Cybercriminals are increasingly spending extended periods of time infiltrating and expanding across corporate networks before they launch cyberattacks, which makes the eventual attack even more damaging. (Credit: Maksim Shmeljov/Shutterstock)

From Capital One to city municipalities, we’ve seen the devastating effects of cyberattacks in 2019. These will only continue in 2020.

In fact, many security experts believe that all businesses will at some point experience a cyberattack. This is not a question of if they’ll experience a cyberattack, but when. Breaches of well-known companies may dominate the headlines, but small- and mid-size businesses are facing the largest risk since an attack for them can be a company-ending event.

In the coming year, I predict that certain types of attacks and certain tools to combat those attacks will reign supreme. As budgets become finalized for the new year, these are five topics that businesses need to be aware of and work into their cyber strategy.

1. 2019 was the year of ransomware — 2020 will be too

Ransomware attacks became more prevalent this year, with a 118% rise in attacks in the first quarter alone. Because of the debilitating effects of ransomware on the United States economy, school districts, municipalities and more, cyberattacks are starting to be viewed as more common and personal.

This form of attack has become more accessible for criminals and more devastating for businesses as attacks become more sophisticated and ransom demands skyrocket. We’ve seen this firsthand from our policyholders with six-figure ransoms for BitPaymer and Ryuk. Attacks have also evolved from targeting one device to network-wide attacks to the ubiquitous use of ransomware-as-a-service. In 2020, we will continue to see the pervasiveness of these attacks.

However, by having the right basic security measures in place, businesses are far less vulnerable to an attack. Nearly 80% of ransomware attacks could be avoided if companies implement multi-factor authentication across all business services, and remove any remote access to their corporate network.

It’s common to look at a major breach like Capital One’s incident over the summer and think it will never happen to you, but with this year’s prevalence of local incidents, many businesses are starting to take a more serious look at their cybersecurity protection.

2. Find the “unknown, unknown”

The average cybercriminal is in a network 200 days before they’re identified, and those are just the ones that are discovered. Cybercriminals are increasingly spending extended periods of time infiltrating and expanding across corporate networks before they launch cyberattacks, which makes the eventual attack even more damaging. There is an unknown number of cyberattacks happening daily, and perhaps the broadest threat to small businesses is the “unknown, unknown” that could impact their operations. As we see an increase in attacks, the demand for cyber monitoring and cyber insurance will continue to grow.

3. Have a backup plan

Security software alone isn’t fixing the problem, and something must be done to protect small businesses. Unlike security software providers, insurers’ incentives are directly aligned with their customers since the insurer pays out in the event of a loss. In this way, insurers serve as a true risk management partner for their customers, rather than just peddling more security software. With continuous intelligence on the entire risk ecosystem, cyber insurance companies will make protection for businesses in 2020 easier and more accessible, while making hacks more difficult and more expensive for attackers.

Cyber insurance is headed toward an inflection point. There is a robust amount of capital going into cyber insurance, and policy language is improving, which will lead to an increase in buyers and claims. But, at some point — possibly in 2020 — this trend will meet an inflection point as is typical in the insurance industry. As cyber coverage becomes more common, scopes of coverage will converge. Furthermore, as losses become more pervasive, the average cost for a policy will increase.

4. Double-check your deals

Thinkful, an online education company, notified users this past September that it had experienced a data breach. To add insult to injury, this announcement happened just days after the site had been acquired by Chegg for $80 million in cash.

No business wants to acquire a business, only to immediately learn that they’ve also inherited a data breach and all of the damage that comes with it. Cyber vulnerabilities are increasingly being considered in the due diligence process for mergers and acquisitions, but for many businesses, cyberthreats are still a blind spot. In 2020, business leaders absolutely need to take cyber due diligence as seriously as they do financial, market, and employee analysis.

In an ideal situation, decision-makers would conduct a penetration test on the network of a selling company before signing any contracts. This helps the acquiring company more fully understand a company’s potential cyber vulnerabilities. A penetration test creates a simulated cyberattack and can signal technical deficiencies across a company’s network.

5. Prepare for CCPA just like you did for GDPR

Earlier this year, Google, one of the largest technology companies in the world, was fined $57 million for a General Data Protection Regulation (GDPR) breach in France. What is unique about this scenario is Google didn’t expose any customer data — rather, they were fined for failing to comply with their stated privacy policy.

In January 2020, the California Consumer Privacy Act (CCPA) goes into effect. As with GDPR, this doesn’t just affect California-based or EU-based companies — it impacts any business with customers that reside in that location. Now more than ever, U.S.-based businesses need to understand and adhere to privacy law, or else risk massive exposure.

If companies with as many resources as Google are facing fines, how can far smaller businesses address this risk? One effective solution is to mitigate the risk through cyber insurance policies that address both loss of customer data due to a security failure or data breach, and failure to comply with the regulation (as was the case with Google). Insurance helps businesses self-regulate their actions and acts as the last line of defense in the event of a major fine.

Looking forward

Cyberattacks aren’t just a top news story of 2019 — they’re here to stay. Businesses that have watched from the sidelines how breaches have affected other companies and organizations will need to take preventative action in 2020.

As ransomware continues to wreak havoc and the number of hackers continues to grow, business leaders need to get serious about investing in cyberattack prevention and securing a risk management partner.

Shawn Ram (shawn@coalitioninc.com) is the head of insurance at Coalition, a company founded at the intersection of the insurance and cybersecurity industries by a team of insurance, technology and intelligence community veterans. The views expressed here are the author’s own.