Yeah. . .I said it. I’m sure it sounds pretty arrogant, coming from a provider of IT services. But as we are well into 2022, I’m absolutely convinced it’s true. Please hear me out. . .

A couple of years ago, I wrote about the hidden costs associated with small businesses trying to do their own IT. In that article I focused on the pitfalls of turning your technology over to a hobbyist to manage, including lost productivity & opportunity costs. All still true. But like many other areas, the pandemic has accelerated changes that were already underway. Specifically, the cybersecurity landscape has changed dramatically. Malware & ransomware are up 35%. Phishing is up 50%. Most small businesses simply don’t have IT processes in place to adequately combat these threats. Those that did have some rudimentary processes in place got blindsided when things went to work-from-home. As a result, the minimum standard of care has gone up - way up. The level of IT acumen that you got by with in the past by tasking one of your employees just isn’t good enough anymore. The cyber threats you face today are just too prevalent and the risks to your business are way too high for that now.

BUT ISN’T THAT WHAT WE HAVE BUSINESS INSURANCE FOR?

Well. . .first, you have car insurance but you don’t use it as a reason for not wearing a seatbelt, right? The same logic applies here. Further, most standard business liability policies don’t cover cyber incidents (check with your broker/agent). Normally, cyber insurance is either a rider on your business policy or it’s a separate policy unto itself. If you’ve had cyber insurance coverage in the past, it has tended to be a simple questionnaire asking for some very basic information about your business and technology practices, which was fairly easy to stipulate. Those days are over. With the rise in cybercrime, claims and insurance payouts have gone up exponentially. In 2020, cyber insurers saw loss ratios (percentage paid in claims vs premiums collected) rise to 73%. That’s simply not sustainable. So in response, insurers moved to make sure their customers were taking prudent steps to minimize their risks and exposures. Insurance is, after all, a risk-based business. That small basic technology questionnaire has become a very detailed 2-5 page questionnaire asking very specific questions about your technology processes. These questions include:

  • How often is security awareness training conducted?

  • If your staff can access e-mail through a web browser, do you enforce multi-factor authentication?

  • Do you use a next-generation antivirus that monitors for behavior as well as signatures in your organization?

  • Do you record and track all software and hardware assets deployed across your organization?

  • In what time frame do you install critical and high-severity software updates across your company?

  • Do you use a data backup solution?

    • Are backups encrypted?

    • How frequently is the ability to successfully restore data tested?

These are all pulled directly from cyber insurance questionnaires that we’ve helped clients complete this year and are just a small sample to illustrate the level of detail insurers are looking for. Insurers are not going to ask if you’re using Macs or PCs or if you’re big or small. These are examples of the protections and processes they want to see that you’ve implemented. If you’re not able to demonstrate that you’ve invested in managing the risks your business faces, then insurers are going to set your premiums accordingly - if they even offer to extend coverage. And what’s worse, if you have a cyber incident and it’s determined that you were not implementing the processes you said you were, your insurer will likely deny your claim and leave you to foot the entire bill. Very large companies are generally able to just write a (very large) check and make these problems go away. If you’re reading this, you probably can’t do that.

BUT WE’RE A VERY SMALL BUSINESS. WHAT CHANCE DO WE HAVE AGAINST DETERMINED BAD GUYS?

It’s true that with the right combination of time, talent, and motivation, any system can be breached. But that doesn’t mean you have to make it easy. After all, car thieves are very good at what they do but you always lock your car when you leave it, right? The same principle applies here. You know that even with prudent and sensible protections and processes in place a determined and capable bad guy can get in. But. . .those same protections and processes increase the amount of time, talent, and motivation required, prompting all but the most determined & capable bad guys to move on in search of easier targets. This is the investment in risk management that insurers are expecting to see now. In 20+ years of supporting Apple products in small businesses, I have yet to come across a company doing their own IT who is implementing more than one or two of these risk mitigation practices. So besides keeping your staff productive, deploying new computers, and answering support requests, an outside IT provider should have a key role in helping your business manage ever-evolving cyber risks.

If your cyber insurance questionnaire reads like it’s in a foreign language or you just don’t know where your company’s cyber risks lie, please feel free to reach out to us for a chat. But if you’re doing your own IT, please reach out to professionals to better understand your risks. The stakes are too high to leave it to a hobbyist.