice under the name “secure-by-default”: software should not require additional action or payment from the user to be secure; instead, it ships with security best practices already enabled and configured out of the box.
Outside of large enterprises, most businesses simply don’t have the dedicated security staff and expertise required to track these issues, understand them, act on them, and keep their systems maintained. Additionally, the security industry has always prioritized large enterprises with big budgets, and as tools grow more sophisticated and expensive, that trend is only accelerating, leaving small and mid-sized businesses behind.
This doesn’t even account for zero-day attacks, in which businesses are compromised before a patch is available, leaving them with no protection or recourse against a vulnerability they did not know existed.
Who Can Create and Enforce a Security Standard for Software?
The concept is straightforward: the burden of security should fall on the developers of software, not on its users. Government regulation is the option of last resort when market participants cannot create the right incentives on their own, and it comes at a high price. Luckily, I don’t believe we need heavy government involvement, because a new stakeholder in security, the insurance industry, is best positioned to set and enforce security standards for software.
Historically, insurance has created and enforced risk mitigation standards in every domain of risk it covers, including workplace safety and fire safety. Car passengers owe a lot to the insurance industry: in 1983, over the objections of automobile manufacturers, the insurer State Farm sued the U.S. federal government over its withdrawal of the passive-restraint (airbag and automatic seatbelt) standard, and the Supreme Court sided with the insurer, putting airbags on the path to becoming a legal requirement in every new vehicle.
There’s a similar opportunity for the cyber insurance industry to use underwriting standards and the pricing and availability of coverage to hold software vendors accountable for the risk they create. If customers running high-risk or badly configured software pay higher premiums or receive more restricted coverage, the market will respond: demand for insecure software will fall, and vendors will be held accountable for the choices they make.
Governments and policymakers should then intervene to turn these insurance standards into compliance requirements, thus codifying the protection of businesses and moving the entire economy to a more secure future.
InsurSec: Creating a More Secure Future for All Businesses
Software vendors must understand what’s at stake for small businesses and the economy at large. Caring about security for everyone — not just large enterprises — is a necessity that will not only benefit their customers, but also their bottom line.
Until then, as SMBs continue to struggle with expensive, complex security tools they can’t operate, InsurSec can help them bridge the gap.
This end-to-end approach combines cybersecurity and insurance into a single risk management program. Because acquiring the right security tools and expertise is difficult and expensive, insurance has become the most important risk defense available to SMBs. That is why it’s crucial that they partner with an insurance provider that doesn’t just help when things go wrong, but actively helps them build a strong security posture throughout the life of the policy, stopping attacks before they ever happen.
Insurance and security create a natural feedback loop. Through claims data, insurance has the unique ability (and the financial incentive) to quantify and mitigate risk, which is a critical input into security. Security then enables companies to stay ahead of risk and take the right actions to reduce their exposure, which helps keep losses down and productivity up.
At-Bay is at the forefront of InsurSec. We are already helping thousands of businesses close their cybersecurity gaps through At-Bay Stance™, our managed risk solution that combines mission-critical products and services that reduce cyber risk.
About the Author
Rotem Iram is the Co-Founder and Chief Executive Officer of At-Bay, the world’s first InsurSec provider designed from the ground up to help businesses tackle cyber risk head on. By combining industry-leading insurance with world-class cybersecurity technology, At-Bay offers end-to-end prevention and protection for the digital age.
Before founding At-Bay in 2016, Iram spent two years as Managing Director and Chief Operating Officer at K2 Intelligence, a leading global risk management firm focusing on cyber intelligence, cyber defense strategy, and incident response. He began his career as a captain in Unit 8200 of the Israeli Intelligence Corps and was a consultant at McKinsey & Company. Iram holds a BS in Computer Engineering from The Hebrew University of Jerusalem and an MBA from Harvard Business School.