An organization’s cyber security measures, along with an overall secure IT approach that is properly implemented and continuously enhanced, can provide as much “protection” as a strong cyber liability policy. But can it really be an alternative to costly and, in some instances, required insurance?
The number of cyber-attacks increased by 50% year-over-year in 2021. Damage related to cyber-crime surpassed $6 trillion in 2021. Insurance companies continue to raise the minimum levels of security technologies, tools and processes an organization must have in place to obtain a policy. Yet in 2021, the average price of cyber insurance per million increased by 174%. The 2020 cyber insurance market was worth $7.8 billion. Analysts expect it to grow beyond $20 billion by 2025.
As the saying goes, “An ounce of prevention is better than a pound of cyber insurance.” Read on for advice from our experts and an examination of the tenets of a well-managed and secure IT strategy.
Business Continuity and Disaster Recovery
Business continuity and disaster recovery, or BC/DR, are terms used frequently in IT circles. BC/DR planning is a critical element in reducing business interruption in the event of a security incident or other unexpected disaster. Mature IT departments will have both electronic and written copies of the plans available for reference in preparation for a natural disaster or security event that takes out critical infrastructure. A vetted backup retention policy and rigorous testing of both file and complete system restores of all critical infrastructure to a warm or cold site are a few of the building blocks of a healthy BC/DR plan.
Vulnerability and Patch Management
Security and IT teams across the world continue to stress that most cyber attacks are not the result of sophisticated or ridiculously complicated techniques for gaining access to systems. Most attackers exploit widely known and easily leveraged security gaps, often the result of a lapse in basic security hygiene. Establishing and adhering to a vulnerability management strategy is an extremely effective (and inexpensive) tool to reduce risk.
From public-facing network infrastructure all the way through to your internal wireless LAN, various parts of a network can represent risks when improperly managed. However, if you keep all components updated to the latest software release, apply security patches when available, and prohibit unnecessary access and insecure protocols, you have already done quite a bit to thwart the would-be attacker.
Identity Management
Identity and credential management is one of the cornerstones of having and maintaining a secure environment. Enforcing multi-factor authentication (MFA) for administrative functions as well as end-user actions related to personally identifiable information (PII), sensitive/confidential data or intellectual property (IP) is a fantastic way to enhance your company’s identity and credential management implementation. Properly structured directory services that follow a zero-trust philosophy, supported by multi-factor authentication, formalized password policies, tiered administrative rights, and defined user permissions and rights, are just a few of the tenets of a solid identity management strategy.
Security Awareness and Training
Hackers commonly utilize social engineering tactics, such as email phishing, to trick untrained employees and gain access to corporate IT systems. Even the most secure infrastructure can easily be compromised by someone clicking on a link in a malicious email or responding to a text message. Basic security training upon hire and reinforced annually (at a minimum) is a terrific way to ensure employees understand their role in keeping the organization secure. Other common ways to improve awareness are performing phishing campaigns, providing self-guided training, and communicating security updates from the IT department regularly.
Endpoint Detection and Response and Logging
Active threat detection products are growing in popularity at the same rate as cyber-attacks. Understanding and addressing unusual activity in your environment is critically important to thwarting an attack. Endpoint Detection and Response (EDR) along with SOC (Security Operations Center) services are a tried-and-true method of making this a reality.
These products are intended to replace traditional anti-virus applications and form part of a well-managed cybersecurity program when properly configured. Centralized logging is a huge asset in identifying and responding to a cyber-attack. The ability to understand where the attack originated and how it moved through an environment is dependent on having trustworthy and up-to-date logging, and is paramount to understanding and addressing the root cause or vector of an attack.
Next Level Security
It is 2022 — cyber threats are numerous and increasing every day.
All companies should be implementing items in the fundamentals section of the security resiliency matrix. Depending on the nature of your business, the sensitivity of the data you produce, and the associated risks, you can make the decision to implement solutions to enhance and enforce security or to further validate and sustain your current efforts.
So, Can Effective Cyber Security Be a Substitute for Cyber Insurance?
It comes down to a business risk decision.
Cyber liability insurance companies understand this and are now requiring policyholders to take active steps to improve their security programs no matter what industry they are in. Many times, these steps include exactly what we have outlined above. Certain businesses may have more sensitive or regulated data, which in turn will require a more complex and multifaceted strategy. As risk increases due to the nature of your business, companies should then look to employ the more advanced security controls found in the security resiliency matrix.
Every organization is different. But realizing that there is no silver bullet and no magic piece of software that can mitigate every potential risk is an important first step. A well-structured liability insurance policy that contains adequate coverage based on your organization’s risk profile is only one component of a well-built and maintained security strategy, and certainly not a substitute for the fundamental controls we have outlined above.