Why Audits Are Essential Cybersecurity for Small Business Policyholders

Key Takeaways:

  • Cybersecurity for small business has never been more essential.
  • Insurers offering a cybersecurity audit provide an in-demand, valued service.
  • Regardless of the situation, small business cybersecurity audits can strengthen an insurer’s relationships and reputation.

Small and mid-sized businesses (SMBs) are increasingly in the crosshairs of cybercriminals. Because of their size, they often lack the cybersecurity resources and expertise of larger enterprises — making them attractive targets. In fact, a reported 90% of breached organizations were SMBs with fewer than 1,000 employees.[1]

A single breach can result in serious financial loss, reputational damage and potential closure for SMBs. Insurers providing cyber protection coverage to SMB policyholders have a unique opportunity — and responsibility — to help mitigate these risks. A key recommendation for lowering the risk of cyber incidents is to get your policyholders to commit to proactive cybersecurity audits.

What is a cybersecurity audit?

A cybersecurity audit is a detailed analysis of an organization's information technology (IT) systems, networks and procedures aimed at uncovering vulnerabilities threat actors could leverage in an attack. In addition to identifying potential security gaps in the software solutions used by the SMB, a cybersecurity audit also examines the organization’s security controls, training and procedures to gauge whether they comply with industry regulations and security best practices.

When potential gaps are found in an SMB’s IT infrastructure or practices, an audit helps inform the mitigation steps needed to strengthen the organization’s cybersecurity posture.

Reasons for a small business cybersecurity audit

While insurers should require policyholders to undergo a cybersecurity audit before issuing cyber coverage, small business clients also benefit from having an assessment. 

Internal cybersecurity audits assess digital defenses

One reason for the persistence of cybercrime is that threat actors constantly evolve their attacks, embracing new technologies and developing new tactics. In response, SMBs must regularly test their defensive solutions and incident response plans.

Conducting an internal cybersecurity audit enables the organization to:

  1. Catalog digital assets so it has a full inventory of the hardware, software and data repositories that make up its digital infrastructure.
  2. Review security policies to ensure the efficacy of permission controls, password hygiene requirements, remote access rules, and cyber incident response.
  3. Evaluate security solutions, assessing the effectiveness of firewalls, anti-malware software and endpoint protection tools.
  4. Conduct penetration testing to simulate possible cyber attacks and uncover vulnerabilities attackers may exploit.
  5. Train employees regularly to enforce the organization’s cybersecurity rules and raise awareness of cybersecurity best practices.

Tip for insurers: When advising your SMB clients about structuring internal audits, don’t leave their evaluations to chance. Encourage them to adopt a standardized framework from respected organizations like NIST or CIS Controls.

Vet vendors to reduce exposure to third-party breaches

The interconnected nature of how organizations operate today means cyber incidents rarely affect just one entity. These events can ripple through a business’s ecosystem.

In what are known as third-party breaches and supply-chain attacks, attackers often target companies that service other organizations — like payroll processors, IT providers, administrative staffing firms or software companies. Because these vendors have access to sensitive corporate information, employee records and customer data, they’re very tempting targets. A successful breach at one such vendor provides access to countless records for multiple client companies.

Vetting the cybersecurity posture of vendors is an important step to reduce the risk of third-party breaches. Commercial lines customers should conduct cybersecurity audits of vendors by:

  1. Mapping the vendor ecosystem to identify all outside firms that can access sensitive company data, including proprietary research, employee records and customer information.
  2. Assessing their security postures, requiring all vendors to answer detailed cybersecurity questionnaires or provide independent audit reports.
  3. Incorporating clauses into contracts that detail requirements for minimum cybersecurity standards and breach notification timelines.

Tip for insurers: The severity of third-party data breaches jumped 34% year over year, so SMB clients will be increasingly at risk. Recommending their cyber insurance policies include third-party liability coverage can help ensure they’re covered if and when the worst happens.

Avoid hidden cyber liabilities in mergers and acquisitions (M&A)

The age-old phrase “let the buyer beware” is powerful advice for SMBs looking to merge with or acquire another organization — especially regarding cybersecurity. When two organizations combine customer records, employee data and computer systems, it’s vital they keep the security of those systems and records a top priority during M&A activities.

When conducting the due diligence required for M&A, companies should perform a cybersecurity audit to ensure the data they’re responsible for will remain safe and secure. These audits should include:

  1. Pre-M&A audits to evaluate the cybersecurity posture of the target company and its employees.
  2. Previous cyber incident reviews. By investigating past data breaches, it’s possible to gauge the effectiveness of the organization’s cyber response.
  3. Security frameworks alignment to ensure the technologies and teams of both organizations are compatible.
  4. Plans for integration using an IT roadmap to unify the systems and networks of both organizations following the merger.

Tip for insurers: When two organizations are merging but are still using independent networks and systems, an insurer can earn greater trust by offering specialized M&A cyber risk assessments as a valuable add-on to its cyber protection services.

For small business cybersecurity, audits help insurers thrive

It’s imperative companies of all sizes, including SMBs, make cybersecurity mission critical. For insurers, helping guide SMB clients through cybersecurity audits can not only reduce the risk of future claims but also deepen relationships with policyholders through expertise and commitment to their well-being.

By working with trusted cyber protection specialists to enhance cyber program effectiveness, insurers can deliver customized solutions designed to meet the specific situations and needs of their SMB clients.

Want to help SMB policyholders reduce the cyber risks they face? Learn how TransUnion® can help by visiting TruEmpower Cyber Protection.