Cyber Insurance's Achilles' Heel

Cyber insurance is a specialized product designed to cover losses that stem from cyber attacks: data breaches, network outages, business interruption and the response costs that follow them. Like any other for-profit business, insurers do not want to lose money. Yet despite their best efforts, they are regularly forced to make hefty payouts. Why? The question matters, because insurers already encourage their customers to take proper protective measures.

Many competent insurers reward companies that minimize their risk of a cyber breach by doing two things:

  1. Offering better coverage at no additional cost to enterprises that have adequate preventive measures in place
  2. Lowering premiums for organizations that demonstrate high levels of self-protection

Insurers realize that when companies lose money to a cyber incident, they lose big. An IBM-sponsored study by the Ponemon Institute puts the average cost of a single data breach for a U.S. company at about $8.64 million.

Perhaps the insured are not adopting the preventive measures that actually work. Many companies spend thousands of dollars in an attempt to ensure adequate cyber protection, but the money goes almost entirely into technical controls such as firewalls and intrusion detection systems. The greatest problem facing companies, though, is human nature, and a firewall does nothing to address that.

By one widely cited estimate, 95 percent of breaches involve human error, which makes the lack of effective cybersecurity awareness training the Achilles' heel of cyber insurers. Like Achilles in the myth, an otherwise strong organization can be brought down through a single unprotected weakness. A breach incurs direct financial costs, but it also damages a company's brand and its relationships with customers.

Attackers keep finding new and increasingly effective ways of breaching company networks, and many of these techniques depend on employees not knowing what to look for. Companies can raise their level of protection by training employees properly, but the coursework has to be effective enough to change habits that would otherwise work against them.

The workers in your organization, like all humans, respond to dopamine, a neurotransmitter associated with reward and with the anticipation of reward. That response can lead them into risky actions, because the immediate pull of curiosity outweighs a consequence that is abstract and delayed.

Each time your employees see an email attachment, they are tempted to open it, especially when the file name or subject line evokes curiosity or urgency, such as an unexpected invoice, a shipping notice or an HR matter. This is what cyber criminals are banking on. Many of their attacks rest on the poor judgment of your employees: the attacker does not expect them to resist the malware-laden bait, and unless you have adopted proper training techniques, that assumption pays off.

For cyber insurers to have fewer claims to pay, they must push companies to adopt better cybersecurity awareness training. The training cannot be patterned after the run-of-the-mill annual coursework of the past. Instead, it should be designed around the way the human mind actually works, which means it should be short, impactful and frequent.

To reward companies that carry lower risk, insurers can offer discounts to customers who show measurable improvement in employee awareness and preparation, not just protective technology. Companies can offer proof of that improvement by assessing the current knowledge level of their workers to establish a baseline and then periodically conducting comparative assessments. Simulated phishing campaigns are a practical way to do this: tracking how many employees click a lure versus how many report it, over time, gives both the company and the insurer a trend rather than a one-off score.

Poor employee education does not have to remain the Achilles’ heel of cyber insurers.