When it comes to cybersecurity, Andrew Laubmeier, Senior Vice President and Midwest Cyber Practice Leader with Lockton Companies, is a true expert. Over the last few years, cyberattacks have risen astronomically, leaving thousands of companies’ information and employees vulnerable. Laubmeier provided insight on the increased volume of cyberattacks, as well as the benefits of cyber insurance, and how BSCs can better protect themselves against threats.
Laubmeier asserted that all companies are at risk for cyberattacks and that many business owners may not even recognize major risks.
“Just because you don't have data, it doesn't mean you don't have cyber risk,” said Laubmeier. “There's a connotation that cyber risk is a risk that's only for the IT experts to handle, when in reality, it's also a human risk. On the technical side, there are a few big areas of focus right now, including multi-factor authentication and access management. On the human side, you need to execute phishing training and build a culture of security awareness to minimize risks.”
With the rise in cyberattacks, many have wondered why there has been such a stark increase in breach events. Laubmeier explains that the transition to remote work during the pandemic lent itself to more attacks.
“Right when the pandemic hit and remote work became more common, we saw ransomware devastate companies of every size and industry class,” said Laubmeier. “It's really been a giant wake-up call for corporate America. Boards of directors and C-suite executives are now asking a lot of questions. We’ve seen a stance shift from reactive to proactive.”
According to Laubmeier, some companies may be more vulnerable than others when it comes to cyberattacks.
“Various industry classes have treated cybersecurity with varying levels of seriousness. Those big three industry classes, retail, financial institutions, and healthcare, have been worrying about cyber for a decade because of the breaches from 2014 to 2016,” said Laubmeier. “Hackers are looking for low-hanging fruit from a cybersecurity standpoint; they have the capabilities to scan organizations’ networks for unpatched endpoints and systems. So, making sure your systems are not out of date is really the first line of defense in ensuring your company and employees aren’t vulnerable to cyberattacks.”
In addition to carefully managed system updates, Laubmeier speaks to the myriad benefits of cyber insurance as an extra layer of protection.
“The first point of coverage with cyber insurance is risk transfer. If you have a hack or a ransomware incident, the insurance will pay the claims defense damages. The second main factor is access to vendors. Cyber insurers have a vested interest in keeping the costs as low as possible for their insurance when they get hacked. Most of all, almost all cyber insurance policies come with a panel of vendors that you can choose from in the event that you have an incident so you're not scrambling.”
Additionally, Laubmeier spoke to some of the most common cybersecurity threats relative to BSC business owners.
“There are really three big threats right now. The first, unsurprisingly, is ransomware. Regardless of what you do, you're going to rely on systems and technology to get things done. What may vary is the amount of time until an outage hits. The second is connectivity with customers’ networks. If one of the BSC business owners happens to service a customer who has smart building technology, and you may have access to that system, that can be a very quick way into your customer’s network. The final one is business—compromised emails and social engineering. This is not as much of a cybersecurity issue as it is a human minute manipulation issue. An example would be if one of your employees receives an email claiming to be from the CFO requiring a quick wire transfer for an acquisition that's going on over the weekend, and the finance department has to wire those funds, only to find out that that wasn't your CFO.”
Laubmeier concluded by speaking to the ways in which BSCs can better protect themselves against cyberattacks moving forward.
“There are five main things. The first is having access management under control, and access management is simply preventing individuals who shouldn't access critical systems from accessing them. The second would be having a strong backup strategy in place, so when a ransomware incident hits, the first thing everyone recommends is restoring from backup. The next would be phasing out end-of-life software. As soon as an organization stops issuing updates to software, it becomes a vulnerability. Then there would be patch. Microsoft rolls out their patches for their system, which is a quick fix to systems or critical software that have been identified over the last week. The last is to educate and train. Training and educating people about what to look for regarding potential wire transfer frauds, regarding potential phishing emails, is really important, because all it takes is one click. All we can do is educate and communicate. It's incumbent upon organizations to make sure their people know what to look for and how to prevent things.”
Andrew Laubmeier, Lockton Companies