One of the greatest challenges for managing cybersecurity is the fact that the threat landscape is constantly evolving. Last year’s (even last month’s) solutions may no longer be wholly effective. The shift to remote/hybrid work in the wake of the global pandemic makes cybersecurity more complex and yet more essential than ever. This is especially true for companies that scrambled to get employees working at the height of the crisis. Many of these have not circled back to address the vulnerabilities such emergency measures may have introduced.
Additionally, with escalating tensions between the United States and nations well-versed in cyber warfare, we can expect to see new, more aggressive malware. While insurance businesses, especially small to medium-sized ones, may not be the primary targets of such attacks, past experience shows that viruses and ransomware can quickly spread far beyond their original targets. Furthermore, once the code is “out in the wild,” cybercriminals can reverse-engineer and re-deploy it.
With this threat landscape in mind, let’s look at some DOs and DON’Ts for 2022.
DON’T Think It Can’t Happen to You
Depending on whose research you look at, somewhere from 43% to 70% of cybercriminals specifically target small and medium-sized businesses, which are perceived as easier prey. Also, would-be hackers can go online and purchase ready-to-use computer code for as little as $50. This low “cost of entry” means that even a small business can be a profitable target for a cyberattack.
Smaller companies often are less able to weather a cyber event. Today, a single claim can easily run through a company’s cyber liability coverage limit. Additionally, the reputational harm for a smaller agency or insurance company can be greater because of the closer relationships they often have with policyholders.
DO Create a Culture of Cybersecurity
Traditionally, cybersecurity was an IT issue. Modern information security regulations, however, ensure that individuals at every level of an organization have a role in promoting best practices – from the board room to the newest intern. Employee training needs to begin on Day 1 as part of the onboarding process for new hires. HR personnel and trainers can begin by explaining how job responsibilities determine employees’ levels of access and build from there. Don’t assume that “experienced” workers will know what to do, either. Remember, every company’s security needs and systems are different.
When designing an employee training program to promote cyber awareness, make clear the consequences for clients, the company, and individuals if an event occurs. Don’t exaggerate the risks, however. This approach can desensitize workers to very real hazards. While regulations mandate yearly training, sitting your entire team down to watch an Internet video is a less-than-ideal approach. Broad-focused, infrequent training isn’t likely to stick with workers or significantly change their online behavior. Instead, opt for more targeted sessions spread throughout the year. This allows for reinforcement of past learning and provides an opportunity to update materials to address current threats.
Finally, train — don’t shame. All behavior modification works best when it leverages positive reinforcement. When employees fear being ridiculed for falling prey to a cyberattack, they’re more likely to hide evidence of a breach. That allows threats to go undetected for a longer period and thus do more damage.
DO Start with a Thorough Risk Assessment
While there are lots of fill-in-the-blank Information Security Programs available online, your ISP must reflect your organization’s needs and resources. Otherwise, you risk leaving gaps in your defenses or spending time and money on things you don’t really need at this point. Always begin by mapping your information system and its contents. Describe hardware (including physical barriers and surveillance systems), software (both installed and cloud-based), data assets, and access needs.
Once you have an accurate map, determine your organization’s risk tolerance. Absolute security is unattainable. Instead, stakeholders need to agree on what level of risk they can live with. Regulations influence this decision, obviously, but they don’t prescribe acceptable risk. They do, however, ease tensions between IT professionals and leaders, who often butt heads over this decision. Ultimately, final decisions about risk tolerance and mitigation measures lie with executives, and they bear the consequences of those decisions.
Finally, identify and prioritize threats. Start by identifying your key business processes; then determine what hardware, software, and data are required to complete them. Remember, too, that information has a supply chain, just like any physical asset.
DO Secure Remote Devices
Remote work is here to stay, so an ISP needs to address this situation in a formal way. Ideally, companies should provide hardware, software, and secure network access for all remote workers. That allows the business to control what’s on the devices and how they are used.
If the budget won’t run to this, treat employee-owned devices the same as company hardware. Include them on your hardware map and subject them to the same assessments and inspections as any company-owned device. Remember that even when an employee follows best practices, other family members who share access can introduce vulnerabilities.
DON’T Allow DIY IT
We live in an age when employees who have a “need” can go online and download a free app that meets that need. That’s wonderful in personal life, but can be problematic in the workplace. Such apps and the sites that host them can expose visitors to all types of malware. At a minimum, you’re introducing an unknown variable into your information system. You can also find yourself on spam lists, which can be a channel for phishing attacks. Furthermore, free apps are often intended for personal use only. Using them for business purposes may violate the terms and conditions of use.
If you do allow users to “customize” their systems, have an approval process in place. This allows individuals overseeing the ISP to create accurate system maps. They can also notify users of potential threats associated with certain apps or sites.
DO Set Appropriate Access Levels
Access control is fundamental to your cybersecurity plan. You have to know WHO is working with WHAT data WHEN to trace cybersecurity issues to their source. Access should be based on each employee’s information needs and should be updated immediately if their work responsibilities change. It should also reflect the value of the data. The more important it is that information be correct or kept confidential, the better it is to restrict access.
Don’t overdo it, though. Remember, when cybersecurity measures prevent access to information people need to do their jobs, they start looking for ways to circumvent them. Also, don’t overlook physical access controls. Sophisticated encryption does no good if anyone can walk into an office space and see what employees are doing.
DON’T Overlook the Value of Supervision
While “walking around” supervision isn’t practical in the new hybrid workplace, there are ways to monitor employees’ activity. Workers may find this kind of monitoring intrusive or “creepy” at first, but if employers use it appropriately, it quickly becomes invisible.
Know what team members are doing and how they engage with technology in their day-to-day work lives. Get to know who has too much free time and thus may be tempted to start “exploring” information systems. Also, identify employees under financial or emotional stress who may become desperate enough to act against the company’s best interests.
DO Know What Your Cyber Insurance Covers
Cyber liability insurance is a relatively new product and underwriting standards are changing rapidly. Many policyholders (and even some brokers) are a little fuzzy on what it does, doesn’t, or might cover. Additionally, specialty products such as ransomware insurance and cyber E&O are now available. Make sure policies address both first-party and third-party losses and understand policies’ “due care” standards.
Finally, mind the “Silent Cyber” gap. High losses have many carriers reducing or eliminating their exposure under policies not specifically intended to cover cyber risks. Losses covered in the past may not be covered in the future. Businesses counting on such coverages to fund their response and recovery may be in for a shock.
DON’T Think You Have to Do It Alone
While companies retain ultimate responsibility for their compliance with cybersecurity regulations and to the consumers who rely on them, that doesn’t mean every element of the ISP must be handled in-house. In fact, getting an outsider’s perspective can result in a more effective program. A wide range of roles and responsibilities, from CISO to system monitoring to incident investigation and response to notifications, can be outsourced.
Make sure the vendor you choose is reputable and provides regular updates about their activities. Remember, if a deal seems too good to be true, it probably is. Ask industry colleagues for recommendations. Cyber insurance providers may also recommend resources to mitigate or manage risk.
Looking for Help with Cybersecurity?
Be sure to visit ILSA’s Cybersecurity page. We provide a wealth of information about current regulatory requirements and how to meet them.
This article is based on a presentation made at the SILA Texas Chapter Meeting on March 9, 2022. My thanks go to Diana Capes and everyone at SILA for their ongoing commitment to this important area of regulatory compliance.