Having the right technology controls in place can vastly impact the cost of cyber insurance and claims eligibility.

Hackers are aggressively targeting small and medium-sized businesses: One in every three SMBs was hit with ransomware in 2024, according to research from Microsoft.

The luckiest businesses will never get breached or will have the incident response and backup and recovery plans in place to walk away unscathed. But even they are at risk of liabilities such as business disruptions, exposed data and fines. Not to mention, 94% of all ransomware attempts against SMBs in 2024 targeted backups, according to Sophos.

Enter cyber insurance. As more SMBs investigate first- and third-party coverage, they’ll encounter a slew of technical prerequisites. It’s crucial that they know what risks to cover and the requirements to qualify for that coverage in order to ultimately be eligible for a payout. 

Upfront Risk Assessments Save Time and Money

Many cyber insurance providers provide free risk assessments for businesses, but John Candillo, field CISO at CDW, recommends doing a little upfront work to smooth out the process and avoid getting blindsided.

“Insurers want to know how your business looks from the outside looking in,” he says. “A focus on this ahead of time can greatly improve your situation when it comes to who’s willing to underwrite your policy, but also what your premiums are going to be and how you’re answering questionnaires.”

Conducting an internal risk assessment and engaging with cybersecurity ratings companies such as SecurityScorecard or Bitsight can help SMBs be more informed policy shoppers.

“If you understand what the auditor is going to ask you and you’re prepared for it, the results of the audit are going to be way different than if you’re caught off guard,” Candillo says.

These steps get stakeholders thinking about what type of risk requires coverage. Cyber insurance can broadly be put into two categories. First-party coverage will protect against things such as breach response costs, cyber extortion costs, data-loss costs and business interruptions. Third-party coverage insures against risks such as breach liabilities and regulatory penalties.

The more you know up front about your risk profile, the easier it is to advocate for yourself during the underwriting process.

Proper Security Controls Are Necessary for Coverage

Inadequate cybersecurity controls can be a dealbreaker for cyber insurers, resulting in outright rejection or prohibitively expensive premiums.

“They’re going to have anywhere from 15 to 30 controls they’re going to ask about,” Candillo says. “But we call the most common things they ask about the big 12.”

  1. Multifactor authentication
  2. Privileged access management
  3. Remote access controls (such as VPNs)
  4. Endpoint protection and response
  5. Security information and event management
  6. Incident response plan
  7. Business continuity plan and disaster recovery
  8. Backup strategy
  9. Email security
  10. Security awareness training
  11. Third-party risk management
  12. Patching and vulnerability management

“They’re going to ask you very pointed questions,” Candillo says. “For example: Is every application accessible only through multifactor authentication? And they’re going to expect a yes or no answer.”

Phrases such as “yes, no, always, never, every and all” fall into a category Candillo calls absolutist language. Covering your bases isn’t just a matter of getting coverage; it’s also a matter of meeting certain requirements should you need to submit a claim.

“Don’t just answer yes or no,” Candillo says. “Take the PDF they gave you with the yes or no questions, export it into another format where you can actually qualify your answers and give as much information as possible.”

This added context helps businesses have a more complete picture of the controls they have in place and can round out answers in questionnaires as a possible defense in the event that an insurer attempts to deny a claim.

In terms of implementing the prerequisite technology, Candillo recommends working with a partner such as CDW with access to solutions from a variety of vendors.

“There are cheap ways to do it and there are expensive ways to do it,” he says. “SMBs are probably going to opt for the affordable way, as long as they know what that looks like.”

Cyber Insurance Isn’t a One-Time Thing

Most cyber insurance policies will need to be reviewed on an annual basis. Businesses will therefore have to complete questionnaires annually, and the questions being asked could change depending on shifting conditions in the threat landscape.

What’s more, many businesses will create an “insurance tower,” as they may require more than one insurer to achieve the desired level of coverage. While a common practice, this does multiply the work that goes into renewing policies each year. Candillo says this further underscores the importance of adding context to checklists.

“It’s something they have to deal with every year, and you may only hear about it once a year,” he says. “Without that additional context, it’s hard to get a lot of knowledge and experience around how the answers you give impact insurability, not to mention premiums.”

If you are looking for an expert to help you find the best solutions for your business, talk to GCInfotech about a free technology assessment.

Published with consideration from BizTechMagazine.com

Does it feel like your inbox is constantly bombarded by phishing scams? You’re not imagining it; phishing emails saw a dramatic uptick in the first half of 2024, a trend expected to be matched in the second half of the year.

Phishing Emails Are Laying Siege to Your Inbox

A report from security research firm Egress found a massive 28 percent increase in phishing emails between April 1st and June 30th, 2024, compared to January 1st and March 31st, with millennials being the most targeted demographic.

The constant rise in phishing emails is likely not a surprise to you, even considering seasonal phishing trends that attempt to use specific events to trick us. But what might be more of a surprise is that in some phishing campaigns, a malicious attachment is no longer the preferred method of catching you out.

Egress found that the number of phishing emails using a malicious attachment dropped by around 30 percent from 2021 to 2024, while phishing hyperlinks grew to become the most popular phishing method. The research attributes this shift to a few key changes in security practices; in short, most people know about malicious attachments, and organizations have gone to great lengths to block them. A malicious hyperlink, by contrast, is easier to disguise and more likely to slip past malware and phishing detection tools.

Impersonation Phishing Scams Are Also Rampant

My inbox receives its fair share of faceless, nameless phishing attempts, but there are also slightly better-quality impersonation phishing attempts. Egress calls these impersonation phishing attacks “commodity” attacks, but it’s just a new name for the same threat: “mass-produced, malicious campaigns that typically mimic spam by impersonating brands on a large scale.”

Between January 1st and August 31st, 2024, over a quarter of phishing emails impersonated brands, with a further 16 percent attempting to impersonate the recipient’s company (as part of spear phishing campaigns). As you might expect, the most impersonated brands are the biggest in the world, with Adobe, Microsoft, DHL, and others topping the lists.

But scammers are taking impersonation phishing to the next level, too. Instead of firing out millions of emails and hoping for a hit, some use multi-channel attacks to create a stronger illusion. In one example, Egress found scammers sending a phishing email impersonating Evri (a UK courier service), then following up the email with a malicious SMS (known as a smishing attack). The combination of messaging from a single source using related terms, tracking numbers, and so on is much harder to ignore than a random phishing email or SMS.

How to Spot Phishing Emails and Keep Your Inbox Safe

Egress’ findings are backed up by separate research from Abnormal Security, whose H2 2024 Email Threat Report saw a bonkers 350 percent increase in phishing attacks from 2023 to 2024.

And with the majority of these phishing scams attempting to exploit legitimate domains and email services and impersonate global businesses, it’s important to take a moment to familiarize yourself with how to spot a phishing email.

  • Unofficial Email Addresses That Look Legitimate: Phishers often use email addresses that closely resemble those of reputable organizations. For example, they might use “support@yourbank-secure.com” instead of the official “support@yourbank.com.” Always verify the sender’s address carefully.
  • Generic Greetings and Lack of Personalization: Legitimate companies usually address you by name. Phishing emails often use generic salutations like “Dear Customer,” indicating they don’t have your personal details.
  • Urgent or Threatening Language: Scammers create a sense of urgency to prompt immediate action, such as claiming your account will be suspended unless you verify the information. Be cautious of emails pressuring you to act quickly.
  • Suspicious Links or Attachments: Phishing emails may contain links that appear legitimate but direct you to fraudulent websites. Hover over links to see the actual URL before clicking, and avoid downloading unexpected attachments.
  • Poor Grammar and Spelling Errors: Many phishing emails contain noticeable grammatical mistakes or awkward phrasing, which can be a red flag. Professional organizations typically proofread their communications.
  • Unsolicited Attachments: Be wary of unexpected email attachments, especially if they prompt you to enable macros or contain executable files, as they may install malware on your device.
  • Mismatched URLs: Ensure that the URL in the email matches the legitimate website’s address. Phishers often use URLs with slight misspellings or additional words to deceive users.

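Several of the indicators above (a lookalike sender domain, a link whose visible text names a different site than its destination, a generic greeting, urgent wording) can be checked mechanically before a person ever reads the message. The following script is an added example written for this page, not code from the original article or from Egress or Abnormal Security. It assumes a small, constructed list of brands and their official domains (`OFFICIAL_DOMAINS`), a constructed sample message, and a deliberately crude "last two labels" notion of a registrable domain; a production filter would use a public-suffix list and far richer signals.

```python
"""Heuristic phishing-indicator checker (added example; the sample email and
the brand list below are constructed for illustration)."""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed: brands the recipient does business with and their official domains.
OFFICIAL_DOMAINS = {"yourbank": "yourbank.com"}
# Wording that pressures the reader to act quickly (indicator 3 in the list above).
URGENCY_TERMS = ("immediately", "suspended", "within 24 hours", "verify your account")
# Salutations that suggest the sender does not know who you are (indicator 2).
GENERIC_GREETINGS = ("dear customer", "dear user", "dear account holder")


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from <a> tags in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Crude eTLD+1: keep the last two labels. Fine for .com-style hosts in this demo."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def check_sender(from_header):
    """Indicator 1: the sender domain contains a brand name but is not the official domain."""
    _, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    findings = []
    for brand, official in OFFICIAL_DOMAINS.items():
        if brand in domain and registrable_domain(domain) != official:
            findings.append(f"lookalike sender domain: {domain} (official is {official})")
    return findings


def check_links(html_body):
    """Indicators 4 and 7: visible link text names one host, the href points at another."""
    collector = _LinkCollector()
    collector.feed(html_body)
    findings = []
    for href, text in collector.links:
        href_host = urlparse(href).hostname or ""
        # Only compare when the visible text itself looks like a URL or hostname.
        shown = urlparse(text if "://" in text else "http://" + text).hostname or ""
        if shown and "." in shown and registrable_domain(shown) != registrable_domain(href_host):
            findings.append(f"mismatched link: shows {shown} but points to {href_host}")
    return findings


def check_text(body_text):
    """Indicators 2 and 3: generic greeting and pressure to act now."""
    lowered = body_text.lower()
    findings = []
    if any(greeting in lowered for greeting in GENERIC_GREETINGS):
        findings.append("generic greeting")
    hits = [term for term in URGENCY_TERMS if term in lowered]
    if hits:
        findings.append("urgent language: " + ", ".join(hits))
    return findings


def analyse(raw_message):
    """Run every check over one RFC 822 message (single-part HTML in this demo)."""
    msg = message_from_string(raw_message)
    findings = check_sender(msg.get("From", ""))
    body = msg.get_payload()
    findings += check_links(body)
    findings += check_text(re.sub(r"<[^>]+>", " ", body))
    return findings


# Constructed sample: a lookalike sender, a disguised link, a generic greeting, urgency.
SAMPLE = """From: "YourBank Support" <support@yourbank-secure.com>
To: someone@corp.example
Subject: Action required
Content-Type: text/html

<html><body>
<p>Dear Customer,</p>
<p>Your account will be suspended unless you verify your account immediately.</p>
<p><a href="http://login.yourbank-secure.com/verify">https://www.yourbank.com/login</a></p>
</body></html>
"""

if __name__ == "__main__":
    for finding in analyse(SAMPLE):
        print("-", finding)
```

Run stand-alone it prints four findings for the constructed sample; a message from `support@yourbank.com` whose link text and destination agree produces none. The point of the example is the order of checks: header and link structure are inspected before wording, because those are the indicators an attacker controls least easily.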
With these tips, you’ll spot heaps more phishing emails and boost your security.


Published with consideration from MakeUseOf.com

A business continuity plan (BCP) can help your business mitigate the impact of unexpected disruptions such as natural disasters and cyberattacks, and keep your operations running smoothly. However, crafting an effective BCP requires careful consideration and planning. In the following sections, we’ll look at business continuity errors business owners should know and avoid.

Incomplete risk assessment

Make sure to conduct a comprehensive risk analysis that takes into account natural disasters, cybersecurity threats, supply chain disruptions, and other potential hazards. Failure to do so leaves your business exposed to disasters arising from risks you never identified.

Lack of employee training

Your business continuity plan is only effective if your employees understand their roles and responsibilities during a crisis. Insufficient training can lead to confusion, delays, and critical errors when trying to implement the plan. Conducting regular training sessions and drills will ensure everyone knows what to do in different scenarios.

Not testing the plan

Creating a robust continuity plan is not enough; it must be tested regularly. Unfortunately, many organizations overlook this crucial step, assuming that the plan will work when needed. Performing drills and simulations will help identify weaknesses in your BCP and provide opportunities for improvement.

Ignoring technology dependency

If you fail to address technology dependencies in your BCP, you can experience prolonged downtime and substantial financial losses. To ensure smooth operations in the event of a technology failure, identify critical systems and data, implement data backups, and have contingency measures in place.

Overlooking communication protocols

During a crisis, communication becomes paramount. Not having clear and effective communication protocols can hinder your ability to coordinate responses and relay critical information to stakeholders, employees, customers, and suppliers. Creating efficient communication strategies in the event of emergencies will ensure that everyone is aware of your company’s situation.

Neglecting supplier and vendor relationships

Your BCP should not be limited to your organization alone. Collaborating with important partners will allow you to develop joint business continuity strategies that will ensure your critical business operations will continue even when experiencing unexpected disruptions.

Insufficient insurance coverage

While insurance can’t prevent disasters, it can provide financial protection and aid in recovery. But relying on inadequate insurance coverage can expose your business to significant financial risks. Review your insurance policies regularly and revise them if necessary to ensure they align with your business needs.

Overcomplicating the plan

Another common error is developing a complex business continuity plan that is difficult to understand and execute. Keep the BCP concise, clear, and easy to follow. A straightforward plan is more likely to be effective during emergency situations.

Not adapting to change

Business environments are dynamic, and new risks can emerge over time. That’s why it’s imperative to stay vigilant and continuously improve your plan to stay resilient against evolving threats.

Protect your business from potential disasters by taking proactive steps toward a robust business continuity plan. Call us today to learn more.


Published with consideration from TechAdvisory.org

Distributed spam distraction (DSD) is a growing concern in today’s digital landscape. With the proliferation of spam emails and messages, individuals and organizations need to be aware of this disruptive cyberattack. In this article, we will explore the concept of DSD, its implications, and ways to mitigate its effects.

How DSD works

In a DSD attack, spammers employ various tactics. One common approach is to distribute the spam load across a large number of IP addresses. By sending relatively small volumes of spam from each source, spammers aim to avoid triggering alarms or raising suspicion. This technique is often referred to as “snowshoe spamming” due to the analogy of distributing the load across multiple points to minimize detection.

Another tactic used in DSD is the utilization of compromised computers or botnets. Spammers hijack a network of infected computers and use them for spamming activities. This approach not only increases the volume of spam, but it also makes detection more difficult because it involves multiple IP addresses and geographical locations.

Furthermore, spammers may employ techniques that mimic legitimate email traffic that make it harder for spam filters to distinguish between real and spam messages, increasing the chances of spam slipping through.
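The snowshoe tactic described above defeats a per-source volume threshold by design: no single IP sends enough to trip it. The defensive answer is to aggregate before thresholding, by network prefix and by the name each sender announces at HELO/EHLO. The script below is an added example written for this page, not code from the original article or from any product; the log format (`timestamp client_ip helo_name recipient`) and the sample log it generates are constructed, and the thresholds are illustrative.

```python
"""Snowshoe-spam detection by aggregation (added example; log format and data constructed)."""
import ipaddress
from collections import Counter


def make_sample_log():
    """Constructed inbound-mail log: 20 hosts in 203.0.113.0/24 each send 3 messages
    (60 in total, none of them loud on its own) plus one ordinary partner sending 4."""
    lines = []
    for host in range(11, 31):  # 203.0.113.11 .. 203.0.113.30
        for n in range(3):
            lines.append(
                f"2024-06-01T09:{host:02d}:{n:02d} 203.0.113.{host} "
                f"promo-mail.example.net user{n}@corp.example"
            )
    for n in range(4):
        lines.append(f"2024-06-01T10:00:{n:02d} 198.51.100.7 mail.partner.example user{n}@corp.example")
    return "\n".join(lines)


def parse_log(text):
    """Each line: '<timestamp> <client_ip> <helo_name> <recipient>' (constructed format)."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        _ts, ip, helo, rcpt = line.split()
        records.append((ipaddress.ip_address(ip), helo.lower(), rcpt))
    return records


def count_by_ip(records):
    """Messages per source address: the view a naive per-IP threshold sees."""
    return Counter(str(ip) for ip, _, _ in records)


def count_by_network(records, prefixlen=24):
    """Messages per /prefixlen block: the view that exposes load spread across a block."""
    return Counter(
        str(ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False)) for ip, _, _ in records
    )


def sources_per_helo(records):
    """Distinct sending IPs per HELO name; many addresses behind one name is a second signal."""
    seen = {}
    for ip, helo, _ in records:
        seen.setdefault(helo, set()).add(str(ip))
    return {helo: len(ips) for helo, ips in seen.items()}


def flag_snowshoe(records, per_ip_threshold=10, per_net_threshold=25, prefixlen=24):
    """Report blocks whose total exceeds per_net_threshold while every member stays
    under per_ip_threshold, i.e. exactly the pattern a per-IP rule cannot see."""
    by_ip = count_by_ip(records)
    by_net = count_by_network(records, prefixlen)
    flagged = []
    for net, total in by_net.items():
        network = ipaddress.ip_network(net)
        members = {ip for ip in by_ip if ipaddress.ip_address(ip) in network}
        loudest = max(by_ip[ip] for ip in members)
        if total >= per_net_threshold and loudest < per_ip_threshold:
            flagged.append({
                "network": net,
                "messages": total,
                "sources": len(members),
                "max_per_ip": loudest,
            })
    return flagged


if __name__ == "__main__":
    recs = parse_log(make_sample_log())
    print("loudest single IP:", max(count_by_ip(recs).values()), "messages (below threshold 10)")
    for hit in flag_snowshoe(recs):
        print("snowshoe block:", hit)
    print("distinct IPs per HELO name:", sources_per_helo(recs))
```

On the constructed data the loudest single address sends four messages, so a per-IP rule at ten sees nothing, while the /24 aggregate reports sixty messages from twenty sources and the HELO view shows twenty addresses sharing one name. In practice the same aggregation is done per autonomous system or per sending domain as well, and the block-level verdict feeds a reputation score rather than an outright reject.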

The implications of falling victim to DSD attacks

DSD can disrupt normal operations, drain network resources, and undermine trust in digital communication channels. This can lead to financial losses, identity theft, unauthorized access to sensitive information, and even compromise the security of entire networks.

Mitigating the effects of DSD

Addressing the challenge of DSD attacks requires a multifaceted approach. Advanced spam filters that employ machine learning algorithms and behavioral analysis techniques can help identify patterns and characteristics associated with spam messages. These filters can adapt and learn from new spamming techniques to improve their detection accuracy over time.

Collaboration and information sharing among organizations and security experts are also crucial in combating DSD. By sharing cybersecurity insights, threat intelligence, and best practices, organizations and experts can stay updated on emerging spamming techniques and collectively develop effective countermeasures.

Additionally, user education and awareness play a vital role. Individuals should be cautious when sharing their email addresses online, and avoid clicking on suspicious links or downloading attachments from unknown sources. Businesses should also regularly update their security software to mitigate the risk of falling victim to spam and other cyberthreats.

By understanding the intricacies of DSD and implementing robust security measures, organizations can minimize the impact of this cyberattack and ensure their inboxes remain free from unwanted messages. For more information about spam prevention, give our experts a call today.


Published with consideration from TechAdvisory.org

If you own or operate a business, you’ve probably adapted to a number of changes over the years. As you inch closer to year-end, it’s time to figure out what still needs to be done. One of those potential changes might be an upgrade to your network infrastructure.

When you look at making updates or adjustments to your business, you’re probably doing so in an effort to bring in a greater profit than the previous year. While updating your software or hardware might not provide an obvious benefit to your sales goals, it can help save your business quite a bit of money in the long run. It can even boost your sales and overall productivity when the right updates are put in place.

Here are four major benefits that come with updating your network infrastructure.

Faster Internet Connection

New technological advancements are made every day, and failing to keep up with them can hinder your business operations. This can be seen clearly with Internet connectivity. If your Internet speeds are slow, your employees will work at a slower pace. Client-facing applications will also lag, which can be detrimental to your customers’ satisfaction with your business. Investing in a new network will allow you to utilize faster Internet speeds so you and your employees can work more quickly with fewer interruptions; this will improve productivity and help more clients in an efficient manner.

Better Network Security

We talk about the importance of cyber security a lot, and it’s because one successful cyber-attack could bring irreparable harm to any business, regardless of reputation or size. Cyberthreats are more complicated than ever before, and cybercriminals can easily navigate old and outdated networks. Newer networks are built with more defenses to thwart would-be hackers. Even if you’ve recently upgraded your network, you need to continually update your software. New patches are continually released that help plug the holes cybercriminals are exploiting.

More Compatibility

An upgraded network provides business owners with more options than they could ever dream of. You’ll have access to countless applications that will benefit your business and give you a step ahead of your competitors, but your network needs to be as strong as possible to get the most out of them.

Less Time Maintaining Your Network

If you keep running your network on old infrastructure, you put more strain on your systems, and your IT person or company will have to step in to help out. Investing in modern infrastructure will help fix many problems in your business and will give your employees more time to be productive, including your IT specialists.

Now that you’re aware of the benefits of upgrading your network infrastructure, when should you do it? As your business grows, your network needs to grow with it. You will also need to upgrade if you’re experiencing any issues with your current network. If you work in an industry that deals with sensitive client information, like a law firm, you may be legally required to keep your network up-to-date as much as possible.

Upgrading your network and keeping it up to date will come with many benefits and few drawbacks. If it’s been some time since your last upgrade or update, it’s time to reevaluate your needs.


Published with consideration from TechAdvisory.org