By Erin Johnson, JCJ Insurance Agency

Scenario:

You had a great week. Projects are going smoothly, and clients are happy. You leave Friday afternoon for a relaxing weekend. You try to log in on Saturday, but the computer network system is acting weird, so you decide it can wait until Monday. When you get to the office Monday, you cannot access any of your files. You are hit with the sudden realization that your system has been breached. You get an email from a hacker demanding a ransom payment. Before you can process any of this, your phone starts ringing – employees at the office, employees that work remotely, and people coming into your office, all asking what they should do.

Well… what do you do? Your projects are stalled, employees are stressed, you are going to miss deadlines and proposals, and you have to begin the daunting task of getting back up and running. Do you pay the ransom, or try to recreate the work? How good are your backups? Do you have insurance or enough money to pay the ransom? Cyber breaches and ransom attacks are horrible. They are scary, time-consuming, and can be very expensive. Wouldn’t it be great if there were something you could do to prevent them? There is. It’s called MFA – Multi-Factor Authentication. The use of multi-factor authentication (MFA) could prevent as much as 80–90% of cyber-attacks, according to figures cited by the US national security cyber chief.[1]

If you do not have Multi-Factor Authentication, you need to make it a high priority for your firm.

What is Multi-Factor Authentication?

Multi-Factor Authentication, or MFA, is a cybersecurity tool that requires multiple factors or proofs of identity before access to your network is granted. At a minimum, it should be used for remote network and email access. 80% of hacking-related breaches are due to weak passwords.[2] MFA adds a layer of protection to the sign-in process and can prevent most cyber-attacks.

Cyber criminals are in business to make money. In 2020, cybercrime cost the world over $1 trillion.[3] Professional services firms, like yours, have become a major target for cyber criminals with cyberattacks including ransomware, phishing, and social engineering. Hackers know that most smaller firms do not have dedicated IT teams or advanced security tools. With the pandemic, the increase in remote workers has made it even easier for systems to be breached. Employees working from home may not have secure systems, which makes it easier for a cyber criminal to enter your system. Malicious emails have also become harder to recognize, with emails often looking like they came from someone you know and trust. Cyber criminals know the importance of your project files and your willingness to pay a ransom to get back up and running. However, if you are not easy prey, they will move on to their next target. MFA keeps cyber criminals out of your system and is your best defense for preventing all these different types of attacks. But no safeguard is 100% effective.

You have probably heard that it is not a question of if your firm will suffer a breach, but when. Since no cybersecurity tool can guarantee to stop all cyberattacks, your firm should also have Cyber Liability Insurance. Sixty percent of small companies go out of business within six months of falling victim to a data breach or cyberattack.[4] Cyber Insurance protects your firm from the high costs of a data breach or cyberattack. Coverages vary with the different insurance companies, but most policies will cover the cost of the ransom demand, the cost of forensic investigators to help identify how the breach occurred, and can even provide coverage for loss of business income as a result of a breach. You will also have a team of experts that will help you through this difficult process. These experts know the reputation of the different hackers and can advise whether paying the ransom should provide your firm with working files. They will work with your IT team to determine if your backups can produce undamaged files (unfortunately, we have seen backups compromised). These are just a few of the benefits a cyber insurance policy can offer.

In the past, cyber insurance policies for A/E firms were relatively inexpensive and very easy to obtain. There was not a lot of historical claims data for professional services firms. Unfortunately, the number of ransomware attacks and cyber breaches has skyrocketed recently and insurance companies are paying high claims. Realizing that their policies were underpriced, many companies have increased their rates and require higher deductibles. Understanding that many of these breaches could have been avoided, underwriters are also reviewing previous losses more closely and implementing stricter loss control and cybersecurity requirements. In fact, most cyber insurance companies will not offer a policy (new or renewal) if you do not have MFA.

Cybersecurity and Cyber Insurance are two investments you should make for your firm. From what we have read and what the underwriters are telling us, MFA is one of the best cybersecurity tools that can help prevent most breaches. Do not wait for a cyber incident to occur to evaluate your firm’s controls. Start the process now of implementing MFA. And if you want to discuss options for Cyber Insurance, we are happy to help.


[1] https://www.infosecurity-magazine.com/news/tech-execs-mfa-prevent-90-of/ 

[2] Email: Is the Digital Door Propped Open for Identity Hijackers? Multi-Factor Authentication Helps Shut Cyber Criminals Out.

[3] https://www.onelogin.com/learn/mfa-types-of-cyber-attacks 

[4] https://cybersecurityventures.com/60-percent-of-small-companies-close-within-6-months-of-being-hacked/