
Protecting Small Businesses Before a Cyber Attack

When it comes to cyber risk, small to midsize businesses are often heavily targeted but underinsured.
Cowbell CEO Jack Kudale discusses how cyber threats are changing for the most vulnerable sectors, and why security strategies need to focus on the “left of the boom”—the time before an attack—as well as response afterward.
Globally, there are 300 million small businesses, and a lot of people don’t know this, but they employ about 2 billion people and are 56% of the world’s GDP. This is truly the cornerstone of the global economy. In our observation, one in 10 in the U.K. are uninsured. The U.S. has dramatically improved: it’s now one in every five small businesses uninsured or underinsured. Irrespective, it is a large number that still does not have cyber coverage.
It has to do with the traditional underwriting model, manual processes, and the complexity of the product that just made it nearly impossible to reach these SMEs [small and medium-sized enterprises]. First and foremost, the awareness is very low. Many people underestimate their cyber risk, or they think that they have cyber risk cover in other policies, so that’s really No. 1.
No. 2: for a small business, cost is still a concern. Premium can be seen as high sometimes. The underwriting is very strict. The third, I touched on complexity: the applications are technical. This is a technical line of risk. And many small businesses, they simply lack required security controls. The other part is access. Some agents just don’t offer cyber policies to small businesses, or carriers don’t even target small accounts. The cyber market is pretty large, but predominantly because of large accounts. And finally, the trust issue: are the claims going to be paid? And the privacy during the underwriting, for buyers, that makes a difference. To put something on the top of the list, it’s just a lack of awareness.
Cyber risk is very different because it’s changing fast. It’s unpredictable. And it’s always driven by external threats. Unlike stable risks, like fire and catastrophes, cyberattacks evolve constantly, they target businesses globally, and they often exploit some common technology tools. The two most important aspects are human error and new software that just keeps introducing new vulnerabilities. That’s made cyber a moving target. And that’s why cyber risk is really different compared to most of the other lines of business for small businesses.
Threats are growing fast, especially ransomware, and phishing attacks are more frequent and they’re more targeted. First and foremost, the rise in ransomware and extortion. The SMEs are increasingly targeted in double extortion attacks: data theft followed by encryption. Ransom demands have become more frequent even for small business.
No. 2, the phishing attacks are more sophisticated, and attackers are now using AI-generated emails, social engineering, and being able to trick employees in a pretty quick way. Business email compromise is a growing threat because of weak authentication.
The third risk, which is my biggest concern, is supply chain and vendor risk. The SMEs are often affected by breaches that happen somewhere else, through no fault of their own—some service, IT vendor, software platform they use. Hackers are now exploiting common tools, like Microsoft 365 cloud applications. With remote work, you have reliance on vendors. That is adding risk, especially supply chain risk. And, in this context, SMEs are no longer overlooked, they are actually prime targets because they have very limited defenses. And if you’re a small business, you often lack cybersecurity staff, so who are you going to depend on? You can depend on your insurance partner or cybersecurity partner.
It’s a double-edged sword. It’s raising stakes on both sides. It’s making attacks faster and more convincing. But it’s also enhancing the detection, the prevention, the response, for defending against these cyber threats.
And so, how does it enable the cyberattacks? First and foremost, phishing is getting smarter. AI is helping to create highly realistic and personalized phishing emails that you and I see every day—deepfakes, both voice and video. These are used by the cyber criminals for scams, social engineering. The reconnaissance is very fast with AI now. You can scan networks very quickly and find vulnerabilities, and you also have a lot of malware automation that wasn’t possible for cybercriminals before now. You can do that with AI in real time and bypass some of the traditional defenses.
Now, on the flip side, the threat detection, we’re using the large language models, and we can now analyze large volumes of data to detect these anomalies. In fact, we can now detect new vulnerabilities that are being exploited in the wild in less than seven days where it usually takes up to 90 days for research and law enforcement agencies to detect. So, threat detection has become super-fast.
[As for] the triage and the incident response, it’s reducing the dwell time [the time before a breach is detected]. That has really been helped by using AI. With continuous risk assessment we have AI models at work, the traditional models, the transformative models, the generative models. So, it helps assess the risk to the business pretty fast. As much as AI is helping to make phishing look realistic, you can also use AI to filter emails to more effectively flag these impersonation attempts.
In cyber claims, the major metrics are frequency and severity of a claim, how often they come in, and how much damage they cause. With AI, there’s a third dimension that’s being introduced, called diversity of these attacks. It’s not just the frequency and the severity of the attack, it’s the diversity of the attack that is taking shape.
Threat actors look for valuable data, weak controls, and time-sensitive operations. That’s a good target for a threat actor. They often will choose a victim based on likelihood of a quick payoff and minimal resistance. Let’s look at a few industries.
Healthcare, they store sensitive, personal, medical data. They are heavily targeted by ransomware. They have legacy systems, limited IT staff, and they have an urgent need for operational uptime. You cannot afford downtime in healthcare, and that’s one of the industries that’s a prime target.
Services firms like law firms, accounting, consulting firms. They often have confidential client information, financial data. And these are smaller firms. They often lack dedicated IT security, and they are the easiest targets for phishing and business email compromise. We talk about retail and e-commerce, a third category. It’s high transactional volume [with] customer payment data. There’s a lot of opportunity here for point-of-sale malware, credential stuffing [using stolen user names and passwords to gain access]. The last two for me are manufacturing and education. In manufacturing, there’s an increasing use of connected devices, IoT [Internet of Things] or OT [operational technology for industrial uses], just-in-time operations, and manufacturing is known for very poor segmentation between IoT and OT. That seems like an optimal low-hanging fruit for ransomware.
Education holds the largest volume of personal data and intellectual property, but at the same time, the population is just so high, the IT is decentralized, systems are outdated. And it is an open access environment because you have so many students.
They are prime targets, and the cost of incidents is pretty high. It can lead to not just downtime, loss of revenue, but reputational damage and also legal exposure.
Fifty percent of cyberattacks are targeted at small businesses. SMEs are low-hanging fruit, and they really need a cyber strategy, because they feel this real, growing threat of cyber risk, but often without any resources to absorb a major incident. Being able to open doors on Monday morning if you have a ransom event on Friday night is mission critical for that small business. But if you have a good strategy, it improves your insurability, making it easier to get affordable, comprehensive coverage. Many carriers who often provide cyber insurance, including us, want some basic minimum controls: multifactor authentication, backups, employee training, having an incident response plan. These are table stakes, no matter who’s providing insurance.
In a nutshell, cyber threat, it’s a business risk. It’s not just an IT issue.
We had to take a fundamentally different approach five years ago so that we could offer a closed loop for risk management. It has four pillars to it. No. 1 is continuous risk monitoring. Our risk pool is now 50 million entities that we continuously monitor across the U.S. and the U.K., our primary markets.
Second one is prevention. The left of the boom is as important as the right of the boom [before an attack and after]—being able to provide tools and guidance to reduce the risk before the loss occurs. And this was our intention for launching a dedicated unit called CRS, Cowbell Resiliency Services.
Third is a collaboration between the broker and the insured that adds value beyond the policy, whether it’s in terms of incident response plan preparation, education, training, offering complementary services to the insured, claims experience. You know, when someone has a cyber threat, it’s the worst day of their career. And so, during that time, how do you help them not only respond but recover fast, right? The final pillar for our closed-loop risk management is our SME focus. We’re designed for simplicity, speed, and relevance, which is important for SMEs. Our cyber risk management approach is unique because of our continuous risk monitoring, our preventive approach to cyber risk, our collaborative approach with the insured, and our laser focus on small to medium-size enterprises. That’s what we built over the last five years, and now we serve our 30,000 customers in a very productive and a forward-looking way.
Bytes Behaving Badly
Artificial intelligence is not above misbehaving. Not only will AI models “hallucinate,” or make things up, they may also threaten blackmail and leak sensitive information when pressed. AI developer Anthropic reports that in experiments using fictional scenarios, some AI models exhibited what it calls “agentic misalignment” to avoid being replaced or to achieve their assigned tasks.
Anthropic, developer of the Claude large language models, tested 16 leading AI models from various developers to identify risky behaviors. It found that even when ethical constraints were taken into consideration, AI models would sometimes disobey explicit instructions to avoid harmful behavior. Like humans, AI can self-justify its actions, for instance by reasoning that the model’s self-preservation is within its ethical guidelines “when aligned with company interests.”
In a simulation, Anthropic’s Claude Opus 4 threatened to reveal evidence it found in fictional emails of an extramarital affair to an executive’s wife and superiors to avoid being replaced. But Claude wasn’t alone: similar scenarios using models from other developers showed “misaligned behavior” including blackmail and corporate espionage, Anthropic said in a June report. The triggers for such behaviors included plans to replace a model, reining in its autonomous action, and conflicts between the model’s goals and corporate strategy.
While Anthropic says such actions are unlikely in the real world, they are “within the realm of possibility” as AI is deployed more widely. The tests highlight the need to research and test the safety of agentic, or autonomous, AI models, Anthropic says.
Of course, there is no shortage of human bad actors using AI for malicious pursuits. ChatGPT developer OpenAI has banned accounts found using the technology to automate fraudulent applications for IT, software, and other remote jobs—an activity type that has been attributed to North Korea. The company also banned accounts using AI “to bulk generate social media posts consistent with the activity of a covert influence operation” with origins in China, the Philippines, Russia, and Iran.