How to decrease security liabilities for SMBs: Look at cyber risks through the eyes of an insurer

Márk Szabó and James Shepperd

While not an option for all small and medium businesses (SMBs), cyber insurance is explored here as a catalyst to discuss security preparedness for today’s increasingly complex threat landscape. Companies have to find secure ways to navigate that landscape to conduct at least some of their operations: to stay relevant, manage commerce and logistics, and build and maintain their visibility and reputations. Cyber insurance, then, stands as a rear-guard precaution against risks that might periodically result in a security breach.
 
Many cyber insurance policies exclude specific security issues. In particular, insurance providers are more likely to deny coverage when a breach results from a known software vulnerability that the company failed to act on despite having access to vendor-supported updates. IBM Security’s Cost of a Data Breach Report 2022 shows that 13% of security breaches are attributable to vulnerabilities in third-party software, so insurers’ reservations are well founded. Businesses that fail to address third-party software vulnerabilities leave themselves in a weak security state and lengthen the time needed to identify and contain a breach, which averages 284 days. This saps the capacity of security admins and raises costs at the same time, endangering the business. So, while cyber insurance stands as a rear-guard precaution against acute risks, it is high-quality vulnerability and patch management that truly keeps watch.

Vulnerability assessment and patch management help address the security shortcomings of SMBs

Vulnerability assessment and patch management are often a requirement of cybersecurity insurance offerings, which should be unsurprising, as the security landscape requires fast action whenever a threat arises. Managing vulnerabilities is a core activity of IT security. For businesses that are otherwise focused on their core competency, it addresses a potential shortcoming by making them less liable in the case of a cyberattack, and less likely to suffer an interruption of business continuity or a breach resulting from an unpatched known vulnerability.

This is important, as the average cost of a data breach in 2022 was calculated to be close to $4.35 million, and a recent ServiceNow study conducted by the Ponemon Institute found that 62% of victims say their breaches occurred because of unpatched vulnerabilities they weren't aware of. What’s worse, according to the same study, at least 60% were breached due to known vulnerabilities, in which case they would be directly liable and would likely have their coverage waived.

To keep ahead of attackers, vulnerability and patch management provide the tools needed to report on and manage issues. Many companies need help managing patches and updates across their entire network; without it, patching is often delayed or incomplete, exposing their endpoints to attack. Additionally, identifying and prioritizing vulnerabilities by severity can be difficult and time-consuming, leading to inefficient allocation of resources and increased risk.

SMBs looking for model practices to chart their vulnerability and patch management journeys need not search far: managed service providers (MSPs) have this at the core of their business model, where it was central to their service offer even before they began providing endpoint security for clients. This demonstrates the necessity of high-quality administration of vulnerability assessment and patch management, and explains why a majority of SMBs have opted to outsource this responsibility along with other complex security-related needs.

Indeed, since small businesses might not be inclined, or may simply fail, to stay informed about the cyber liabilities and vulnerabilities that could devastate their business, a basic understanding of available coverage and of the IT security infrastructure and process alignments the policies require is a great starting point. Understanding this baseline shows what proper handling demands from both the insurance provider’s and the client’s side. On the client’s side, that role can be filled by a mature IT security admin or, alternatively, by an MSP/MSSP, which can offer enterprise-grade endpoint security and cover both of the critical vulnerability and patch management (V&PM) tasks.

The growing burden of technology adoption vs. cybersecurity

Prioritization of cybersecurity must grow in line with the exponential adoption rate of digital technologies. A standout example is the continued march by business to the cloud, a reality demonstrated in IBM Security’s Cost of a Data Breach Report 2022, which shows an increased proportion of breaches (45%) occurring in cloud-based environments. Businesses managing security in-house must therefore take seriously a growing number of basics, with vulnerability assessment and patch management at the foundation. MSPs, which have demonstrated that they are adept at enabling digital transformation and administering cloud-based applications, are also vital in improving the safety of their clients by covering this foundation. When implemented and maintained alongside endpoint security, vulnerability assessment and patch management are frontline tools for mitigating cyberattacks, including supply-chain, zero-day, and phishing attacks, at a time when users are increasingly targeted.

As a reminder of both change and progress in handling the evolving threat environment, businesses of all sizes have increasingly focused on detection and response capabilities. However, areas connected with the prevention phase, such as vulnerability assessment and patch management, should not be neglected.

How ESET can help with vulnerability and patch management

The need for proper vulnerability and patch management (V&PM) solutions is ever-present, and for SMBs, whether making in-house investments or investing in outsourced MSP solutions, there are great opportunities to integrate potent automated and easy-to-use security solutions.
 
“As cyberattacks keep evolving and security demands become increasingly complex, we have been working hard to ensure that our enterprise-grade offerings are able to clearly reflect the changing needs of businesses of all sizes as they navigate the threat landscape,” said Michal Jankech, ESET Vice President of SMB and MSP Segment. “We are here to help. With the upcoming July launch of ESET Vulnerability and Patch Management for ESET PROTECT, we will provide a pathway to swift remediation, helping keep both disruption and costs down to a minimum for businesses,” continued Jankech.

Following the lead of insurers, addressing inefficiencies in detecting vulnerabilities, managing patches and executing updates across entire networks is a foundation of good security practice. SMBs want an easy-to-use solution that will keep them safe. The customizable patching policies in ESET Vulnerability and Patch Management will give businesses the flexibility and control to patch their endpoints promptly and optimally, minimizing the risk of attack. Adopting this capability also helps them adhere to increasingly stringent cybersecurity insurance and regulatory requirements and meet the standards of various ISO requirements, which in turn provides an accurate reflection of their security environment.