Cybercrimes are now common headlines. From the healthcare industry to education systems, bad actors are finding ways to make money off unsecured networks, too-easy-to-guess passwords and social engineering fraud tactics, a.k.a. good old-fashioned con work.

While people may be more aware that cybercrimes are happening, it seems like we all struggle to do something about it. Earlier this year, the FBI’s Internet Crime Complaint Center reported an estimated $16.6 billion lost globally in 2024, which is up 33% from 2023.

Such a big increase is both disappointing and frightening, as there have been concerted efforts from the government and private sector to educate consumers on how to secure digital assets and recognize scams. From personal assets wired because of fraud, to a productivity shutdown due to a ransomware attack, it appears there are no bank accounts or businesses too small to target or too big to tackle.

“The landscape is always changing,” said J.P. Kennedy, Director of Technology and Cyber Insurance at Hub International New England, an insurance broker that guides businesses through risk management and employee benefits. “Sometimes the ‘bad guys’ are winning, sometimes the ‘good guys’ are,” he continued. 

Is it time to change the locks?

Despite the staggering FBI numbers, Kennedy feels confident in his slice of the world, where he helps businesses understand their exposure and be more proactive about their cybersecurity. “We are seeing a surge of attacks,” he said, “but we are also seeing lower success rates because the use of defensive measures has continually improved.”

Kennedy says small businesses that want to improve their security right now can make use of free resources from the federal Cybersecurity and Infrastructure Security Agency (CISA). “Cyber Hygiene” services that scan for internal and external vulnerabilities are available for U.S.-based public and private sector critical infrastructure organizations, and any business can put CISA’s strategy documents or action plans to work, like defining roles for leadership in the fallout of a security breach and training staff to identify and appropriately respond to ransomware.

Even people who are good with technology benefit from the fact that software companies are making their products safer from the start. For example, many services now automatically use end-to-end encryption for messages or require multi-factor authentication for logging in. “Multi-factor authentication can seem like a hassle for users, but it’s a bit like locking your car or wearing a seatbelt—just an extra step you take to keep yourself safe that becomes a habit. It makes your accounts harder for hackers to break into,” said Kennedy.

Kennedy also highlighted the emerging use of cloud computing software, which more businesses are moving toward, as secure by design. “In that environment, updates to eliminate vulnerabilities generally happen more quickly than if they were being made on all local devices,” he explained.

Another way for companies to protect themselves financially is through cyber insurance, which Kennedy says has never been so readily available. When deciding whether to offer you coverage, insurance companies want to know how you are keeping your business safe—especially when employees access your systems from outside the office. They expect to see security steps in place, like multi-factor authentication, to make sure it’s really your employees trying to log in, especially for email accounts. They also want you to keep an eye on your network’s endpoints—where your network connects to the internet—using various tools, commonly known as Endpoint Protection. Even if you don’t have these protections in place, some insurance companies offer solutions that include security tools built into the coverage.

Once you have a cyber policy, Kennedy notes, most cyber insurance companies offer free or discounted services to help customers improve their cybersecurity. They do so out of enlightened self-interest, to reduce the possibility of a claim. Similarly, when data breaches do inevitably happen, most policies allow the insurance company to coordinate the response in order to minimize any resultant damage or disruption. If you experience a data breach, your insurance provider will help you recover from losses, including making sure you follow all the different state law requirements for notifying affected customers and take steps to protect them from additional harm.

Staying ahead of the game

Kennedy finds it interesting that two of the biggest areas of concern to the insurance industry are the oldest—human error—and the newest—Artificial Intelligence.

“Some sources say 95% of all data breaches are traceable to human error,” Kennedy says. Training employees about good cyber security habits is still one of the best ways for a company to limit the number of attacks they experience. “Good security starts with awareness. Using good passwords, thinking twice before clicking on a strange email, picking up the phone to call and verify an unusual request—these little things can sometimes save companies from huge problems.”

In addition to finding businesses quality cyber insurance, Hub International New England will support educational efforts, regularly reviewing best practices and how to identify common attempts to gain access to devices and data. And Artificial Intelligence is definitely on the radar screen. Kennedy said that historically, bad actors would spend up to 180 days in a network once they had gained access, exploring to find weaknesses before, say, installing ransomware. The use of Artificial Intelligence tools appears to have cut that time at least in half, and it has also made the search for and exploitation of vulnerabilities faster.

Deepfake audio and video have been successfully used in social engineering scams. Just like you would for a classic “Your car loan is overdue” phone call scam, Kennedy reminds people to trust their gut, think twice, never act in a rush, and seek independent confirmation before entrusting someone new with information or transferring funds from an account.

The good news is that Artificial Intelligence tools are being put to work to improve defensive responses and limit the damage being done by malware attacks. It’s a cyber arms race that doesn’t look like it will end any time soon.

Start taking cyber risks seriously

Hub International’s 2025 Outlook Executive Summary surveyed 900 business leaders across the U.S. and Canada, and only 40% said they had some sort of cyber coverage. “A lot of people don’t appreciate the risk because it hasn’t happened to them yet,” said Kennedy. “But consider that it’s a wallet or your bank account and it can be accessed virtually from anywhere in the world if you don’t protect it properly.”

Whether it’s stolen data, faked identities or frozen operations, the damage from a cyberattack can be just as devastating as a fire, flood or break-in. Business leaders must start treating their digital assets with the same urgency and protection as their physical ones and help make sure “the good guys” always have an edge.


HUB International’s employee benefit specialists work with employers of all sizes in all industries on every aspect of employee benefits program planning and management. Contact them today to improve your hiring and retention strategies.
