Cybersecurity is critically important for all businesses in all industries, including self-storage. And the increasing number and types of cyberattacks worldwide make cybersecurity even more important.
Cybercrime costs the global economy nearly $1.5 trillion a year, according to San Francisco-based Coalition Inc. It provides cyber insurance and cybersecurity tools designed to lessen vulnerability to cybercrime. Despite these costs, more than half of all businesses are underinsured and ill-prepared to manage and reduce risk, the company says.
Cyber Shockwaves
Coalition offered a webinar Feb. 15 on the cybersecurity industry and how increased cyberattacks, increased governmental regulations, and insurance capacity constraints “have sent shockwaves across the industry.” It also highlighted its offerings to mitigate these effects, including its:
- Online platform to “rate-quote-bind” in under four minutes
- Industry-leading policy form
- In-house breach response and forensics
- Risk management tools for all policyholders
Coalition’s production marketing manager, Sophia Kudlyk, and Kirsten Mickelson, who works in cyber claims, conducted the webinar. Mickelson described the state of the cyber market as “the cyber perfect storm.”
The winds in this storm include more brazen and sophisticated cyberattacks, including the high-profile Colonial Pipeline ransomware attack; increased regulatory actions requiring stronger privacy protections and quicker breach responses, and a ransomware executive order; and insurance carries pulling back because of capacity constraints and raising prices, as well as limiting coverage and adding endorsements, or both. All this is showing faster market effects from an insurance perspective.
These developments are occurring in the context of weakened protection of technology systems. The COVID-19 pandemic has increased the risk because it prompted more remote working, which opened the door to threats to unsecured technology.
Minimizing Risk
Coalition’s approach is to “underwrite like an adversary” from the cyber criminal’s opportunistic perspective and search for critical vulnerabilities, Kudlyk says.
“We look for what the threat actor does, for low-hanging fruit,” she says. “We’ve integrated technology to fight it. … We know a lot of threat actors may not specifically target industries … (but) we know certain industries that are more reliant on technology are more susceptible. We approach it from holistic technology perspective. We want to bring that information to our insureds and broker partners to reduce their risk. We provide continuous monitoring and support. We scan for threats and notify clients so they can mitigate before an attack.”
Mickelson discussed social engineering, accounts receivable invoice manipulation, and funds transfer fraud coverages. Transfer fraud is when funds are lifted from a business account either through a business email compromise on the part of a vendor or the business in question regarding a wire payment. It happens when you’re “tricked into parting with funds.” When Coalition is told this has happened, a big concern is money lost, but a bigger concern, and harder to find, is where it originated and the possibility it could happen again. The organization first helps get the money back as soon as possible.
Coalition has contacts at the FBI, CIA, and other law enforcement agencies, and it has the policyholder fill out a report of a breach. Coalition also has relationships with banks and either helps the policyholder with the required process or does it for them. If money has been stolen, the organization contacts the receiving bank immediately.
“Our goal is to make our policyholder whole,” she says.
Damage Control
An example of social engineering is when a bad actor spoofs a company’s LinkedIn profile and lists a job announcement, and someone applies for the fake job, Mickelson says. This impersonation of a business damages its reputation, which requires repair.
Calculating lost income from business downtime from cybercrime involves several factors. Does the organization have good backups outside its network? If so, this is the “biggest savior” because it minimizes downtime. Coalition provides coverage to get the business back up and running. If the breach involves “mission critical” data, “we need to consider paying the ransom,” because sometimes paying yields the least downtime for the policyholder.
Zach Fuller knows a lot about downtime caused by cybercrime. He sees a mixed landscape of protection against it and vulnerability to it across all industries, including self-storage. Fuller is a partner and head of business operations and strategy for Phoenix-based cybersecurity company Silent Sector and co-author of Cyber Rants: Forbidden Secrets and Slightly Embellished Truths About Corporate Cybersecurity Programs, Frameworks, and Best Practices.
In its introduction, the book says it is “for all those looking to implement a cybersecurity program, improve their current program, or simply learn what is involved in protecting the organization and people they serve. Regardless of your technical background or lack thereof, ‘Cyber Rants’ will take you through a highly productive journey deep into the important topics that most in the industry only gloss over.”
In a late-February interview with Mini-Storage Messenger, Fuller noted he had seen in the past year that organizations of all kinds have worked more proactively to improve their cybersecurity, even those industries that are not as much driven by compliance requirements as others. Compliance-driven business sectors include those that do business with the Department of Defense, including the aerospace industry. Software, health care, and financial services are also among the most proactive in addressing cybersecurity.
According to Fuller, the world’s “turmoil and recent events,” including Russia’s cyberattacks, the pandemic and the transition to remote working it spurred, and high-profile corporate cyberattacks (often on common technologies many companies use) have prompted these greater efforts to focus on cybersecurity.
“These are systems that companies have invested hundreds of thousands to millions of dollars in, and now they’re under a lot of scrutiny,” says Fuller. “There’s just a general lack of trust that has built and accelerated in the past year in technologies that were otherwise considered trustworthy,” though media exposure of the problem has also helped people realize “it’s time to do something about it, and their leadership is behind it more than I’ve ever seen.”
Implementation Of Security Programs
Many organizations are implementing the fundamentals of security programs. Others are at least assessing risks to understand exposure as a first step toward that goal.
But others are “very far behind,” including brick-and-mortar businesses such as real estate, construction, and self-storage, and any others that are not regulated, such as many law firms, CPA companies, and other professional services companies.
“We can’t really trust individual technologies just because they’re a big-name brand,” Fuller says. “We’re all at risk. Each organization is responsible to take action to minimize risk. We have to use these technologies. It’s just part of business, so we have to embrace technology. Criminals [are] getting more aggressive and sophisticated. … But if an organization has a good cyber risk plan in place, they can use controls to mitigate damage.”
Such a plan that follows industry standards, especially the National Institute of Standards and Technology, the Center for Internet Security and ISO/IEC 27001, will greatly reduce damage by limiting what attackers can do, “and that’s what makes all the difference.”
Most calls Silent Sector gets involve email phishing for usernames and passwords. An email that appears to come from Microsoft, for example, arrives and invites the recipient to reset account information but takes the user to a fake website where they become victims.
Fuller advises clients to always use multifactor authentication on company accounts, never use mobile phones for texts for this purpose because of their vulnerability to hacking, and always use password manager software to remember passwords and create them for other accounts.
“It’s probably true that everything is hackable,” says Fuller, “but still, put protections in place.”
As an example, Fuller recently heard from a company with many devices across multiple offices that had been infected with ransomware because it had no security program in place. Another company had one machine infected with the same ransomware, but the company shut off the infected machine from its network, which stopped the damage from spreading. Silent Sector has blog posts and podcasts on its website that detail various cybersecurity solutions for different niche areas.
Cyber Rants sums up the cybersecurity task: “Remember, nobody goes it alone and succeeds,” according to the book. “Proactive cybersecurity starts with a leadership decision and commitment. It requires a team of people who bring different knowledge, experiences, and resources to the table. It takes planning and process development, testing and assessment, continuous review, and improvement. … It will also bring the realization that people are more important than tools and that cybersecurity is an asset to organizations that make it one.”
Jerry LaMartina is a freelance reporter and editor based in Shawnee, Kansas. He is a regular contributor to all of MiniCo’s publications.