12 must-have cybersecurity controls to lower your insurance costs

Protect your business from common cybersecurity threats with these techniques that can keep your business safe while saving you money by lowering your insurance costs.

Insuring your small business is one of the best ways you can protect yourself from the unknown. But everyone likes to save money where they can.

Here, we’ll give you some actions you can take—including risk mitigation strategies—to help lower your premiums when it comes to cybersecurity insurance.

The importance of cybersecurity for small businesses

You don’t have to wait very long for reports of data breaches to show up in the news. They're pretty commonplace these days. Unfortunately, despite that awareness, many small business owners feel they’re immune to becoming future victims of a cybersecurity event.

A recent Microsoft Security report detailed the following mindsets of small- and medium-sized businesses (SMBs):

  • 44% said “We’ve already been attacked, so we probably won’t be attacked again.”
  • 26% said “We’ve never been attacked, so we’re probably safe.”
  • 26% said “We’re too small to be targeted by hackers.”

Cybercrime was historically a major concern primarily for large corporations because of their higher revenue and greater amounts of sensitive data. However, in recent years, cybercrime has become an increasing menace to all businesses – no matter the size, industry, or worth.

That same Microsoft Security report showed one in three SMBs have experienced a cyberattack. One reason noted for the higher incidence is that smaller companies typically don’t have the resources and training that bigger companies have to prevent, detect, and respond to attacks.

That means even if they’ve been victimized before, they could be again. And if they haven’t yet been, there’s a high chance they will be. Data protection has become a major concern for businesses of all sizes.

If you’re involved in a data breach, it can be expensive. The Microsoft Security report found the average total cost of an attack on an SMB was $254,445 but ran as high as $7 million. For many small businesses, figures like that could be catastrophic.


How can insurance protect your business from cybersecurity attacks?

These days, digital dangers pose as great a threat as physical dangers. The insurance industry has responded by creating products designed to protect you if you suffer a cyber event.

Just like you’d take out a commercial property policy to guard against a fire in your office or warehouse, or a general liability policy to cover legal fees for third-party bodily injuries, cyber insurance jumps in when you’re the target of things like denial of service (DoS) attacks and cyber extortion.

First-party cyber liability insurance helps your business recover from financial losses caused by cyberattacks, data breaches, and other cyber events. It can help pay for ransom demands, credit monitoring, attorney’s fees, fines, data recovery, and other costly expenses.

Because almost every business is a potential victim of cybercrime, it’s important to have the protection cybersecurity insurance offers.

What requirements do some cyber insurance policies have?

While most insurance types don’t have specific requirements for getting a policy, you’re probably familiar with qualifying discounts. For example, you can get a lower auto insurance premium if your car is equipped with safety features like airbags and anti-lock brakes. In the same way, your property insurance cost will decrease if you have a sprinkler or security system.

With cyber or data breach insurance, you can also get discounts for taking proactive measures to shield yourself from attacks. However, some insurance companies go a step further and insist you put those safeguards in place.

Cyber events have become so common and costly that insurers have made the underwriting process much more stringent. In almost every case, before approval, insurance providers will conduct a risk assessment to determine if you qualify. If you do, that assessment will also help the insurer decide how much coverage they’ll offer and what your cost will be.

Depending on your insurance company and what your needs are, you may be required to have specific risk management or loss control systems in place before they bind cyber coverage. These protocols and security measures safeguard you against becoming a victim in the first place or help with remediation if you’re targeted.

Below is a range of common information security controls some insurers demand or would like to see before approving cyber coverage:


Multi-factor authentication (MFA)

Multi-factor authentication is often the first step to preventing unauthorized access to your accounts. It’s an easy and low-tech way to protect your business, even if passwords are compromised. MFA works by requiring people who are signing in to confirm their credentials through a secondary means.

For example, after putting in a password, the user may have to then type in a code that was texted to their phone or sent to a third-party app. Biometrics, like fingerprints and facial recognition, can also be used. These are an especially secure type of access control because they can’t be easily stolen.

Privileged identity/access management (PIM/PAM)

PIM and PAM are ways for businesses to control and monitor who can enter sensitive systems like servers, databases, and applications. This ensures only authorized users can perform high-level tasks.

It helps mitigate the risks of insider threats, because you limit how many people in your organization can even access certain company resources. And since fewer people have the necessary credentials, there’s less likelihood of those being stolen, so the chances of external attacks go down, too.

Remote access

VPNs and ZTNAs are remote access solutions that help provide secure connections to company networks. These have become especially important with the rise of hybrid and work-from-home jobs.

VPN stands for “virtual private network.” A VPN provides an experience very similar to a direct connection, such as when an employee is in the office. An encrypted channel is created and all your traffic is sent over it, providing assurances against eavesdropping, tracking your activity, and identifying you.

ZTNA stands for “zero-trust network access.” As the name implies, it applies a more rigorous security standard than a VPN. With a VPN, users have access to the entire network once they’re in. With ZTNA, users have to be authenticated on each device, and then they’re only granted permission to the specific application they requested.


Endpoint detection and response (EDR)

Endpoint detection and response is a proactive strategy meant to protect your organization from cyber threats. Endpoints are remote devices—like cell phones, laptops, desktop computers, or virtual machines (VMs)—that connect to a network and thereby create an entrance or exit for data.

EDR uses real-time monitoring, threat detection, and automated response to protect endpoints from malware and other cyber events. Basically, EDR systems log activity on endpoints 24/7. If something suspicious turns up, then an alert will be sent for IT security teams to investigate.

Security information and event management (SIEM)

SIEM is similar to endpoint detection and response in the way it works. It uses continuous monitoring to provide early threat detection. However, while EDR focuses only on analyzing the behavior of endpoints, SIEM collects and correlates logs from across the whole environment, including firewalls, servers, and cloud services.

Because it’s much more comprehensive, SIEM can help detect sophisticated attacks before they occur. It can even be set up to take corrective action if there’s a suspected breach.

Incident response plan (IRP)

Unlike the previous tactics, the incident response plan is something that’s used not to prevent a cyberattack, but to respond to one. It’s a documented policy for what to do after data breaches. It should outline how your business can quickly contain, mitigate, and recover from security incidents.

An IRP is particularly important to insurers because they want to know that in the event of a hack, you’ll be properly equipped to handle it. This includes procedures such as data breach notifications, which are regulated by each state and can carry stiff fines and penalties if breaches aren’t reported correctly.

Business continuity/disaster recovery plan (BCP/DRP)

Business continuity and disaster recovery plans are a bit broader than incident response plans. BCPs and DRPs are designed to make sure critical business functions can continue during and after a disaster or cyberattack. They can cover a range of adversities, from hurricanes and fires to pandemics and ransomware attacks. The goal is to minimize downtime and get you back up and running as quickly as possible.

Business interruption following a hack can be a costly expense. In fact, IBM’s Cost of a Data Breach report in 2024 found “75% of the increase in average breach costs in this year’s study was due to the cost of lost business and post-breach response activities. The lesson: investing in post-breach response preparedness can help dramatically lower breach costs.”


Backup strategy

Like the plans mentioned above, a backup strategy is something businesses rely on after a cybersecurity incident has occurred. But for it to work, the backup process has to be running continuously beforehand.

A backup strategy defines how copies of your data are stored separately so there isn’t just one trove of information that can be destroyed or stolen. Strong backup plans minimize the risk of data loss and aid in quick recoveries.

Email security

Since email is a common form of communication for almost every organization, and it’s also a preferred method of criminal cyber schemes, it’s critical to institute methods to protect users and safeguard sensitive information.

Spam filters, phishing defenses, and secure email gateways help prevent data breaches and other attacks.

Security awareness training

According to a 2024 Verizon Data Breach Investigations report, 68% of breaches “involved a non-malicious human element, like a person falling victim to a social engineering attack or making an error.”

As the saying goes, knowledge is power. Equipping your employees with information about cybersecurity—from learning to update operating systems (OS) for crucial security patches, to not clicking on suspicious links—can be one of the best ways to protect your business from becoming a victim.

This human element (which costs much less than some of the technical controls outlined above) will help your bottom line, too. IBM’s Data Breach report found employee training was the greatest factor in reducing average data breach costs and called it “an essential element in cyber-defense strategies, specifically for detecting and stopping phishing attacks.”

Third-party risk management (TPRM)

The Verizon report also stated “15% of breaches involved a third party or supplier, such as software supply chains, hosting partner infrastructures, or data custodians.”

So it’s important to manage the risk of these vendors. Vigilant onboarding and continuous monitoring can serve as a solid backbone for securing interactions with your outside partners.

Cybersecurity ratings

A cybersecurity rating is much like a credit score. While a credit score shows creditors how much of a risk you are to lend to, a cybersecurity rating indicates an organization’s level of vulnerability to a cyber threat. The two are comparable in terms of what the numbers mean as well – a lower score equals more risk or vulnerability and a higher score equals less.

Cybersecurity ratings are helpful to internal security performance management teams, because they help pinpoint areas of concern. If those issues are addressed, then much like a credit rating, the organization’s cybersecurity rating could go up.

Ratings can also be used by companies to assess third parties. If a potential vendor has a low score, then a business may choose not to go with them or may require them to fix the problems before signing a contract.

Insurers can also use your rating to help assess your cybersecurity risks and determine coverage options. The higher your score is, the lower your premium could go. So, by adopting any—or all—of the preventative controls we listed above, you can reduce your insurance bill.


How to develop a cybersecurity program

The previously discussed tactics are great steps toward protecting your business from cyber risks.

You can also work with a cybersecurity consulting firm to establish a digital infrastructure which will protect your small business as much as possible.

Lastly, training your employees to identify and avoid social engineering hacking techniques will help prevent many of the most common scams.

How to get cyber insurance with Insureon

If all the things we listed above seem like a lot of requirements, don’t worry! Insureon is here to help. We have licensed insurance agents available to determine how much cyber insurance you qualify for.

We can even help you figure out exactly what risk management steps you may be missing to help the underwriting process go more smoothly.

Start a quote by answering some simple questions and we’ll get back to you with options from top insurance providers. You’ll be able to compare rates to find cheap insurance that gives the coverage you need.

Approval takes very little time, and we set you up immediately in our customer portal, where you can receive your policy documents and download and print a certificate of insurance (COI).

Sara Singh, Contributing Writer

Sara’s career has taken her across the writing spectrum. She started as a television news producer, then was hired as the marketing manager for a financial services firm. After working for the publisher of the world’s most widely circulated magazine, Sara went into the agency scene as a copywriter and finally served as the in-house content writer for a tech consultancy. Now, she freelances for a variety of clients so she can have the flexibility to do volunteer work and travel.
