Cybersecurity is a critical and dynamic component for Kenyan businesses in today’s digital age. New threats emerge every day; that’s where cyber insurance comes in. Ah, the dreary, dreaded word: Insurance! The word we all love and think of with a smile, not!
Why should I pay a sum “just in case” something happens? Chances are, nothing will, as fearmongering sensational news articles blow things out of proportion. So I will probably end up with a good bag of monies out of pocket, and the house—insurer—wins, and I walk away with nothing. Would I blame anyone for thinking the above? Pretty much every word is sensationalized by the media these days, to the point where the tragedy of war gets the same media coverage and importance as a YouTube influencer getting triggered over getting the wrong order of soy double shaken latte with half a pump of nutmeg flavoured sugar-free syrup (that was a mouthful!). The problem is cybercrime is actually—if anything—grossly underreported and isn’t receiving the right amount of coverage and detail it deserves. Let’s be honest: If you cannot feel it, it does not exist. Right? It has to be that way.
Cynicism and sarcasm aside, the problem exists and is one of mammoth proportions. For example, in Kenya (as of June 2022), small businesses saw a 47% increase in internet attacks, and the number of Trojan-PSW (Password-Stealing Ware) increased by 16% compared to 2021. So, it is a problem, and if we are being realistic, an attack could succeed against any victim, from the ironclad mega-corporation down to, especially, the smallest neighbourhood kiosk.
Like large corporations, most small businesses rely almost entirely on IT or IT-enabled operations: from Point-of-Sale machines, inventory, financial records, and vital records to even simple business email communication. As a result, compromising such systems (or, say, a ransomware attack that encrypts all data and prevents access) can cripple a business, causing a ripple effect of outages that most companies cannot recover from.
Many small businesses need help to afford enterprise-grade cyber security kits or the fees for an enterprise-grade managed service. And even with such investments, attackers may still succeed one way or another. So, what does one do in that case? Just succumb to fate and fall to the knees in a pitch-black room with a down-shining spotlight and a camera zooming out? Nah, that’s too much drama, and you know it. If only there were a means of “transferring the risk” to someone else, hmmm…
In the security world, we can deal with risk in four ways: avoidance, transfer, mitigation/reduction, and acceptance. Avoidance is not really possible (you cannot simply “not have data so that no one attacks it”). Mitigation or reduction is possible via cyber security hardening; however, as we know, attacks can still happen with great severity. Acceptance is not an option when 60% of businesses fail within six months of falling victim to a cyber-attack. So that leaves one option: Risk transfer.
How can cyber insurance help with risk transfer?
By purchasing insurance, a company can set up a policy that covers it if a cyber attacker succeeds even though the business can prove that it took sufficient protection measures.
These policies vary (as do the premiums) but can make or break a business in the case of a cyber-attack. They cover aspects ranging from loss of revenue, reputation damage, and repair and restoration of affected software and hardware to one of the essential aspects of a business: Liability.
- Assessing the risk: The first step in developing a cybersecurity strategy and obtaining cyber insurance is to evaluate the level of risk that the business faces. It includes identifying potential vulnerabilities in the company’s computer systems and data and assessing the likelihood of an attack.
- Developing a cybersecurity plan: The business should develop a comprehensive cybersecurity plan based on the risk assessment results. This plan should include policies and procedures for protecting sensitive data, identifying and addressing vulnerabilities, and responding to cyber-attacks.
- Obtaining cyber insurance: Once a cybersecurity plan is in place, businesses should consider getting cyber insurance to help mitigate the financial impact of a cyber-attack. It will cover legal fees, data recovery, and business interruption losses.
- Regularly updating cybersecurity measures: Cybersecurity is an ongoing process, and businesses should periodically review and update their cybersecurity measures to stay ahead of potential threats. Implementing new security technologies, empowering your employees through training, and performing regular security audits will be included in the package.
- Partnering with cybersecurity experts: Finally, businesses should consider partnering with cybersecurity experts to help develop and implement a comprehensive cybersecurity plan. We are internationally certified cybersecurity professionals that can fill this gap. Feel free to contact us here.
Like a fire, a cyber-attack is time-critical, and its effects can be devastating. A business’s first aim would be to assess and contain the damage and get back into regular operation as soon as possible to avoid further damage and losses. Cyber insurance coverage may be the key to enabling a business (notably a smaller business) to get back on its feet and restore the normality of its operations.