Vulnerable is one of those words that seems to get thrown around a lot without much attention being paid to what it actually means. Everybody knows Superman is invulnerable (except for Kryptonite, of course). But what about the rest of us?

We don’t have to go any farther than the first definition at to find out how vulnerable we really are:

vulnerable (adjective):
1. capable of or susceptible to being attacked, damaged, or hurt

We’re susceptible to being attacked, damaged, or hurt even as we get out of bed in the morning. And it certainly doesn’t get any better after that.

Not You?

We could suggest your drive to work in the morning is fraught with vulnerability and go on from there. But given our line of work, we’re much more concerned with what happens at work, what could happen to your business, and how vulnerable your networks, your data, and your people are every day. And that vulnerability has nothing to do with the size of your business.

According to Byars Wright:

With more than 70% of cyber-attacks hitting small businesses, companies need to realize that it’s not just multimillion-dollar industries these hackers are going after. Small businesses are now a prime target since they’re less likely to have the infrastructure or security measures in place to prevent an attack. Whether this is due to a lack of budget needed to beef up cyber-security, or not believing anyone would want to hack them in the first place, the fact remains that even if the hacker obtains 30 personal information records, it’s a win for them …

  • 54% of small businesses had data breaches involving customer and employee information in the past 12 months.
  • 52% experienced a ransomware attack, and 53% had more than two ransomware incidents in the past 12 months.
  • The average cost due to damage or theft of IT assets and infrastructure was $1,027,053, in addition to $1,207,965 for disruption to normal business operations.

Is there a cost to cybersecurity protection? Yes. But what’s the cost of not having it?

The Bottom Line

The bottom line that could affect your bottom line is that hackers are like pickpockets at the carnival: They’re there because you are. They want what you have. However underhanded or illegal it might be, they’re just doing their jobs. And they’re getting better at it all the time.

It’s your job to protect yourself.

That’s why we’re here.

There’s an old saying that goes like this: “Wherever you are, that’s where you are.” We could never decide whether that’s really profound or really obvious. But it doesn’t matter. What does matter is a question we get all the time.

Whenever we talk to companies about cybersecurity, someone always asks, “Where do we start?” The answer is, “Wherever you are.” That means — whether you’ve done a little or a lot to protect your company from cyber attack — the best place to start is with the next logical step.

If you haven’t done anything, we’ll start with a gap analysis: How prepared are you for an attack? What’s your ability to recover? We’ll assess the level of vulnerability of your remote access points and the ease with which your networks and systems could be compromised. Then we’ll categorize your risks and prioritize our remediation efforts.

Next, we’ll act like hackers and do our darnedest to breach your environment. That will enable us to evaluate your network, your software, your security controls, and your defenses. Beyond that, we’ll keep an eye on your IT infrastructure to make certain it remains secure and compliant. We’ll even monitor dark web data for evidence of data theft, immediately reporting breaches or abnormalities. And we’ll help you prevent or minimize risks to your operation and your reputation from hacked or exposed credentials.

If You Already Have Some Protection

If it ain’t broke, there’s no need to try to fix it. Start from the most recent thing you’ve done and build on it. Fortify your defenses. Shore up your firewall. Replace your end-of-life network equipment. Check all of your perimeter and internal defenses and system configurations to ensure they’re as tight and secure as they were when you put them in place. And make sure you keep them up to date.

Attempted cyberattack is no longer if. It most definitely is when. You owe it to yourself, your company, your people, and your customers to make sure you’re prepared to ward off those attacks and to recover from them should they occur.

Wherever you are on your journey to cybersecurity, that’s where you start your efforts to become more secure.

We don’t know if that’s profound. But it’s necessary, now more than ever.

If you’re an insurance company — especially if you sell cyber liability coverage — and if you’re not yet awake to the fact that your data, all of your digital assets (including personally identifiable information or PII), and some of your hardware are at risk, this would be a good time to get up and at ’em.

The September/October edition of Claims Magazine features an article entitled, “CYBERSECURITY: Key Threats Endangering Insurers”. We don’t mean to be alarmist, but it’s alarming:

Insurers are smarting from the relentless attacks on their computer networks by hackers … 82% of the world’s largest insurers are vulnerable to phishing … During 2021 alone, hackers exposed the PII of 1.5 billion users … insurers specializing in cybersecurity insurance find they are of even greater interest to hackers, given that the stolen details of cyber-insurance policies also offer hackers a bird’s-eye view into the amount of ransom an insurer has agreed to pay for its insured.

Three aspects of this are particularly alarming to us: (1) That it’s happening at all. (2) That it’s happening to this extent. (3) That it’s so preventable, but so few companies are preventing it.

Forewarned is Forearmed

Conventional wisdom says knowing you have a problem, and admitting it, are the first steps to resolving it. They’re also the first steps to protecting your business and its digital assets. Cybercrime is. It exists. That’s a problem. There’s no denying the evidence. Since there’s so much evidence, you can’t claim not to know it. And if you know it and admit you’re at risk because of it, you can fix it.

Start with an audit. Examine your environment and your infrastructure to determine your level of preparedness and to determine your ability to recover from cyberattacks or data breaches. If you discover weaknesses, identify compliance gaps in your IT infrastructure. Evaluate your points of remote access. Assess your authorization levels for access to networks and systems. Analyze your perimeter and internal defenses and system configurations. Categorize the risks and prioritize remediation efforts. Then conduct penetration testing: Use scanning tools and act like hackers to evaluate your network, your software, your security controls, and your defenses.

Better yet, call us and we’ll do all that for you. That’s why we’re here.

And that’s why our customers trust us.

Some instances of cause and effect are easier to see than others. Case in point: The proliferation of cloud computing and the corresponding rise in cybercrime. Add a global pandemic and the necessity for remote work and the networks, the cloud-based infrastructures, the file sharing, and the digitalized service required to enable that remote work, and you have a world-class recipe for hacks, breaches, and data thefts.

According to VMware, cloud networking is defined as:

a type of IT infrastructure in which some or all of an organization’s network capabilities and resources are hosted in a public or private cloud platform … and available on demand … These network resources can include virtual routers, firewalls, and bandwidth and network management software, with other tools and functions available as required.

Public or private cloud platforms — servers — are vulnerable enough. But the means by which those cloud platforms transmit data to the devices on which software and applications are used are an even bigger liability.

Do the Tighten Up

You can reduce the risks of cloud computing significantly with a few simple steps:

  • Prioritize. Not everyone in the organization needs access to everything. Limit the number of authorizations you grant and manage them carefully.
  • Use a password auto-generation and management tool. If you think Herb in accounting might use Herb123, you won’t be the only one to think so.
  • Use MFA. Multi-factor authentication (MFA) schemes that pair a username and password with an auto-generated authentication text will stymie hackers and protect your data.
  • Encrypt. Translating your data into unreadable code that requires a key to unlock ensures only authorized users have access to it. Use encryption to protect email, as well.
  • Become a control freak. Third-party apps can be gateways to trouble. Know which ones you’re using. Read all the reviews you can before using them. Read the fine print. Then read it again.
  • Watch the phish. Remote workers especially can be susceptible to phishing attacks, malware, viruses, and other threats. Rule #1 is be suspicious. Rule #2 is don’t open anything you don’t recognize. As Dr. Johnny Fever from WKRP in Cincinnati once said, “When everybody’s out to get you, paranoid is just good thinking.”
  • Back it up. Make sure all of your data is backed up, preferably in multiple locations. If you act as if a breach is inevitable, you’ll never be sorry.

The Moral of the Story

Cloud computing requires you to keep your head out of the clouds.

If you’re not sure how to do that, we’re here to help.

Those of you who remember the 1975 film, Jaws, likely remember the line from one of its trailers: “Just when you thought it was safe to go back in the water.” Along similar lines, just when you thought it was safe to imagine the cyber insurance market was coming under control, there was this from […]

We remember a wise man once saying to us, “Never trouble trouble, till trouble troubles you.”

We thought of that during a conversation with a prospect the other day. He asked if we thought adding cybersecurity protection — and buying the cyber liability insurance for which his protection would qualify him — was inviting trouble.

“How so?” we asked.

“Well,” he said, “if hackers know I’ve gone to the trouble of securing my network and my data — and if they know I’ve purchased cyber liability insurance — they’ll think I have something valuable to protect.”

“You do have something valuable to protect,” we said, “your business, your assets, and your working relationships with your customers and partners.”

“Yeah,” he said. “But if I advertise that fact with all these cybersecurity measures and an insurance policy, won’t they think I’ve thrown down the gauntlet?”

“No,” we said. “They’ll think you’ve gotten smart and safe.”

Better Safe …

We also remember the line from Batman, in which Bruce Wayne says to Vicki Vale, “It’s not a perfect world.”

The fact is the world becomes less perfect as it becomes more complex. It also becomes more dangerous for the vulnerable and more advantageous for those who choose to prey on the vulnerable.

According to Statista:

Between November 2020 and October 2021, there were almost 24 thousand cyber security incidents worldwide. From this total, 2,065 incidents were detected in small companies. The professional and public administration sectors were the most targeted with 3,566 and 2,792 reported incidents respectively.

Also according to Statista:

Between November 2020 and October 2021, 5212 organizations worldwide experienced data breaches. Among selected industries, financial firms saw the highest number of data violations. Regarding organization size, smaller ones were victimized by data breaches more than large companies.

The common thread there is smaller companies.

Don’t Settle

If you’re a smaller company, you don’t have to settle for inadequate cybersecurity protection. You don’t have to settle for the exorbitant cyber liability insurance premiums you’ll be charged if you’re not adequately protected. You don’t have to settle for being vulnerable in a world of increasing risk and proliferating cybercrime. And you don’t have to be like the guy in the comic strip at the top of this post.

Be smart. Be safe. Be protected.

On August 29th, NU PropertyCasualty 360 ran an article called, “Mitigating the effects of a malware attack”. It said this, in part:

When cyberstalkers go phishing, it can lead to ransomware attacks and the loss of valuable information … The goal of any cybercriminal is to make money through an attack. Access can be gained through systems that have not been updated or patched, but frequently these bad actors get into networks through phishing attacks … attacks are definitely on the rise and cybercriminals are accessing targets through email, phone calls and text messages.

Well, yeah. And we wondered what took so long for an article to present those facts.

The Threat is Real

According to the Federal Trade Commission, phishing is defined as:

a type of online scam that targets consumers by sending them an e-mail that appears to be from a well-known source – an internet service provider, a bank, or a mortgage company, for example. It asks the consumer to provide personal identifying information. Then a scammer uses the information to open new accounts, or invade the consumer’s existing accounts.

That threat is real enough for personal accounts and financial data. So, imagine the magnitude of the threat as it pertains to your business accounts and financial data. But you can take a number of steps to protect your assets from phishing attempts:

  1. Back up your data regularly and keep system and application patches and updates current.
  2. Install a firewall, use spam filters, and encrypt your data.
  3. Install anti-malware, anti-virus and anti-spying software and security monitoring applications.
  4. Teach your people to ignore suspicious email and to report suspected breaches.
  5. Control access to your data and your systems, and keep a record of all system interactions.
  6. Use alerts, flags, or banners to warn people when an email originates outside of your company.
  7. Train your people to spot phishing attacks and run tests to see who can tell a spoofed email from a legitimate one.
  8. Use a password manager that will only allow domains stored in the password manager to auto-populate credentials.
  9. Report imposters to your IT security team so they can find internal compromises and block further inbound emails from look-alike domains.
  10. Notify business partners and remind them not to accept changes in payment instructions without calling you first to validate.
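Steps 6 and 9 above are usually enforced at the mail gateway, and one check can serve both: tag mail from outside the company with a banner, and raise a stronger warning when the sender’s domain imitates the company’s own. The code below is an added example, not something from the original post; it assumes the company domain is example.com (a constructed placeholder) and uses constructed From: headers as input.

```python
from email.utils import parseaddr

# Assumption: the company's own mail domain (constructed placeholder).
COMPANY_DOMAIN = "example.com"
# Characters commonly swapped for look-alikes; hypothetical, not exhaustive.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})

def sender_domain(from_header: str) -> str:
    """Lower-cased domain of the real address in a From: header ('' if none).
    parseaddr ignores the display name, so '"it@example.com" <x@evil.net>' -> evil.net."""
    _, address = parseaddr(from_header)
    return address.rpartition("@")[2].lower()

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance computed with one rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def normalize(domain: str) -> str:
    """Undo common homoglyph tricks: examp1e -> example, exarnple -> example."""
    return domain.translate(HOMOGLYPHS).replace("rn", "m").replace("vv", "w")

def is_lookalike(domain: str, trusted: str = COMPANY_DOMAIN) -> bool:
    """True when the domain is not the trusted one but could pass for it at a glance."""
    if not domain or domain == trusted:
        return False
    # Subdomain bait such as example.com.evil.net, or example-com.net.
    if domain.startswith(trusted + ".") or trusted.replace(".", "-") in domain:
        return True
    norm = normalize(domain)
    # Pure homoglyph swap, or a single-character typo of the trusted domain.
    return norm == trusted or edit_distance(norm, trusted) <= 1

def classify(from_header: str) -> dict:
    """Decide which banner, if any, the mail gateway should prepend for this sender."""
    domain = sender_domain(from_header)
    lookalike = is_lookalike(domain)
    external = domain != COMPANY_DOMAIN
    if lookalike:
        banner = f"[WARNING: sender domain imitates {COMPANY_DOMAIN}]"
    elif external:
        banner = "[EXTERNAL]"
    else:
        banner = None
    return {"domain": domain, "external": external, "lookalike": lookalike, "banner": banner}

if __name__ == "__main__":
    # Constructed sample From: headers, not real mail.
    for hdr in ['Herb <herb@example.com>', 'Vendor <billing@vendor.net>',
                'IT Support <helpdesk@examp1e.com>', '"herb@example.com" <h@evil.net>',
                'Accounts <ap@example.com.evil.net>']:
        print(f"{hdr:45} -> {classify(hdr)['banner']}")
```

The look-alike test is deliberately a flag rather than a block, so a near-miss from a legitimate partner domain lands in front of a person instead of silently disappearing.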

Or …

All of those 10 things will help protect you and your company from phishing attacks.

But the fastest and easiest thing you can do is call us.

Supply chains seem to be making news these days, especially since the COVID-19 pandemic threw a monkey wrench into them. But physical supply chains may be the least of your worries. Here’s why:

A simple definition of supply chain is this: A network between a company and its suppliers and partners. The operative word in the definition is network, and that network is presumed to be physical. On the other hand, defines a digital supply chain like this:

A digital supply chain is a set of processes that use advanced technologies and better insights into the functions of each stakeholder along the chain to let each participant make better decisions about the sources of materials they need, the demand for their products and all of the relationships in between.

The operative phrase in that definition is advanced technologies. And that makes all the difference.

You Ain’t Seen Nothin’ Yet

Supply chain attacks had probably been around for a while. But, like everything else, it took the proverbial Big One to bring the threat to prominence. In this case, the Big One was the SolarWinds hack that left 18,000 organizations — including Fortune 500 companies and myriad federal government agencies — vulnerable. That was followed by the Kaseya hack and others, signaling the fact that there would be more to follow. Since technology is constantly evolving, so are the methods by which innumerable bad actors defeat security measures and leave your business, your customers and partners, and your digital supply chain exposed.

Does that mean you should panic? No. It means you should be prepared and vigilant.

Safety First

To determine your level of preparedness, you should perform a vulnerability assessment to identify the weaknesses in your network. Conduct penetration testing to determine how easily your network can be hacked. And monitor your entire infrastructure to detect potential points of exposure as hackers become more adept at breaching networking environments.

The bad news is, just as there are no guarantees in life, there’s no such thing as a completely impregnable network. But here’s the good news: You don’t have to be smarter than everybody else. You just have to be smarter — better prepared and more preemptive — than the guy who’s trying to hack your system and wreak havoc on your digital supply chain.

And as it turns out, that’s exactly why we’re here.

Okay. We admit the title of this post is a gotcha. But it’s also relevant to cybersecurity. How? We thought you’d never ask.

Consider: If the earth were flat — and unless it was two-sided like a sheet of plywood — it would always be daylight because it would never turn away from the sun. We suppose, on the other hand, that if the earth were more like a flying carpet and the sun rotated around it, the top would be light at times and the bottom would be light at other times. This is exactly why we’re not astronomers.

But because we’re cybersecurity professionals — and even if we weren’t reasonably sure the earth is round (we are) — the fact is while it’s light here, it’s dark there (wherever here and there are) and vice versa. And that brings us to relevance.

Let There Be Light

There’s a common misconception that the majority of cyberattacks are undertaken at night. That’s not true. But even if it were, it means somewhere in the world, in broad daylight, bad dudes are working hard to hack your digital environment while you’re sleeping. Since that’s true, the reverse is also true: Somewhere in the world, under cover of darkness, bad dudes are working hard to hack your digital environment while you’re wide awake.

To us, it really doesn’t matter if it’s dark or light. We don’t want bad dudes breaching our customers’ digital environments at any time of day or night. That’s why we do what we do.

Here are a few more thoughts: Viruses and ransomware don’t carry watches. They don’t care what time it is or that the earth is round. Neither does risk. That’s why it’s constant. You shouldn’t care, either. Regardless of what time it is, breaches and data theft are devastating and costly.

The actual time of day notwithstanding, if your environment is hacked, it’s going to be 0-Dark-30 for you, your business, your reputation, and at least some of the companies with which you do business.

We grant our bias, but that’s not a risk worth taking, day or night.

It is now.

Some people think IT and cybersecurity measures inhibit or reduce the efficiency of their businesses. At one point, that may have been true. That was then. This is now.

Given the proliferation of hackers and the corresponding numbers of cybersecurity attacks, cybersecurity is now a necessity. It’s also a competitive advantage. Here’s why:

First, keeping your systems, your data, and other assets secure makes it easier for others to do business with you, especially those who are sharing access to their own systems, data, and other assets. Second, being certifiably secure makes it easier for you to get cyber liability insurance, which adds another layer of protection to your assets. Third, IT and cybersecurity protection also adds protection to your reputation. The last thing your business needs is publicity about cyber vulnerability, an attack, or the theft of data.

On the Fence

If you’re not sure about your business’s need for cybersecurity, ask yourself these questions:

  • What’s your data-exposure risk?
  • How much of your data or data about you do your partners possess?
  • Is it protected?
  • Does communication with your partners put you at risk?
  • Is their email access secure?

Evaluating and asking these hard questions creates at least four opportunities for you:

  1. You can turn cybersecurity into a competitive advantage by protecting all the data for which you’re responsible.
  2. You’ll engender the trust of your customers with your ability to deliver on your commitments and to keep their data secure.
  3. You’ll be able to include a cybersecurity assessment or certification in your bids and proposals.
  4. You’ll qualify for more favorable cyber liability insurance premiums.

Cyber threats are a matter of when, not if. Even if you haven’t had any breaches yet, your business is under attack. But luck doesn’t last forever. And hope isn’t a strategy.

If you’re ready to secure your business from cyber threats, we’re ready to help.

Don’t leave your business or your customers at risk.