Following up on our recent chat with Amy Goldsmith, today we sit down with Sean O’Rourke to discuss cyber resiliency for small- and mid-sized businesses.
Sean O’Rourke is a cyber liability consultant for Combs & Company, an insurance brokerage and consultancy headquartered in New York City. Sean works with small- and mid-sized businesses to mitigate the financial risks posed to their technology and data by internal and external threats. Sean spent 20 years in the IT arena, so he has a unique perspective on cyber liability and the potential disruptions faced by businesses in today’s data-driven world. Sean is also the host of the YouTube channel interview series, Did You Know That?
What exactly is cyber resiliency?
At its most basic, cyber resiliency is the ability of a business to survive a cyber incident. My mantra is that when it comes to cyber incidents, it’s a matter of when, not if, your business will experience one. So when business and IT talk about cyber, it’s more important, or just as important, to survive an event as it is to prevent one. THIS IS A BUSINESS PROBLEM.
In your estimation, are businesses ready to survive a cyber event?
So the pessimist in me will give you a blanket no. I mean the New York Department of Financial Services just released a report (October 14, 2020) on the Twitter hack that faulted Twitter for not having a CISO [Chief Information Security Officer], standard access controls, multi-factor identity confirmation procedures, among many other standard IT protocols you’d expect a multi-billion dollar enterprise to have in place. The realist in me, though, will tell you that some businesses are more prepared than others, but the majority in the SMB [small- and mid-sized businesses] market are going to experience serious disruptions to their businesses even from the most basic of cyber incidents.
Before we get to what SMBs can do to be more resilient, can you talk about what types of cyber incidents you’re talking about?
Without getting into the minutiae of various cyber incidents, the ones that most plague SMBs are ransomware attacks, business email compromise fraud, email phishing, and digital data theft. Obviously that list could go on for days, but these are the ones SMBs are most likely to experience.
So why aren’t you advocating for better security to stop these incidents as opposed to surviving them?
Because there’s no way to stop them. If your business is targeted, there’s no amount of money you can spend or technology you can deploy that would stop hackers from getting in. Plus, according to some studies, the majority of cyber incidents are caused by human error. Someone clicks on an email attachment they shouldn’t, or visits a website they shouldn’t, or a myriad of other shouldn’t’s that expose the business. So, defend as best you can, but prepare to properly respond as well.
What does a cyber resiliency plan look like?
At its core, a resiliency plan is how a company will respond to a cyber incident. Those companies with a solid plan are a good example of cooperation between the business side of a company and IT.
So, the way I learned to build one: you first determine your vulnerabilities. Data, core systems, communication tools, and the like. You then prioritize them as to which would be most painful to lose, for whatever reasons. For some companies it will be data; for others, line-of-business systems; for some, it may be their phone systems. Once you have them prioritized, then business and IT meet to go over a series of “what if” scenarios for each identified vulnerability. And there will be multiple scenarios per vulnerability.
These tabletop exercises should assign processes, procedures, responsibilities, protocols, and on and on to all business and IT personnel and departments. The plan should take the company from the moment of discovery to the final resolution of a legal or regulatory matter.
And you say small- and mid-sized businesses can do this?
Absolutely. The less IT complexity, the more straight ahead the responses should be. It’s not a matter of cost to build a resiliency plan, it’s a matter of time and will. You have to want to do it and be committed to making it happen. Don’t get me wrong, it’s a lot of work. But at the end of the day, given the current state of cyber affairs, if I still owned a business, I’d sleep better at night knowing this plan was in place.
OK, final question. Where does cyber insurance fit into all of this?
Ideally, the insurance is part of your resiliency plan, not a substitute for it. That said, there’s a current disconnect in the SMB marketplace. Most stats I see say SMBs aren’t investing in cyber insurance and aren’t building resiliency plans, so they’re rolling the dice. That baffles me. Why would you gamble with such a high out-of-pocket expense like cyber when a moderate premium offers such expansive backup protection?
I think the old mindset of “it won’t happen to me,” or, “I have nothing anyone would want” still has a hold. It also doesn’t help that the media virtually ignores the hundreds of thousands of SMBs that have experienced destructive cyber incidents. So they don’t realize they are a target, whether on purpose or by accident. SMBs are in a tough spot, but they do have options. From here, it’s just a matter of whether they take advantage of any.