How to Assess the Human Risk in Cyber Security Insurance

By Steven Schwartz | Founder | Global Cyber Consultants, LLC

Security incidents and data breaches pose huge risks for Directors & Officers across almost every industry. For many years, cyber security was siloed, with the primary focus on technology and reliance on the IT department. However, the threat landscape has changed, and personal wealth is now at stake for executive leadership and boards of directors who do not exercise appropriate oversight of their organization’s cyber risks. These risks include data theft or loss, business interruption caused by a computer malfunction or virus, and fines or lost income resulting from system downtime. The Ponemon Institute most recently reported that the average cost of a data breach to a US company is $8.64 million, while the cyber security research firm Cybersecurity Ventures predicts that global annual cybercrime costs will grow to $6 trillion by 2021.

An alarming report recently commissioned by Nasdaq and Tanium, an endpoint security and systems management vendor, states that 90% of corporate executives say they are not prepared to handle a major attack. To protect both corporate and personal assets, business leaders need to approach cyber security in a much more holistic manner. Traditional technical controls, prevention, and detection are simply not enough, and they will leave any organization exposed as it struggles to bridge the gap between growing information security risks and the wider business risks that arise as internal and external stakeholders are increasingly engaged through digital technology. Business leaders must gain a basic understanding of their organization’s cyber risk exposure and drive new cyber security efforts that bring coordination across the entire firm.

The profile of the cyber attacker has evolved: sophisticated crime syndicates and nation states have moved beyond exploiting technological loopholes to exploiting human vulnerabilities for network access. Phishing scams, social engineering, and hacking attempts were noted as the top three attack types to successfully exploit enterprise networks in 2015. These threats brought an 89% increase in the number of phishing email campaigns in the first quarter of 2016 compared to the last quarter of 2015, and roughly 90% of the 300 billion emails sent across the world each day are estimated to be spam.

To protect both corporate and personal assets against cyber risks, business leaders are increasingly turning to Cyber Security Insurance. Often overlooked in organizational security plans and cyber insurance underwriting is the growing threat that employees pose to network security. IBM’s 2015 Cyber Security Intelligence Index revealed that 95% of cyber breaches involve human error. Whether through human error that cyber criminals exploit with social engineering tactics or through malicious insiders, most data breaches originate inside company walls. Human error is inevitable, but it is the company’s responsibility to train its team to identify threats. How do you identify a phishing scheme? Why should you never share your passwords or give them to someone who cold calls you claiming to be from internal IT? It seems simple, but this human-factor vulnerability is the weakest link in cyber security, and today’s training simply is not enough.

The cyber insurance market is still in its infancy and has struggled to underwrite cyber security risks with a limited understanding of what companies need to do to effectively mitigate the human risk. It is widely known that employees are the weakest link in an organization’s cyber security, yet most insurers only ask whether an employee cyber training program is in place, ignoring the more important qualitative aspect of that training. This will soon change as the insurance community looks towards new measures for assessing the human threat to cyber security.

To effectively underwrite cyber risk, insurance companies need to understand that most training programs available today do little to bring about the long-term change in employee behavior that is essential. Failure to use strong access controls, password protection, and even formal employee education can result in a denial of coverage. For too long, cyber security training has been focused on checking a box to meet regulatory requirements rather than adequately addressing the problem. An annual one-hour cyber training course, or perhaps four 20-minute classes spread throughout the year, is simply not enough to make employees care about cyber security. Unfortunately, regulatory guidelines such as the NIST Framework or the FFIEC guidance, and insurance underwriters alike, have yet to fully grasp the effectiveness of engaging, measured, and continuous employee awareness training as a key metric in evaluating an organization’s cyber risk profile. As the importance of employee cyber security training continues to grow, a “Level of Cyber Maturity” for an organization’s employee awareness and training program is not only critical to protecting against security incidents, but also an essential element that insurance underwriters are going to require before affording broad Cyber Insurance and D&O coverage.