Smaller Business, Bigger Risk

By: | December 1, 2013 • 3 min read
Ara Trembly is founder of The Tech Consultant and The Rogue Guru Blog. He can be reached at [email protected]

More and more hacking incidents and identity thefts are reported in the mainstream media, and most of us are thus uncomfortably aware of the fact that such attacks are increasing. What may not be as obvious, however, is that more and more cyber criminals are targeting smaller enterprises — because they tend to have fewer defenses and because they may provide a gateway to larger, more profitable targets.


In its 2013 Internet Security Threat Report, Symantec Corp., a provider of security software, found that the largest growth area for targeted data attacks in 2012 was businesses with fewer than 250 employees (31 percent of all attacks targeted them).

“This is especially bad news because based on surveys conducted by Symantec, small businesses believe they are immune to attacks targeted at them,” the report noted.

Indeed, the same may be said for smaller insurers and a plethora of insurance brokers. As the report pointed out, however, “While small businesses may assume that they have nothing a targeted attacker would want to steal, they forget that they retain customer information, create intellectual property and keep money in the bank.”

Confidential customer and industry data ripped from smaller enterprises are just as valuable to identity thieves as information stolen from larger systems.

And while some may argue that larger enterprises present more profitable targets, it could also be said that smaller operations — with smaller operating budgets — will tend to have less sophisticated defenses, and thus be easier to attack, the report added.

“Criminal activity is often driven by crimes of opportunity. With cybercrimes, that opportunity appears to be with small businesses,” stated Symantec.

“Even worse, the lack of adequate security practices by small businesses threatens all of us. Attackers deterred by a large company’s defenses often choose to breach the lesser defenses of a small company that has a business relationship with the attacker’s ultimate target, using the smaller company to leapfrog into the larger one.”

This last point cannot be sufficiently emphasized. A large insurer’s system defenses may be adequate to deal with direct attacks from unknown sources, but what about things that seem to walk in the door from an agency or broker that does business with the insurer on a regular basis?

It is certainly conceivable that a cyber criminal would be able to steal the email addresses and other information about legitimate employees of an agency or brokerage — then use those addresses as a safe entry into the insurer’s systems. Once past the insurer’s “palace guard,” the intruder could then plant malware to take control of the network, or simply begin stealing information.


But would a cyber crook really go to all that trouble? If the end reward is sufficient, the answer is most certainly in the affirmative. From a larger insurer’s or broker’s point of view, then, the key is to make certain that the defenses of our smaller business partners are up to snuff. That may mean making site visits to evaluate the security profile of those partners (and of vendors, for that matter), or it may mean investing in commercial systems defenses that are then given to our partners — truly a win-win, since it protects both insurer and business partner.

Should a larger insurer or broker be forced to help fund defenses for its smaller partners? Probably not, but the investment certainly seems worth it.

More from Risk & Insurance

More from Risk & Insurance

2018 Risk All Stars

Stop Mitigating Risk. Start Conquering It Like These 2018 Risk All Stars

The concept of risk mastery and ownership, as displayed by the 2018 Risk All Stars, includes not simply seeking to control outcomes but taking full responsibility for them.
By: | September 14, 2018 • 3 min read

People talk a lot about how risk managers can get a seat at the table. The discussion implies that the risk manager is an outsider, striving to get the ear or the attention of an insider, the CEO or CFO.


But there are risk managers who go about things in a different way. And the 2018 Risk All Stars are prime examples of that.

These risk managers put in gear their passion, creativity and perseverance to become masters of a situation, pushing aside any notion that they are anything other than key players.

Goodyear’s Craig Melnick had only been with the global tire maker a few months when Hurricane Harvey dumped a record amount of rainfall on Houston.

Brilliant communication between Melnick and his new teammates gave him timely and valuable updates on the condition of manufacturing locations. Melnick remained in Akron, mastering the situation by moving inventory out of the storm’s path and making sure remediation crews were lined up ahead of time to give Goodyear its best leg up once the storm passed and the flood waters receded.

Goodyear’s resiliency in the face of the storm gave it credibility when it went to the insurance markets later that year for renewals. And here is where we hear a key phrase, produced by Kevin Garvey, one of Goodyear’s brokers at Aon.

“The markets always appreciate a risk manager who demonstrates ownership,” Garvey said, in what may be something of an understatement.

These risk managers put in gear their passion, creativity and perseverance to become masters of a situation, pushing aside any notion that they are anything other than key players.

Dianne Howard, a 2018 Risk All Star and the director of benefits and risk management for the Palm Beach County School District, achieved ownership of $50 million in property storm exposures for the district.

With FEMA saying it wouldn’t pay again for district storm losses it had already paid for, Howard went to the London markets and was successful in getting coverage. She also hammered out a deal in London that would partially reimburse the district if it suffered a mass shooting and needed to demolish a building, like what happened at Sandy Hook in Connecticut.

2018 Risk All Star Jim Cunningham was well-versed enough to know what traditional risk management theories would say when hospitality workers were suffering too many kitchen cuts. “Put a cut-prevention plan in place,” is the traditional wisdom.

But Cunningham, the vice president of risk management for the gaming company Pinnacle Entertainment, wasn’t satisfied with what looked to him like a Band-Aid approach.


Instead, he used predictive analytics, depending on his own team to assemble company-specific data, to determine which safety measures should be used company wide. The result? Claims frequency at the company dropped 60 percent in the first year of his program.

Alumine Bellone, a 2018 Risk All Star and the vice president of risk management for Ardent Health Services, faced an overwhelming task: Create a uniform risk management program when her hospital group grew from 14 hospitals in three states to 31 hospitals in seven.

Bellone owned the situation by visiting each facility right before the acquisition and again right after, to make sure each caregiving population was ready to integrate into a standardized risk management system.

After consolidating insurance policies, Bellone achieved $893,000 in synergies.

In each of these cases, and in more on the following pages, we see examples of risk managers who weren’t just knocking on the door; they were owning the room. &


Risk All Stars stand out from their peers by overcoming challenges through exceptional problem solving, creativity, clarity of vision and passion.

See the complete list of 2018 Risk All Stars.

Dan Reynolds is editor-in-chief of Risk & Insurance. He can be reached at [email protected]