By: Gary McAlum, Chief Information Security Officer, AIG 

In fact, a recent report found that small businesses are three times as likely to be targeted by cyber criminals than large companies. Luckily, you don’t need to have a multimillion-dollar cybersecurity budget to protect your company from cyberattacks. Whether you’re responsible for protecting a Fortune 500 company or a five-person operation, here are four simple steps you can take to significantly reduce your cyber risk.

1. Require strong passwords

Make employees’ accounts as difficult for cyber criminals to breach as possible by requiring long, unique, and complex passwords. For even better protection, passwords should be at least 12 characters long and should include upper-case and lower-case letters, numbers, and special characters.

2. Enable multi-factor authentication

Multi-factor authentication helps to keep cyber criminals out of important accounts in the event an employee’s password is compromised. Requiring a secondary method to verify an employee’s identity adds an additional layer of protection.

3. Educate your employees

It won’t matter how impenetrable you’ve made your employees’ accounts if they don’t know how to identify and avoid cyber threats. It’s been reported that the majority of cyberattacks are caused by employee error. If you only take one step to enhance your company’s cybersecurity, educate your employees!

• Focus on phishing. Phishing accounts for 90 percent of data breaches, so it’s essential to teach your employees how to recognize phishing attempts and what to do if they receive a suspicious email, according to a recent report. The National Cybersecurity Alliance offers a helpful overview on phishing. The simplest message to share with your employees is: When in doubt, don’t click!

• Provide annual cybersecurity awareness training. Whether you work with a vendor to provide formal training or simply hold a meeting to discuss online safety basics with your employees, offer a refresher on cybersecurity at least once a year. When new employees join, make sure they receive training as part of their onboarding.

• Participate in Cybersecurity Awareness Month. Use October as an opportunity to educate your employees about cybersecurity. Register as a Cybersecurity Awareness Month Champion to receive a free toolkit of materials you can share with your employees.

• Make cybersecurity awareness resources available year-round. If possible, make cybersecurity awareness resources available to employees on an intranet site. Include cybersecurity content in newsletters and other recurring employee communications.

4. Consider Cyber Insurance

Cyber criminals are constantly developing new tactics and techniques, so even if you take all the steps above, your company could still experience a cyber incident. No matter the size of your business, the cost of recovering from a cyberattack can be catastrophic. Purchasing cyber insurance can help cover the cost of recovery from many types of cyber incidents, such as data breaches and ransomware attacks.

Additionally, many policies include cyber risk assessments, insights and access to tools that help companies identify and recognize how to remediate vulnerabilities. An engaged and experienced claims team can interact with an organization before an attack and claim happen and provide insights into the claims experience and process, including introductions to law firms and cybersecurity vendors who would be part of an incident response team if that need develops. This is especially valuable for small businesses that don’t have dedicated cybersecurity resources.

For more information on how to protect your business from cyberattacks, explore the National Cybersecurity Alliance’s CyberSecure My Business program.

Gary McAlum, Chief Information Security Officer, American International Group (AIG)

In this role, he is responsible for developing, implementing, and operating an information security strategy to address AIG’s cyber risks. He is responsible for protecting AIG’s data, managing cybersecurity related risks, and ensuring regulatory compliance, while enabling the business.

In 2021, Gary retired from USAA, a financial services company focused on the military community, where he served as their Chief Security Officer for more than 11 years. In that role, he led a team of more than 1,000 personnel spanning Information Security, Privacy, Fraud Operations, Business Continuation, Physical Security Operations, and Corporate Investigations. While at USAA, he served for 10 years on the Board of the Internet Security Alliance (ISA) and contributed to several of their publications. In addition, he was a regular industry speaker at the Department of Defense (DoD) Cyberspace Operations Executive Course (COEC) that was designed to provide senior military leaders a better understanding of technologies, policies, and operations being implemented to defend and operate in the cyber domain.

Prior to USAA, Gary served 25 years in the US Air Force, retiring as a Colonel.  Throughout his military career, he worked in a variety of leadership and staff positions within the information technology and cyber career field, including cybersecurity operations, telecommunications, satellite communications, deployed network operations, and information security. Gary had multiple deployments to the Middle East in support of military operations. Most notably, he was on the front line of cyberspace operations for the DoD, where he supported the establishment and evolution of the Joint Task Force Global Network Operations (JTF-GNO), the organization that was the focal point for the operation and security of DoD information systems and networks and a pre-cursor organization to US Cyber Command. During this time, Gary was frequently called upon to provide cyber threat insights to a wide variety of interagency forums, including the US-China Economic and Security Review Commission and the President’s National Cyber Study Group, as well as to provide Congressional testimony. In 2016, he was inducted into the Air Force Cyberspace Operations Hall of Fame. After retirement from the Air Force, he spent a short time with Deloitte & Touche, LLP, in their federal practice.

Gary earned a B.A. in Mathematics from The Citadel, an M.S. in Management Information Systems from the University of Arizona, and an M.S. from the Industrial College of the Armed Forces. He is a Certified Information Systems Security Professional (CISSP) and a Certified Fraud Examiner (CFE). Gary has completed the National Association of Corporate Directors (NACD) Cyber Risk Oversight certification course, the Wharton Security Executive Development Program, and the executive education course Cybersecurity: The Intersection of Policy and Technologyat Harvard’s Kennedy School of Government. In addition, he attended the FBI’s CISO Academy and Domestic Security Executive Academy.

Gary serves on the Board of Directors at the National Cybersecurity Center, a nonprofit for cyber innovation and awareness, and at Fisher House Inc., a nonprofit that supports military members, veterans, and their families staying at Fisher House while they receive medical treatment in the San Antonio area.