Why Cybersecurity for SMBs is Broken and Only InsurSec Can Fix It
An integrated managed-risk solution that combines mission-critical security and mitigation capabilities — all as part of an insurance policy — can help reduce cyber attacks on SMBs.
Cyber crime used to be an issue that enterprise businesses mostly grappled with, but it has slowly grown into the greatest threat small businesses face today. The rapid adoption of technology by small businesses over the last few years, coupled with their lack of investment in cybersecurity tools and resources, has made them easy targets. For example, 82% of ransomware attacks in 2021 targeted companies with fewer than 1,000 employees.[1]
Our claims data shows that most ransomware attacks in the mid-market are not sophisticated and could have been prevented with the right intelligence and tools. Attackers looked for predictable and easy-to-identify security issues and attacked whatever they found. For example, email incidents accounted for 41% of our customer claims in the first half of 2022.
A single security incident can have a catastrophic impact on the financial stability of small businesses. And yet, many of them lack the know-how and expertise needed to prevent and mitigate risk, or don’t even realize[2] what their risk exposure is.
This much is clear — cybersecurity for small businesses is broken and the status quo isn’t cutting it any longer.
InsurSec Is What Insurance Needs To Be Today
InsurSec is an integrated, end-to-end approach to protecting businesses from cyber threats by bringing insurance and security together. It combines the best prevention and detection technology, the expertise of cyber professionals, and the backing of an insurance company, to protect a business in a way that neither of these solutions could do alone. It’s a force multiplier that provides security, threat intelligence, and human experts to bridge a business’s capability gap, all as part of their insurance policy.
What makes an InsurSec approach to risk management so powerful is that the provider has the same incentive as the businesses they cover — to avoid financial loss — and uses its claims experience and data to help customers make better security decisions that have the biggest impact on their risk.
The InsurSec provider identifies issues and works with the business to help address threats proactively. Not only does this approach prevent an attack, it also covers financial losses and helps the business get back on its feet if an attack does impact them.
The core belief that InsurSec is built on is that insurance shouldn’t only help when things go wrong. By combining insurance and security, InsurSec providers have visibility into the vulnerabilities AND the fixes. By reducing risk, they can reduce attacks and losses.
Cybersecurity for Small Businesses is Fundamentally Broken
Along with the commercialization of cryptocurrencies, AI, and connected workplace technology, we’ve seen an increase in risks related to data privacy and cyber crime. According to the Centre for Strategic and International Studies (CSIS), cyber attacks cost businesses an estimated ~$600 billion (USD) annually,[3] or 0.8% of global GDP.
Internal auditors[4] and business owners recognize that technology is both the single largest driver of growth and the single largest source of risk, at a magnitude never previously imagined. This new digital risk is complex and constantly evolving. In 2022 alone, there were 236 million ransomware attacks[5] worldwide.
In the digital age, no organization is safe from cyber threats, but when it comes to who is more impacted, size does matter. A significant number of small business owners feel unprepared and understaffed for responding to evolving threats, and face challenges in securing cyber insurance and security training for their workforces.[6] They also struggle with deciding what security tools to use, and what expertise is needed to establish a robust security posture.
When a business is attacked, sales are interrupted, websites and stores shut down, and customers lose trust in the brand. In a 2022 CNBC survey, 55% of U.S. respondents said they would be less likely to continue doing business with companies that are breached.[7]
There are multiple reasons why small businesses are easier targets:
- They often don’t take a proactive stance before an attack becomes a real threat.
- They lack threat intelligence and expertise to strengthen their security posture.
- They have fewer security protections in place compared to large enterprises.
- They tend to use free or low-cost security tools designed to protect consumers, not businesses, due to smaller IT budgets.
- They often hold large volumes of customer payment data that hackers can benefit from financially.
- The opportunity to receive smaller amounts of money from numerous businesses is lucrative to attackers.
- These attacks are less likely to attract media and law enforcement attention compared to those on larger companies.
Software and technology have placed an unfair burden on emerging businesses: it’s too hard for them to keep up with evolving vulnerabilities and threats, and when they suffer an attack, they’re often left to pick up the pieces on their own. Security products are complex, and require expertise they can’t afford. They need their security managed by a vendor, which comes with a hefty price tag. Business owners want to focus their time and resources on growth, not cybersecurity.
On top of all these concerns, third-party software and service providers are potential sources of vulnerabilities as well. Businesses today use multiple types of software and tools, across every department. Just keeping track of them all can be a challenge, let alone ensuring they are up to date and secure — especially for a smaller team with limited resources.
Small Businesses Need Security Confidence, Not More Tools
Let’s look at a common scenario we hear about from many business owners today. They paid a security vendor a lot of money for advice and monitoring software. It turns out it isn’t actually making them safer, as they’re still on their own, facing an avalanche of threat alerts without the in-house expertise, time and resources to figure it out. Most small businesses are slow to react to threats, and reports show that more than 20% of systems remain unpatched up to five months after a patch is available.[8]
An InsurSec approach can help shrink the window of opportunity for an attacker by more than five times. Our research shows that active risk monitoring and proactive alerts help businesses stay ahead of risks, by reducing their time to patch from 5 months to less than 2.5 months.
Nearly half the small businesses in North America lack a cyber attack response plan.[9] On the other side, organized, tech-savvy criminal organizations have emerged that can routinely launch attacks at scale, against thousands of companies at once. It’s no surprise that businesses are struggling to fight back on their own.
- What if they could adopt better security measures, easily and quickly?
- What if they had someone watching their back who was just as financially incentivized as them to prevent attacks in the first place?
- What if they could get the expert help they need, before they’re attacked, without spending thousands on headcount or pricey MSPs?
A Data-Driven Approach to Tackling Cyber Risk
You get reduced home or car insurance rates if you have smoke alarms or air bags. InsurSec takes this idea one step further—by using a combination of software and services to find and fix vulnerabilities, all as part of their insurance policy.
It’s insurance + security working together to minimize your risk exposure and maximize your security confidence.
Taking an InsurSec approach means your business can draw from a deep well of data that goes far beyond typical ransomware vectors to help you continuously adapt. With this approach, the InsurSec provider brings all the relevant security point solutions and data together with their broad, widely-correlated claims data (across every kind of cyber risk).
This helps businesses:
- Focus on the protection and fixes that provide significant ROI (by using financial data from past breaches)
- Improve their security posture more easily (by providing guidance and expertise)
- Recover and mitigate losses if they ever get attacked (by providing incident response and insurance)
Delivering Higher ROI and Security Confidence
The biggest problem hiding in plain sight is that these businesses don’t know how to consume cybersecurity technologies, intelligence and services to lower their risk of cyber crime. As a result, they’re not making the most of their insurance and cybersecurity investments.
According to a 2022 study conducted by At-Bay—where we interviewed 350+ U.S. customers with revenue of up to $500 million — SMBs spend an average of $125,000 per year on security, and yet they’re not necessarily safer because of it.
Let’s face it: No one has definitively solved the riddle of cybersecurity. Attacks have too many permutations, there are too many bad actors in too many countries.
Large companies have the resources to fight the good fight but small and medium businesses don’t. They can’t afford the security they need—and they can’t afford not to have security.
While achieving “perfect security” isn’t realistic, businesses should still aim for a high level of confidence in their security efforts, within the budget and resource limitations they have. Gaining Security Confidence requires having access to expertise and risk monitoring that continually tests their exposure, validates their security posture and/or highlights opportunities to strengthen their confidence further.
The bottom line is that for most fast-growing private companies, the only practical solution is to manage this end-to-end with a holistic approach like InsurSec that’s effective and easy, while saving them money.
The InsurSec Framework – How it All Works Together
Managed Prevention that delivers an active, actionable, aggregated view of each business’s potential exposure. This requires:
- An Exposure Management System – A purpose-built software platform that centralizes threat and vulnerability data from internal and external sources, evaluates and prioritizes areas of exposure, increases visibility, and empowers businesses to take action faster.
- Expert Guidance from real humans on how to prioritize vulnerabilities, stay up to date on threat intelligence, and improve their security posture.
Managed Security that includes regular monitoring of a business’s security posture by experts to continually find new threats and stop attacks before they happen. This requires:
- Validation Tools to help confirm if a threat has been resolved.
- Security Expertise to steer the business towards the best ways to resolve an issue or threat. This team offers “on-demand” services to help with remediation, and proactively shares advice and recommendations for new security solutions with a strong track record of preventing risk.
Response & Recovery that includes an incident response service to help a business if and when it is impacted by an attack. These services should:
- Quickly detect the threat, halt the attack, minimize total business impact and help prevent future attacks of the same type.
- Provide access to timely assistance from experts who can help the business get back on its feet after an incident occurs.
Insurance which acts as a financial backstop in the event that an incident does occur. Cyber insurance should provide:
- Protection from the financial impact of the attack on the business.
- A high-touch claims process that works with the business from the first report of a claim, and is closely aligned with incident response services to help customers bounce back after an attack.
A Smarter Risk Intelligence Engine for Better Outcomes
For an InsurSec solution to keep up with continually evolving threats and risk factors, the data from prevention, detection, response, recovery, and insurance claims should be fed back continuously into all these processes in a closed loop, so the entire system can continuously learn and make better recommendations.
This creates a powerful data and feedback loop that improves security outcomes for all of the provider’s customers, not just a few that are at risk. This also ensures that as new threats arise they can be quickly addressed, and ultimately improves both coverage and pricing for policyholders.
Small businesses lack the data needed to choose the right security solutions that drive better outcomes. They can get a better ROI on both their insurance and cyber spend when these solutions work together (and share data), not in isolation, all delivered by an insurance company that provides the protection from financial and reputational impact.
Best of Both Worlds – Why a Unified Solution Works Better
When it comes to managing cyber risk, businesses can mitigate it in one of two ways:
- By implementing technology and processes to prevent a loss from occurring.
- By purchasing insurance to provide coverage if you are impacted by an attack.
Since accessing the right tools and expertise is incredibly difficult and expensive for most small businesses, insurance has become the single most important risk defense mechanism that they turn to. But that comes with its own limitations.
The insurance industry already sets standards for its policyholders and generates legislation to make people and businesses safer. That’s one of the core functions of insurance. And due to the rampant growth of cyber risk most insurers already require policyholders to have a basic set of security protections in place in order to insure them. As a result, many small businesses who have been priced out of the security market are also being priced out of insurance.
With an InsurSec approach, an insurer can make it easier for businesses to meet the requirements needed to reduce their cyber risk AND get the coverage they need in the event of an attack.
Small businesses can sometimes spend twice as much on insurance as on security. If an insurance company makes its in-house security experts available to customers, the data already shows that the insurer AND the business save big.
For example, At-Bay’s nearly 30,000+ policyholders already experience 80% fewer ransomware attacks compared to the industry average.[10]
An insurance company can afford to provide managed security services because they save millions by reducing the number and size of claims from their policyholders.
Fortune 500 enterprises and cyber insurers already know a risk-based approach to security works best. But this has traditionally been a manual, time-consuming process that requires expertise, a lot of manpower and a variety of disconnected security, BI and reporting tools. An insurer like At-Bay can streamline this complexity into a managed-risk solution, underpinned by a broad, widely-correlated cybersecurity and claims data layer that reduces incidents and drives better security ROI for businesses.
If you were to build a security company from scratch today, it would be an insurance company.
We help you avoid damages, and help pay out if there’s an issue. We can leverage our scale and resources to bridge our customers’ technology and expertise gaps.
Most importantly, we are driven by our mission to help small businesses not just survive, but thrive. They are critical to the economic and social fabric of our society, enable other small businesses to thrive, attract tourism, create local jobs, build communities, and inspire the next generation of entrepreneurs.
The solution to protecting our small businesses is an end-to-end prevention and protection framework which helps prevent attacks before they happen, and also offers financial protection so they can recover quickly from any loss.
Investing in security is only half the strategy needed to empower a business to face cyber risk head on. An InsurSec provider shares your incentive to avoid financial loss, and uses expertise and data to help you make better security decisions that will have the biggest impact on your risk.
Managing cyber risk doesn’t have to be expensive and complicated. With the right tools, insights and some expert assistance, you can keep your business running smoothly — and securely.
See how our new InsurSec solution, At-Bay Stance, can help you gain visibility and peace of mind. So you can focus on what you do best: growing your business.
[4] Source: https://web.theiia.org/cn/atxbg/2023Pulse
[10] Frequency based on Primary and Excess Cyber and Tech Errors & Omissions losses reported and exposure earned through 9/30/2022, evaluated as of 10/1/2022, and 2020-2021 industry analysis.