Cyber threat defense for mid-sized businesses in today’s digital landscape
Cyber and Technology | Article | September 26, 2023
By Robert Malone, VP, Head of Middle Market Professional Liability and Cyber, Zurich North America
Defending against cyber risks is no longer a matter of choice for mid-sized businesses; it's a necessity in today's digital landscape. While headlines often focus on cyberattacks against Fortune 500 companies, mid-sized and smaller organizations are equally susceptible, if not more so due to their limited cybersecurity resources.
Sadly, cyberattacks on mid-sized companies are increasing even as these businesses continue to underestimate their risks. According to a report by the National Center for the Middle Market, cyberattacks on mid-sized firms have been steadily increasing, with many breaches going undetected for extended periods.
Safeguarding mid-sized businesses from data theft, ransomware and disruptions
Cyberattacks take various forms, from data theft and ransomware to disruptions in specialized industry software. Most often, a network incursion is intended to steal and misuse customer or business information for financial gain. Email attachments containing malicious code can launch malware designed to invade and corrupt data. Ransomware locks access to network data until a ransom is paid. An attack on software running highly specialized equipment used by a particular industry — such as CAD equipment used in construction or diagnostic medical equipment used by hospitals and clinics and made by just one or two manufacturers — could disrupt an entire business segment at once. Network access that you provide to your essential service providers also poses certain vulnerabilities to your business.
GDPR and the CCPA impose strict reporting requirements and potential fines for breaches
Magnifying the risks is mounting regulation designed to protect citizens against the impacts of cyberattacks on personal data within the systems of businesses and other organizations. With the advent of Europe’s General Data Protection Regulation (GDPR) in 2018, U.S. companies of any size that collect personally identifiable information on EU citizens, such as online merchandise orders, may be subject to potentially huge fines if breaches are not reported within very strict timeframes. In the U.S., the restrictive California Consumer Privacy Act of 2018, slated to take effect in 2020, may become a template followed by other states.
Among the factors exposing middle market businesses to growing cyber risk is that many hackers correctly view smaller firms as backdoors into the networks of larger organizations. This may be the case when a client relationship requires the smaller firm to have access to a larger entity’s network. Because hackers know that mid-sized firms probably do not have defenses as effective as their larger partners, the smaller enterprise represents a softer and more attractive means to an end.
Steps to strengthen cyber defenses for mid-sized businesses
Strengthening cyber defenses should be a priority for all mid-sized businesses. This begins with accepting that a cyberattack is not a matter of "if" but "when."
Developing cyber incident response plans with the guidance of cybersecurity professionals is crucial. Regular vulnerability scans can identify potential weak points in the network. When considering cyber risk, it is unfortunately still true that the human factor is the weakest link. Employee training is essential to raise awareness of cybersecurity best practices, such as identifying phishing attempts and practicing good password and internet security protocols. Cyber risk training needs to be formalized and given the same emphasis as safety and operational training on critical business equipment, with the assistance of outside expertise if necessary. Such assessments can bring mid-sized firms up to at least a minimum level of resilience and security awareness.
Encrypting data and implementing strong authentication protocols are critical measures. Even if hackers penetrate network security, any encrypted data they access will be unusable without the appropriate key. Networks should also have strong authentication and authorization protocols, be they username/password combinations, certificates, tokens, or other techniques to help assure only authorized users may gain access. And, of course, keeping antivirus and malware defenses up to date is essential to counter the ever-evolving tactics of cybercriminals.
Moreover, mid-sized businesses should consider professional cyber risk insurance solutions, like the Zurich Cyber Insurance Policy – Concierge Suite. Zurich's Cyber Risk Management team offers a comprehensive approach to cyber risk management, aligning with industry standards such as those found in the NIST Cybersecurity Framework. This holistic approach combines in-house expertise with trusted external vendors, providing a multi-dimensional view of cyber risk management.
In a world where new cyber threats emerge daily, proactive measures and effective planning are essential for mid-sized businesses to enhance their cyber defenses and resilience. Recognizing that every business, regardless of size or industry, is at risk is the crucial first step toward comprehensive cyber risk management. By taking these steps, mid-sized businesses can safeguard their networks, data and overall business viability in an increasingly digital and interconnected world.
Cyber risk management solutions for mid-sized businesses: Enhanced protection and resilience
Zurich North America has taken proactive steps to address the pressing issue of cyber risk management for mid-sized businesses by introducing the Zurich Cyber Insurance Policy – Concierge Suite. This innovative offering is tailored specifically to cater to the unique needs of middle market businesses, which often lack the extensive cybersecurity resources of larger corporations but face equally serious cyber threats.
Zurich’s policy not only provides Cyber Insurance coverage but also offers valuable loss-prevention and resilience services. These services include access to a breach coach and a 24/7 cybersecurity hotline, making it a turnkey solution that simplifies and enhances cyber resilience for this growing and vital segment of the economy. Middle market businesses are particularly vulnerable to cyber threats, and Zurich’s solution aims to bridge the cyber resource gap by providing cost-effective protection and essential services.
By offering this solution, Zurich is not only addressing a crucial need but also helping safeguard the future of middle market companies in an increasingly digital world.
Middle market companies interested in Zurich’s cyber policy should contact their broker or visit the Zurich Cyber webpage for more information.
The information in this publication was compiled from sources believed to be reliable for informational purposes only. All sample policies and procedures herein should serve as a guideline, which you can use to create your own policies and procedures. We trust that you will customize these samples to reflect your own operations and believe that these samples may serve as a helpful platform for this endeavor. Any and all information contained herein is not intended to constitute advice (particularly not legal advice). Accordingly, persons requiring advice should consult independent advisors when developing programs and policies. We do not guarantee the accuracy of this information or any results and further assume no liability in connection with this publication and sample policies and procedures, including any information, methods or safety suggestions contained herein. We undertake no obligation to publicly update or revise any of this information, whether to reflect new information, future developments, events or circumstances or otherwise. Moreover, Zurich reminds you that this cannot be assumed to contain every acceptable safety and compliance procedure or that additional procedures might not be appropriate under the circumstances. The subject matter of this publication is not tied to any specific insurance product nor will adopting these policies and procedures ensure coverage under any insurance policy.