Zywave FPN

Zywave Professional Front Page News - Monday, March 31, 2025

Navigating cyber risks: Brokers' role in helping SMBs and where to start

By David Lynders, Head of Insurance at Coalition

Navigating cyberspace can be complicated and daunting for small and midsize businesses (SMBs). It seems like we hear about another cybersecurity breach every day, and a quick search for “cybersecurity” produces endless articles discussing new threats to watch for and technical solutions that promise to mitigate risk. But it’s not realistic—or affordable—for SMBs to buy every product on the market, nor do most SMBs have the time, people, or resources to implement every best practice or sift through endless information.

That’s where cyber insurance brokers come in.

SMBs don’t need to be destined for “cybersecurity survival mode” forever

SMBs are hungry for succinct, actionable information from a trustworthy source. It’s one thing to read an article about a new vulnerability or security threat, but another to learn about best practices from someone who has a firm grasp of their business and understands the cyber landscape.

Brokers hold unique roles as knowledgeable third parties who can help bridge the gap between what solutions and advice are available and what an SMB needs. They can help businesses navigate the complex landscape, avoid fatigue, locate the best resources, and improve their cyber risk profile while ensuring they find the best insurance solution possible. Brokers can also explain the financial impacts of certain decisions and direct clients to up-to-date claims trends and other data on their organization’s specific exposures to help inform decisions.

Wearing so many hats can put a lot of pressure on brokers, and they may experience some analysis paralysis. However, getting an SMB started on a better cybersecurity journey doesn’t need to be complicated. There are several easy-to-implement, practical steps SMBs can take to improve their cyber posture and choose the cyber risk and insurance solution that's best for them.

Here are a few important ones to educate clients on to start.

Access controls are the keys to the kingdom

Access controls manage who can get inside a business’ digital doors, and one way bad actors circumvent these protocols is through compromised credentials. To address this risk, organizations should implement multi-factor authentication (MFA) on email, cloud storage, and other vital technologies. With MFA, users need two or more forms of verification to access a system, application, or account, and many platforms already have it incorporated as a requirement to use their applications.

Typically, MFA follows a clear format: Accessing an account requires “something you have” (like a smartphone) or “something you are” (such as a fingerprint) in addition to “something you know” (a password). When additional authentication factors are mandated, attackers can’t achieve their goals with compromised credentials alone.

SMBs could also turn to FIDO2, which uses biometric factors or hardware keys (passkeys) to enable users to access apps and websites without needing a username or password. While it may sound unconventional, it’s actually the gold standard for MFA, and it’s not expensive to acquire hardware authentication devices. If an organization uses MacBooks or high-end Windows systems, the feature may already exist in those devices’ fingerprint readers.

When a user signs up for a FIDO2-supported service, their device creates a pair of cryptographic keys: one private and one public. The public key is shared with the service, while the private key remains securely on the device. This way, when the user tries to access the service, only their device can log in: the service checks that the login request was signed with the private key, which it can verify with the public key but which no other device holds.
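The registration and login flow described above, as an added Go example that is not part of this article or of any Coalition product: the device generates an Ed25519 key pair, only the public key is sent to the service, and every login signs a fresh random challenge that the service then discards. The Authenticator and Service types are constructed for illustration and stand in for a real authenticator and relying party.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
)

// Authenticator models the user's device: the private key is generated here and never leaves it.
type Authenticator struct {
	priv ed25519.PrivateKey
	Pub  ed25519.PublicKey // the only part ever shared with the service
}
// Service models the relying party: it stores public keys only, plus the outstanding challenge per user.
type Service struct {
	pubKeys map[string]ed25519.PublicKey
	pending map[string][]byte
}

func NewService() *Service {
	return &Service{map[string]ed25519.PublicKey{}, map[string][]byte{}}
}

// NewAuthenticator creates the key pair on the device at registration time.
func NewAuthenticator() (*Authenticator, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Authenticator{priv: priv, Pub: pub}, nil
}
// Register stores the public key; no password or shared secret is exchanged.
func (s *Service) Register(user string, pub ed25519.PublicKey) { s.pubKeys[user] = pub }
// Challenge issues a fresh 32-byte nonce that the device must sign to prove it holds the private key.
func (s *Service) Challenge(user string) ([]byte, error) {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	s.pending[user] = c
	return c, nil
}
// Sign is the device-side step; a real authenticator gates it behind a touch or biometric check.
func (a *Authenticator) Sign(challenge []byte) []byte { return ed25519.Sign(a.priv, challenge) }
// Verify checks the signature against the stored public key and the outstanding challenge, then discards that challenge so a captured signature cannot be replayed.
func (s *Service) Verify(user string, sig []byte) bool {
	pub, ok := s.pubKeys[user]
	c, pending := s.pending[user]
	delete(s.pending, user)
	return ok && pending && ed25519.Verify(pub, c, sig)
}
```

A stolen password is useless here because no password exists, and a recorded signature fails on the next attempt because the challenge it signed has already been consumed.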

Email accounts are a critical place to focus defensive investments

Most cyberattacks originate in the email inbox, and it’s easy to understand why. Business email accounts are a treasure trove of valuable data for threat actors, rich with private conversations, customer information, and financial details. While spam filters can help defend inboxes by flagging suspicious emails that use keywords like “urgent” or ones that come from senders frequently associated with junk messages, the main risk still lies with an attacker compromising an employee or vendor.

Funds transfer fraud — a common cyberattack where bad actors redirect funds from their intended recipient for their own financial gain — used to be easier to recognize as users would receive emails littered with spelling or grammatical errors or strange formatting. But threat actors have evolved since then. Now, they use more advanced technology to locate personal information about employees and vendors and use it to trick businesses into thinking it’s someone they know and trust. Then, they leverage that relationship to create improved phishing attacks or send a fraudulent invoice.

Regular monitoring and auditing of email activity can help an SMB detect unauthorized access early and provide valuable records in the event of an attack. Managed detection and response (MDR) services can help businesses detect attacks faster by having a real human monitor their detection and response technologies 24/7 to manage any potential threat activity and mitigate the risk.

Data backups help safeguard businesses in the event of an attack

Reliable backups can be the last thing standing between SMBs and a hefty ransom payment, and ransomware gangs know this. Recent research found that 94% of organizations hit by ransomware said threat actors targeted their backups during an attack.

To protect against this, SMBs should follow the “3-2-1 rule,” which requires businesses to retain three copies of critical business data: one original and two backups. The two backups should be stored on two different types of media, and one of them should be kept at an offsite location.

SMBs must prepare for an incident

As the age-old cybersecurity proverb goes: “It’s not if you experience a cyber incident, but when.” Even with the best preventative measures, no one is immune to an attack. However, when adequately prepared, an SMB can minimize the damage and bounce back faster.

An essential part of improving cybersecurity posture is having a blueprint for handling a potential attack. If one doesn’t exist already, there’s no better time than the present to put together an incident response plan. It’s never too late for an SMB to review its current posture and budget for tools and training.

By assessing their current cybersecurity processes, SMBs can confirm whether they have the right protocols in place, evaluate whether their employees are familiar with reporting steps, and identify gaps they need to address. Tabletop exercises also present an opportunity for SMBs to contact their broker and determine where their cyber insurer could help fill in the gaps as they pressure test their processes. 

With cyber insurance coverage, businesses get access to breach counsel, crisis communications, digital forensics and incident response vendors, and more, who can help coach them through an incident if it does escalate into a full-blown attack. These services are often expensive on their own but more affordable if the business has an insurance provider that can help shoulder some of the financial burden.

Brokers help SMBs cut through the noise and remain cyber-secure

Brokers are invaluable assets for SMBs navigating the world of cybersecurity. They can sift through the vast amount of cybersecurity information available and identify practices that will genuinely enhance a business’ security posture, ultimately benefiting their cyber insurance premiums.

While the responsibility of helping organizations mitigate cyber risk—especially those with limited resources—can seem daunting, it doesn’t have to be. Brokers can collaborate with cyber insurance carriers to further cut through the noise and determine which actions will provide the most significant benefits to their clients.


David leads Coalition’s Portfolio Underwriting, Actuarial, Claims and Insurance Operations organizations. David draws upon 30 years of insurance experience, in underwriting leadership and as a broker. He is known for assembling high-performing teams, a strategic and proactive approach to the business, and a track record of prioritizing and delivering profitable results. Prior to Coalition, he held various roles at Falcon Risk Services, AIG, AXIS Capital, and Marsh.
