Cyber Security Archives – Systems Service Enterprises
https://www.sseinc.com
IT solutions and training built around serving commercial and government markets.
Fri, 01 Mar 2024 17:23:48 +0000

Working Remotely in the World of CMMC
https://www.sseinc.com/cyber-security/remote-access-policy-nist/
Wed, 11 Jan 2023 15:12:20 +0000

CMMC provides clear instructions on creating a controlled environment that safeguards Controlled Unclassified Information (CUI). So, in the hybrid work world we’re living in, how can you control your remote employee’s environment so they can safely access CUI without violating CMMC requirements?

Read on for more information about whether or not CMMC allows for remote work and how to safely integrate this into your CMMC-conscious cybersecurity processes.

Can DoD Contractors Work Remotely?

Remote work is permitted for Department of Defense (DoD) contractors in accordance with CMMC requirements and NIST 800-171 guidelines. Specifically, Control 3.10.6 requires implementing safeguarding measures for CUI at alternative work sites, including satellite offices, customer sites, and home offices.

It’s important to note that additional controls may be put in place to ensure the protection of CUI while working remotely.

CMMC Remote Access Requirements

Multiple NIST 800-171 controls deal with remote access to CUI. Of course, not all remote employees will need to access CUI outside of the company HQ, but for those who will, these controls are important to review to ensure your organization is fully compliant.

  • Control 3.10.6
    Enforce safeguarding measures for CUI at alternate work sites.
  • Control 3.1.12
    Monitor and control remote access sessions.
  • Control 3.1.13
    Employ cryptographic mechanisms to protect the confidentiality of remote access sessions.
  • Control 3.1.14
    Route remote access via managed access control points.
  • Control 3.5.3
    Use multi-factor authentication for local and network access to privileged accounts and for network access to non-privileged accounts.
  • Control 3.13.7
    Prevent remote devices from simultaneously establishing non-remote connections with organizational systems and communicating via some other connection to resources in external networks (i.e., split tunneling).

Best Practices for Personal Technology

Nowadays, finding someone who doesn’t own a personal smart device is uncommon. Of every cellular device in use today, nearly 77% of them are smartphones. This is important to consider when building your company’s remote access policy.

The National Archives CUI Program Blog outlines steps remote employees should take to protect access further:

  1. Make sure to change the default username and passwords for all internet-connected devices.
  2. Make sure you regularly update the firmware on your router, modem, and all connected devices. Many of these updates are pushed out to address known security vulnerabilities. Check with your company’s IT department or your service provider if you aren’t certain of this.
  3. Turn off and unplug unused devices, and consider disabling or covering cameras when not in use.
  4. Keep any security software or firewalls updated to the latest version.

Assessing the Risks and Benefits of Remote Work for DoD Contractors

Remote work can bring many benefits to companies, but it is important to consider the additional efforts and safeguards that may be required to ensure compliance with CMMC. If your company’s Department of Defense contracts outweigh the costs of compliance, it may be worthwhile to extend your scope to include remote access. However, with implementation of CMMC 2.0 in May 2023, it is crucial to start planning for compliance now.

SSE is Here to Help

Our experts are trained on the latest DoD requirements and can help assess your remote access and compliance standing. NIST 800-171 is law now and CMMC will be here before we know it. SSE, recognized by the CYBER AB (formerly the CMMC Accreditation Body) as a Registered Provider Organization (RPO), will help your organization achieve and manage CMMC compliance.

Schedule a complimentary CMMC Readiness Assessment today to get started!

How to Properly Manage Third-Party Risk
https://www.sseinc.com/cyber-security/third-party-risk-management-best-practices/
Fri, 09 Dec 2022 14:26:56 +0000

Every business works with third parties, from vendors and suppliers to contractors and partners. They help companies throughout their day-to-day operations, providing cloud services, sensitive data storage, and more.

While these third parties are essential, they have potentially significant cybersecurity risks. When cybercriminals are on the hunt for client data and networks, they most often target the third-party providers – not the company itself – so you must work with third parties you trust and those serious about security. 

Defining Third-Party Risk

Before choosing a third-party provider, you must understand how to evaluate third-party risk. Third-party risk is the likelihood that your company will experience an adverse event when choosing to outsource certain services or utilize software built by third parties for specific tasks. These adverse events may include data breaches, operational disruptions, and reputational damage. While outsourcing is often necessary, it’s risky as you do not have control over that entity’s business practices or processes. 

Third-party risks can vary depending on the type of business they work with and the information they are tasked with. The six main areas of third-party risk include: 

  • Cybersecurity | Attackers may access supply-chain links to silently infect systems and devices, then use third parties to launch further attacks against companies considered of higher value.
  • Regulatory/Compliance | This often results in data loss and data privacy violations, leaving principal enterprises open to punishment and liability. 
  • Financial | An action by a third party may damage the financial standing of an organization due to substandard vendor work or a defective component that slows business and reduces revenue.
  • Operational | An action by a third party may cause an operational shutdown, whether from a network hack or even a natural disaster. These can cause system lockdowns and disrupt usual operations.
  • Reputation | Choosing the wrong third party can create a negative public opinion of your company because of publicized security breaches, legal violations, poor customer interactions, labor practices or unfair treatment of workers.

Understanding these potential third-party risks can help you choose the right vendor. You can ask the right questions, look for any potential security gaps, or know what to be wary of when researching if an entity will be a good fit for your company or if you should steer clear.

What is TPRM?

TPRM, or third-party risk management, is the practice of understanding the risks third parties may pose to both your organization and the supply chain. Vendor risk management (VRM) programs can help identify, assess, and mitigate risks to financial assets and data that could be caused by a third-party vendor within the supply chain. Because there are many roles that third parties fill, TPRM is used as an umbrella to cover VRM as well as Supplier Risk Management, IT vendor risk, anti-bribery/anti-corruption (ABAC) compliance, contract risk management, and more.

Why Should I Care About TPRM?

TPRM should be top-of-mind for any business looking to outsource anything, as it will keep your company safe and profitable and help protect your customers and clients. The truth of the matter is that supply chain disruption risks are increasing as more third-party vendors are spread out around the world. Your business is subject to disruptions caused by whatever may be happening within that part of the globe, whether it’s major flooding, a hurricane, an earthquake, or a labor dispute. A business continuity plan must be in place to prepare for an unpredictable event. Otherwise, your business can suffer from monetary loss and loss of customers to the competition.

Caring about TPRM means you ensure the third parties you work with comply with regulations, protect confidential information, avoid unethical practices, strengthen supply chain security, and effectively handle disruptions to help sustain high performance and levels of quality. Some key trends in business practices today are helping drive the focus on ensuring your company has robust third-party management: 

  • Globalization – Organizations utilizing a global third-party network face many rules, policies, data, standards and regulations. 
  • Virtualization – Technology is dramatically changing operations, with companies choosing vendors to process critical business information through the cloud, virtual data centers, and hosted apps. Unfortunately, this transfers data outside the firewalls, leading to potential data breaches and security incidents. 
  • Social Media – Social media helps improve transparency, collaboration and efficiency across third-party networks, but it also brings security risks and privacy concerns for business-critical information. Social media should be leveraged to gather third-party intelligence while identifying and mitigating any risks. 
  • Mobility – It’s virtually impossible to go anywhere without seeing a mobile device, and for businesses, they make data even more accessible. Unfortunately, data spread across devices is more at risk of a security breach.

Third-Party Risk Best Practices

Luckily, several third-party best practices can be incorporated into your onboarding processes to ensure your business stays protected and uninhibited. Read on to discover the steps to take for better TPRM.

Assess Your Risk and Conduct Due-Diligence Checks

To efficiently handle your third-party risk, you must assess your current risk landscape. Take inventory of all the third-party vendors your company does business with. Examples of third-party service providers can include, but are not limited to:

  • Marketing companies
  • Consultants and advisors
  • Collaboration software
  • Project Management software
  • Manufacturers
  • Short and long-term contractors
  • Telephone companies
  • Delivery companies

Keep in mind that individual departments or teams may be using third-party vendors that all teams might not be aware of. In this case, consult your Finance department to get a comprehensive list of all vendors your company pays invoices to.

To aid your research, use content from sources like Regulatory DataCorp (RDC), Dow Jones, and D&B, which curate adverse media reports, sanction lists, Politically Exposed Persons (PEP), and other third-party data. Vetting your vendors against these resources is invaluable in identifying and flagging potentially high-risk third parties before they cause an issue.

Ideally, every third-party vendor should be vetted and go through due-diligence checks before a contract is signed.

Don’t Forget About Fourth-Party Vendors

It might feel like overkill, but it’s important to determine whether the vendors you’re engaging with are subcontracting their work to another company. These companies are Fourth-Party Vendors. Knowing whom your vendors rely on for goods or services is essential to maintain consistency and reliability in your supply chain.

Further, knowing if Fourth-Party vendors pose a risk to your company will prevent costly supply chain issues in the future.

Get Buy-in From Leadership

C-Suite and Upper Management’s buy-in for your company’s TPRM approach will set the tone for how diligently the rest of the company mitigates third-party risk. Making sure the powers that be are following these best practices, and enforcing them, will perpetuate a culture of good risk management.

Continuously Monitor Your Vendors

Simply performing third-party due diligence checks pre-contract or during onboarding is insufficient. 

Once you’ve assessed your current risk landscape, maintaining a consistent monitoring schedule is imperative to stay informed and ahead of third-party vendor disasters.

Many companies will rely on data screening providers, such as an experienced Managed IT Service Provider (MSP) or a Cybersecurity provider.

It is also a best practice to reference the industry standards for third-party risk management. Referencing TPRM leaders, like those listed below, will be invaluable information to incorporate into your company’s TPRM process:

  • Cybersecurity Maturity Model Certification (CMMC 2.0)
  • NIST 800-171

Partner with Cybersecurity Experts to Catch Third-Party Risk Before It’s an Issue

Mitigating third-party risk can feel daunting, especially in our current economic landscape. SSE provides best-in-class cybersecurity and managed IT services, so your data stays protected, and your vendors are actively monitored.

Contact us today to schedule a consultation and learn more about how our expertise and services will protect your business and your supply chain!

What are the Cost Factors of Cyber Insurance?
https://www.sseinc.com/cyber-security/cost-factors-of-cyber-insurance/
Thu, 20 Oct 2022 08:00:39 +0000

Over the past several years, the cyber insurance landscape has rapidly transitioned, and the average cyber insurance cost has increased substantially. Companies had a much easier time securing a policy in 2019 than today, due partly to the ever-increasing threat and sophistication of cyber attacks and partly to the immense cost of recovering from a ransomware attack over the past few years.

Despite higher cyber insurance premiums, having a policy is crucial in protecting your company in the event of a breach. But what factors impact the cost of cyber insurance for your company? Below we’ll discuss the most common factors that will have an effect on how much your cyber insurance premiums could be.

Common Types of Cyber Liability Claims

Cyber insurance claims typically fall under the following categories: hacking, social engineering, and malware attacks. Hacking is a relatively widespread cyberattack that results in insurance claims. Depending on where a hack has taken place, you could incur multiple losses, causing several damages and costs.

Factors Impacting Cyber Insurance Policies

When you apply for cyber insurance, insurance companies are looking for basic facts like your company size or location to determine the appropriate coverage and the level of risk the insurance company would be covering. Several considerations are taken into account, including:

Industry

Your industry is considered when determining the risk level for cyber insurance policies. Some industries, by nature, store more confidential data than others, and those organizations are considered higher-risk targets for cyberattacks, which can result in higher premiums.

Revenue

Companies with larger revenues have more to lose in a ransomware attack. Even though attacks can happen to companies of any size, larger companies can anticipate paying higher premiums for cyber insurance.

Amount of Sensitive Data Being Stored

Insurance companies might ask about the amount of sensitive customer data you’re storing and the number of transactions or amount of banking activity your company may process. Generally, the more sensitive the insured company’s data, the higher its premiums.

Security Protocols Already in Place

If you’re a well-fortified organization, insurance companies see you as a lower risk. Having the correct tool or technologies in place is important, but implementing and enforcing them properly will increase your security and protection.

Below are some cybersecurity controls to strengthen your company’s defense against a data breach.

[Image: cost factors of cyber insurance]

Source: https://www.marsh.com/us/services/cyber-risk/insights/cyber-resilience-twelve-key-controls-to-strengthen-your-security.html

Why You Need Multi-Factor Authentication

Multi-factor authentication (MFA) is a security measure that requires two or more credentials to verify someone’s identity. It can be used to create a layered defense against unauthorized access to information, accounts or even physical locations.

This simple step can massively reduce the likelihood of becoming the next victim of cybercrime. You should use MFA whenever possible, especially regarding your most sensitive data—like your business and personal email, your financial accounts and your health records.

There’s no one like you in the whole world…except the cybercriminal with your password. Don’t get hacked. Use multi-factor authentication.
https://20740408.fs1.hubspotusercontent-na1.net/hubfs/20740408/MFA%20Video%20Infographic.mp4

Who Needs Cyber Insurance?

A common misconception is that cyber criminals only target large companies with deep pockets. However, there’s been an alarming increase in ransomware attacks on smaller businesses since 2020 due to the COVID-19 pandemic.

In short, any company that stores information about clients or customers and performs electronic payments needs a cyber liability insurance policy.

Protect Your Company and Keep Cyber Insurance Costs Down with SSE

Staying on top of the latest cybersecurity tools and technologies is a daunting task for most companies to manage independently. By partnering with the cybersecurity experts at SSE, you’re ensuring your company’s protection while potentially saving you money on your cyber insurance premiums.

Schedule a consultation with us today to help identify any gaps and see how we can help protect your business.

6 Mobile Security Best Practices For Your Business
https://www.sseinc.com/cyber-security/mobile-security-for-business/
Tue, 20 Sep 2022 18:00:59 +0000

How we do business has become more mobile than ever with the ability to work from anywhere on smartphones, laptops, and tablets. This freedom of mobility comes with a risk, as these devices could end up putting your business information at risk. Taking the right precautions is important for keeping your company, employees, and clients safe from cybersecurity threats.

What is Mobile Security?

Any device that connects to the internet could be subject to hacking by a cybercriminal. In short, mobile security ensures your business and employees are safe from these potential dangers and helps prevent the risk of asset or data loss when using mobile computers or communication devices. Mobile security is essential, even on a personal level. Still, mobile security for business is even more so given the amount of data and information stored within the servers. Typically, devices are secured with perimeter constraints when employees are in one location, leaving smaller windows of vulnerability. By moving authentication and authorization to mobile devices, a variety of new capabilities increase the number of endpoints that require protection from threats.

6 Best Practices for Business Mobile Security

Before any mobile devices are considered for your business, it’s important to determine how mobile security will be handled. There are several best practices to put in place that will help your organization remain secure, whether you provide devices to employees or have a bring-your-own-device (BYOD) policy in place for people to use their personal equipment.

1.   Enable Multifactor Authentication

Anything we have the ability to move around is subject to getting lost or stolen. Setting up multifactor authentication (MFA) can help add another layer of security, ensuring that the person logging into the device is who they claim to be. The parameters for this MFA can be determined by IT based on the device’s risk conditions.

2.   Manage Devices with MDM

Mobile Device Management (MDM) allows organizations to enforce specific security compliance controls on devices. Some common profile and compliance settings include: 

  • PIN code and device encryption
  • Certificate-based authentication
  • Email configuration
  • WiFi configuration
  • Device feature permissions and restrictions
  • Block List and Allow List applications
  • Enforcement and automation of iOS and Android updates
  • Data loss prevention (DLP) configurations

MDM, in most cases, can manage various devices, whether they run iOS, Android, Windows, macOS, or occasionally Chrome OS.

3.   Keep Device Software Updated

Software updates are essential, not just for new features and capabilities but for security patches. Outdated software puts your devices at higher risk of being hacked. Many businesses simply encourage employees to update computers and phones regularly, but unfortunately, those updates don’t always happen, whether an employee gets busy or doesn’t usually restart their device regularly.

You can more easily implement regular updates by enforcing controls through an MDM. A member of the IT team can simply schedule a regular update across all similar devices simultaneously.

4.   Develop and Implement Remote Lock and Device Wipe Policies

When an employee decides to leave the company, or when a device is lost, what do you do to protect the business’ information? For those who quit and were using a company device, you’ll need to collect any and all equipment, allowing IT to restore it for the next user. However, if the device is not returned, or has been stolen or lost, your company needs to have the ability to lock the device or remotely wipe any data or information.

This policy may be more difficult to enforce with those using their own devices, but there are platforms available for both iOS and Android that keep enterprise and personal data separate, so if a lock or data wipe is necessary, it will not affect any personal files they may have stored.

5.   Utilize Cloud Backup

Cloud backup will allow your employees to still access data and information even if a device has been lost or stolen. Be sure the cloud backup service you utilize allows you to access version history of the files so you can go back to earlier versions if you suspect a file has been compromised.

You can also further safeguard your company’s information by setting up a cloud-to-cloud backup solution, and ensure your cloud network is properly secured, too.

6.   Keep End Users Informed

Even with excellent security and the best technology, your company’s mobile security best practices will only be the most successful when end users are kept informed. Users must be informed about the importance of regular updates on their devices, as well as given information about current threats and vulnerabilities to keep an eye out for potential attacks.

Understand Your Mobile Security Vulnerabilities with a Risk Assessment

Excellent mobile security for business requires various levels of protection. The best practices for mobile security require many vulnerabilities to be monitored, and if you don’t have the resources to handle or experience to implement these on your own, we can help. Consider a risk assessment of your current mobile security to determine your current, critical vulnerabilities and what you may need over time.

At SSE, we’re cybersecurity experts, including mobile security. Our comprehensive solutions will support your team as much or as little as you need. Interested in partnering to enhance your business’ mobile security? Let’s schedule an initial consultation.

Best Practices for Supply Chain Cybersecurity
https://www.sseinc.com/cyber-security/supply-chain-security-best-practices/
Mon, 25 Apr 2022 20:23:04 +0000

The global supply chain crisis has revealed some pretty glaring holes in even the largest enterprises’ cybersecurity plans. To ensure your organization’s supply chain stays protected from the increasing threat of cyberattacks, consider these best practices as you fortify your security.

Review Supply Chain Asset and Access Inventory

Keeping accurate and comprehensive documentation of hardware, software, updates, patches and the corresponding traffic habits is a critical first step in planning effective mitigation tactics, especially in the present remote work landscape.

On the other side, it’s important to audit and map all vendors, third parties and employees who have access to your company’s supply chain data and assets. Failing to do so creates a blind spot in security management, so putting in place clear, finite parameters will decrease your supply chain cybersecurity risk.

Strengthen Third-Party Risk Management

Internal security management is unfortunately no longer enough to ensure a secure supply chain ecosystem. Having security protocols and parameters in place with your third-party partners will lower your supply chain risks, while also protecting your critical suppliers.

Some examples of what third-party risk management can look like:

Perform Vulnerability Management and Penetration Testing for Supply Chains

Sometimes, we don’t know where our supply chains are vulnerable until something attacks them. Fortunately, you don’t have to be a sitting duck to determine your weak spots. It’s recommended to run vulnerability scans to fix bad database configurations and poor password policies, eliminate default passwords, and secure endpoints and networks.

These tests and scans reduce risk with minimal impact on your supply chain’s productivity or downtime.

Plan Incident Response and Execution for Supply Chains

When it comes to efficient supply chain management and cybersecurity, being proactive is the name of the game. Building an incident response plan for breaches, shutdowns or disruptions, and what to do in response is vital for any cybersecurity plan.

Not to mention, the metrics and learnings are useful to make decisions that can prevent attacks or incidents from occurring again.

Additional Supply Chain Risk Resources:

NIST: Best Practices in Cyber Supply Chain Risk Management

Keep Your Supply Chain Secure with SSE

Mitigating supply chain attacks can feel daunting, especially in light of recent news. SSE provides best-in-class cybersecurity services so your data stays protected.

Contact us today to schedule a consultation and learn more about how our cybersecurity services could help protect your business and your supply chain!

Remote Workforce Cybersecurity Checklist
https://www.sseinc.com/cyber-security/remote-workforce-security/
Mon, 04 Apr 2022 21:53:11 +0000

At this point, we’ve all grown accustomed to working remotely. But oftentimes, comfort becomes complacency, so we created a quick remote workforce security checklist to realign your teams.

Read on for ways to fortify your remote workforce cybersecurity practices.

Restate Your Standard Operating Practices

Your company most likely has a remote workforce security policy, so it’s important to refresh your team’s memory on what that is. Take some time to implement regular cybersecurity training that restates your security policies. This way, it’s top of mind for employees who might have gotten lax with their security practices.

However, if your company had to build a remote workforce security policy quickly, it’s possible that policy has not been revisited since its inception. If that’s the case, NIST provides wonderful resources for building comprehensive policies that help your organization mitigate the risk associated with a remote workforce. Cybersecurity, as a whole, has changed drastically from just a couple years ago. Familiarize yourself with the changing landscape and update your security plan as necessary.

Secure your VPN and Home Networks

Most companies utilize some type of VPN, but it’s a good idea to remind employees that they should be connected to the company VPN at all times when working.

If your company has been using Point-to-Point Tunneling Protocol (PPTP), it’s advised to upgrade to Layer 2 Tunneling Protocol (L2TP) to further protect against security breaches.

Educate Employees on Phishing

Phishing is a widely popular tactic for gaining access to sensitive business data, but the nationwide adoption of remote work has increased the number and severity of phishing attempts.

Most employees are foundationally aware of what to look for when it comes to phishing attempts, but it’s crucial to maintain consistent communication of the risks associated with careless email practices. Check out our blog posts on “Email Security Best Practices For Employees” and “Don’t Fall For These Classic Email Phishing Tactics” and feel free to share them with your team.

Stay On Top of Security Updates

One of the best ways to fortify security is to update devices regularly with the latest security updates. It can be difficult to coordinate mass updates cross-company, but it’s important to maintain an efficient patch management program.

Upgrades are optional. Updates are not, or at least they shouldn’t be. An update that is not applied places your computer, network and critical data at risk.

Don’t Opt for the Hands-Off Approach to Patch Management. SSE’s Network and Security Services can help you manage the process and handle the software updates for you.

That’s one less thing for you to worry about.

Work With SSE

We realize that staying on top of all of these best practices presents quite a challenge for most internal IT teams. SSE provides best-in-class cybersecurity services so your data stays protected and your employees stay safe with our all-in-one managed IT service offering – a complete technology solution for any small to mid-sized business.

Contact us today to schedule a consultation and learn more about how our cybersecurity services could help protect your business!

Email Security Best Practices for Employees
https://www.sseinc.com/cyber-security/email-security-best-practices/
Fri, 25 Feb 2022 21:21:50 +0000

For the most part, email security best practices have remained consistent. Don’t click unknown links. Avoid easy passwords and block spammers. However, email is, by far, the most common mode of communication for employees (an estimated 306.4 billion emails were sent each day in 2020!), so it’s important they understand the security risks associated with their email inboxes and how to practice good email security etiquette.

Share this easy reference guide on the email security best practices with your team to ensure your company’s network stays secure.

Create Strong Passwords

Your password is like the front door lock. All hackers have to do is pick the lock, and they’re in. Having a strong password is a no-brainer these days, but the password game has become what can feel like an Olympic sport. Coming up with new, complicated passwords every 3 weeks can take up a lot of time, and require a fantastic memory to maintain.

With more than 180 million people defaulting to “12345” or “123456789” as their password, there’s a reason password requirements are so essential to follow.

Ingredients for a Secure Password

There’s a fine line between a good, strong password and a password that’s too difficult to remember. Studies have shown that a passphrase, as opposed to a password made of a long string of various symbols and numbers, is more user-friendly and harder for hackers to crack.

Some requirements to keep in mind when coaching employees on password selection:

  • Avoid using birthdays, student IDs, hometowns or anything else personal
  • Use both upper and lower case letters
  • Include numbers and special characters
  • Use phrases instead of words

Establish Password Reset Schedules

Find what works best for your organization, but establish a schedule in which employees should reset their passwords for their email accounts.

A rule of thumb is that employees should change their passwords every 90 days; however, at least annually is highly recommended.

Use Two-Factor Authentication

If your password is the front door lock, two-factor authentication is the second deadbolt. Two-factor authentication requires a unique code in addition to your password, usually delivered by SMS, email, voice call or a time-based one-time password (TOTP) app.

This extra layer of security has become the norm for many applications, software and websites and helps keep company data out of the hands of hackers.

Know the Signs of Phishing

Spam, spoofing, phishing, spearing and whaling. We’re all familiar with those predatory emails that occasionally pop up in our email inboxes. As the years pass, phishing emails continue to get more sophisticated. Therefore, it’s important to brush up on the current phishing tactics being used and keep your employees educated.

Never Access Emails While on Public Wi-Fi

Public Wi-Fi and business laptops don’t mix. The issue is that every cell phone out today typically can function as an “on-demand” Wi-Fi hotspot. This means the person sitting next to you could have shared their own hotspot and named the SSID the same as a nearby business.

As a result, instead of connecting to Starbucks, you may inadvertently be connecting to their hotspot. This allows them to be a “man-in-the-middle” between you and your email provider, where they can potentially capture all traffic, including your passwords.

The simple solution is to use public Wi-Fi only for accessing non-password sites such as news or entertainment sites. Encourage your coworkers and employees to leverage their mobile hotspot when in public and, as a last resort, to always use your company’s VPN when connecting remotely. VPN software does not prevent your data from being intercepted; however, it does encrypt all data from your device to your destination.

Take Cybersecurity Seriously

When educating your employees and coworkers, highlight the importance of not only email security, but cybersecurity as a whole.

Establish cybersecurity training processes and develop cybersecurity awareness initiatives to educate and motivate employees to follow best practices.

Work With SSE

Simply put, we’re cybersecurity experts. From email security to network security, we help companies across all industries fortify their networks and protect their data from whatever gets thrown at them.

Contact us today to schedule a consultation and learn more about how our cybersecurity services could help protect your business!
Emerging Threats and Best Practices for Your Business | SSE Cybersecurity Course – April 2021 https://www.sseinc.com/cyber-security/sse-cybersecurity-course-april-2021/ Mon, 26 Apr 2021 00:00:00 +0000 https://www.sseinc.com/?p=19643

Has Your MSP Been Breached? https://www.sseinc.com/frontpage-article/has-your-msp-been-breached/ Mon, 07 Dec 2020 14:50:05 +0000 https://www.sseinc.com/?p=19170

You’re only as secure as the company handling your IT services, right? If they’re vulnerable to cybercriminals, then so are you. You can’t only be thinking about your cybersecurity. You have to consider your MSP’s cybersecurity as well.

You hear about small businesses and massive enterprises getting hacked on nearly a daily basis. It’s regular news at this point, so you probably tune it out, right?

Even still, ransomware is a big threat to businesses like yours:

As dangerous as ransomware is for you, unfortunately, your security isn’t all that matters…

Is Your MSP A Target For Ransomware?

It’s especially dangerous when an MSP gets hacked, because they often have access to all their clients’ data. In effect, all their clients are hacked as well. Third parties involved with your business, either directly or in concert with your MSP, are a part of your supply chain. How they perform affects how you perform.

Is Your MSP Secure?

You need to be confident that your MSP can protect you, as well as themselves. If you’re at all unsure, then do your due diligence and inquire about their security standards and practices. Ask how they are protected from cybercrime, and what makes them different from other IT companies that have been hacked.

SSE Delivers Cybersecurity Expertise You Can Rely On

The SSE team understands that our cybersecurity is just as important as the cybersecurity we manage for our clients. Over our 30+ years in business, we’ve gained extensive experience in protecting both our business and our clients’ businesses against cybercriminal attacks.

Our team provides cybersecurity and technology services for organizations throughout the United States in multiple highly regulated industries, and we are available to help you develop a robust cybersecurity defense.

Cybersecurity Is About More Than Just Your Cybersecurity

If you truly have your success in mind, you need to manage your third parties effectively — or your MSP should be doing it for you.

You can find out about our cybersecurity standards in three simple steps:

  1. Book a meeting with our team at a time that works for you.
  2. Let us assess your cybersecurity, and demonstrate our own.
  3. Get back to focusing on your business instead of worrying about your cybersecurity.
Are You Waiting To Get Cyber Insurance? https://www.sseinc.com/frontpage-article/cyber-insurance/ Tue, 27 Oct 2020 19:22:15 +0000 https://www.sseinc.com/?p=19003

Playing the waiting game is dangerous — once it’s too late, there’s no going back.

Are you hoping you won’t get hit by a cybercrime attack?

That’s a dangerous hope to hold on to. After all, 43% of all breaches involved small businesses in 2019.

We recently talked to a local business owner who experienced an IT nightmare: they got hit by ransomware and had no way to protect themselves.

For some time, they had been considering investing in cyber insurance. You hear about it more and more these days — it’s essentially a policy that covers your costs of recovery after you get hit by malware.

Needless to say, this business owner is sorry they waited to invest. They just kept assuming they’d have more time, that they could budget it in the next quarter or the next year.

This is the kind of assumption a lot of businesses make — since they haven’t been hit yet, they never will.

If that sounds familiar, then you should start thinking about your cybersecurity and investing in cyber insurance sooner rather than later.


What Is Cyber Insurance?

Often referred to as cyber liability or data breach liability insurance, Cyber Insurance is a type of stand-alone coverage recommended by any professional cybersecurity company.

Cyber Insurance is designed to help businesses cover the recovery costs associated with any kind of cybersecurity incident, including:

  • Breach And Event Response Coverage: A very general and high-level form of coverage, this covers a range of costs likely to be incurred in the fallout of a cybercrime event, such as forensic and investigative services; breach notification services (which could include legal fees, call center, mailing of materials, etc.); identity and fraud monitoring expenses; public relations and event management.
  • Regulatory Coverage: Given that a range of organizations (such as The Securities and Exchange Commission, the Federal Trade Commission, the Department of Homeland Security, and more) have a hand in regulating aspects of cyber risk in specific industries, there are usually costs that come with defending an action by regulators. This covers the costs associated with insufficient security or “human error” that may have led to a privacy breach. Examples may include an employee losing a laptop or e-mailing a sensitive document to the wrong person.
  • Liability Coverage: This type of coverage protects the policyholder and any insured individuals from the risks of liabilities that are a result of lawsuits or similar claims. Put simply, if you’re sued for claims that come within the coverage of the insurance policy, then this type of coverage will protect you.
  • Cyber Extortion: This type of cybercrime event is generally a form of a ransomware attack, in which a cybercriminal keeps encrypted data inaccessible (or, alternatively, threatens to expose sensitive data) unless a ransom is paid. Coverage of this type addresses the costs of consultants and ransoms, including cryptocurrencies, for threats related to interrupting systems and releasing private information.

Do You Actually Need Cyber Insurance?

You may not be required by law to have cyber insurance. However, certain compliance regulations, depending on the industry, do recommend it. Cyber Insurance policies are offered by a variety of insurers, and policy prices and exclusions vary widely among different providers.

Odds are you’ll need cyber liability insurance in one form or another at some point, which is why it’s wiser to invest now. At the very least, you should get a quote on a policy so you can make a properly informed decision.

Don’t Overlook Proactive Cybersecurity Protection

As important as cyber insurance is, don’t forget that it’s simply one part of an effective cybersecurity defense. You also need to protect your organization proactively.

SSE Inc. can help. Our team provides cybersecurity and technology services for organizations across the United States — we are available to help you develop a robust cybersecurity defense, minimizing the chance that you’ll ever have to make a claim on your cyber insurance.

You can start improving your cybersecurity in three simple steps:

  1. Book a meeting with our team at a time that works for you.
  2. Let us assess your cybersecurity and address any vulnerabilities we find.
  3. Get back to focusing on your core business instead of worrying about your cybersecurity.