According to Orbis Research, the cyber insurance market is expected to reach $17.55bn by 2023. Ten or fifteen years ago this industry did not exist. Such are the times we live in that there is now money to be made, and lost, on cyber security insurance.
And times are tough. Breaches measured in terabytes are becoming commonplace, and companies report continuous, prolonged attacks, day in, day out: 20% experience attacks daily, a further fifth weekly and a third monthly. What's more, some 57% of companies have reported a data breach as a result of attacks in the last year. That's hard to swallow in a GDPR world.
But it's not surprising when you learn that in Europe two-thirds of companies believe their networks are susceptible to attack. That is now the working assumption, and although companies are spending somewhere between 30 and 40% of their security budgets on new AI-based solutions, they still rely heavily on their security vendor and, unfortunately for some, on manual troubleshooting to keep them safe.
Is it any wonder, then, that they are turning to insurance? Especially given that half of attacks cost between $500,000 and $10m, that the average attack represents $4.6m in losses, and that it takes around £100,000 to win customers back after a breach.
Yet the current Mondelez case highlights that cyber insurance can leave companies with a false sense of coverage. When NotPetya struck it caused hundreds of millions of dollars' worth of damage. But the insurer classed it as an "act of war" rather than an ordinary cyber attack, and refused to pay out under the policy's war-exclusion clause.
Looking at the market as a whole, clauses of this type in effect protect the insurer from highly destructive global attacks. And as nation-state attacks become more prevalent and more effective at stealing both intellectual property (IP) and the data organisations amass on the public at large, there is often enough uncertainty about who was behind an attack to refuse the claim.
In addition, some policies are quite narrow in scope and cover only the costs that follow directly from the loss of customer data, such as credit-check costs and the associated legal bills. They don't cover all the costs incurred, which, as we have already established, can be several times larger and longer-lasting than the direct costs alone.
Sadly, for companies in this position it is likely to take years to fight the case in court and establish whether the policy pays out. So, if you should ever find yourself in that position, what do you do in the meantime? Here's our 9-point checklist.
- Get back to basics and prioritise your own security. Make sure the plan you have doesn't treat security as an add-on. You can no longer wait until you've been hit by an attack to beef it up; it has to be built into the very fabric of your company's foundation. If you do it from the start you are far more likely to build an approach that can be scaled and focused.
- Scaling and automation matter because the threats are always changing and increasingly complex. You cannot leave yourself scrambling to mitigate multiple new threats as they appear. You have to be ready with a solution that can turn up the dial automatically, at a moment's notice.
- Likewise, if you sell products and services, baking security in at conception is paramount to heading off attacks in the future. It is also proving to be a differentiator and a powerful marketing tool: it tells customers they can trust you, and it builds your brand.
- Think about your applications and how important they are to the fabric of your company. They will no doubt be intrinsic to your operations: if they failed, your employees wouldn't be able to work, your suppliers wouldn't be able to get goods to you and your customers wouldn't be able to buy. That's why comprehensive DDoS and application security protection is essential to keep operations running, minimise service degradation and prevent downtime.
- Don't overlook mobile applications as part of this; they are pervasive in modern business and particularly vulnerable. In fact, a quarter of executives say their mobile apps are targeted daily. It doesn't help that managing mobile access to the cloud, whether private, public or hybrid, is still a fine balancing act and a headache for many.
- Related to this is the need to manage permissions better. This holds particularly true for organisations operating in or migrating to public cloud environments, where excessive permissions are the number one threat to cloud-based data. 75% of executives say they regularly see unauthorised access to their cloud environments by employees, a consequence of lax checking of credentials and entitlements. Permissions exist for a reason: grant each role only the access it needs, review those grants regularly, and treat access for anyone who doesn't need it as something that simply can't happen. If you can, put in place a defined access-request process that can't be bypassed, no matter how busy people are.
- Likewise, think about employee behaviour and what you can do to get people thinking securely at all times. Reading a confidential document on the train, tailgating through the entry barrier and using insecure Wi-Fi connections are all habits that need to be eradicated. This can't be emphasised enough. Employers should also educate their staff about common attack methods, such as phishing campaigns and malware, and teach them to be wary of links and downloads from unknown sources. This may sound simplistic, but it is often the reason an incident response team has to get involved.
- Use multi-factor authentication (MFA) across your network. Again, this is low-hanging fruit, but it bears repeating. Requiring MFA may seem like a pain, but it is well worth the effort: without it, a password that has been guessed, cracked or phished is all an attacker needs.
- And, as always, let the security experts handle the criminal experts. As attacks continue to get more complex and more effective, leverage the people with the latest tools and training. Don't hesitate to engage managed security experts in your quest to provide a secure customer experience.
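As an added illustration of the "excessive permissions" point in the checklist (this is not code from the original article), here is a small Python check that flags over-broad Allow statements in an AWS-style IAM policy document. The policy document is constructed for the example, and the rules are a deliberately minimal, hypothetical least-privilege check rather than a complete IAM analyser:

```python
"""Flag over-broad grants in an AWS-style IAM policy document.

Added example for the 'excessive permissions' checklist item; not part of
the original article. SAMPLE_POLICY is constructed for illustration and the
rules below are a minimal hypothetical check, not a full IAM analyser.
"""
import json
from typing import Any

# Constructed sample policy: one tightly scoped statement and two over-broad ones.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {   # read access to one bucket prefix: acceptable
            "Sid": "ReadReports",
            "Effect": "Allow",
            "Action": ["s3:GetObject"],
            "Resource": "arn:aws:s3:::example-reports/*",
        },
        {   # whole-service wildcard on every resource: excessive
            "Sid": "AdminS3",
            "Effect": "Allow",
            "Action": "s3:*",
            "Resource": "*",
        },
        {   # full admin, the classic 'just make it work' grant
            "Sid": "Everything",
            "Effect": "Allow",
            "Action": "*",
            "Resource": "*",
        },
    ],
})


def _as_list(value: Any) -> list:
    """IAM allows Action/Resource/Statement to be a single value or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def find_excessive_grants(policy_json: str) -> list:
    """Return one finding per Allow statement that is broader than it should be.

    Rules (deliberately simple):
      * Action "*" grants every API call; "<service>:*" grants every call in a service.
      * Resource "*" applies the grant to every resource.
      * NotAction combined with Allow grants everything except the listed actions.
    """
    policy = json.loads(policy_json)
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements narrow access; they are not the concern here
        sid = stmt.get("Sid", f"Statement[{idx}]")
        reasons = []
        for action in _as_list(stmt.get("Action")):
            if action == "*":
                reasons.append("Action * grants every API call")
            elif action.endswith(":*"):
                reasons.append(f"Action {action} grants every call in the service")
        if "NotAction" in stmt:
            reasons.append("NotAction with Allow grants everything not listed")
        if "*" in _as_list(stmt.get("Resource")):
            reasons.append("Resource * applies to every resource")
        if reasons:
            findings.append({"sid": sid, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in find_excessive_grants(SAMPLE_POLICY):
        print(f"{finding['sid']}: " + "; ".join(finding["reasons"]))
```

Run against the sample, the check passes the scoped ReadReports statement and reports AdminS3 and Everything. The same function can be pointed at policy documents exported from your cloud account, which is one way of turning "review your permissions" into a step that runs on every change rather than a good intention.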
The security landscape will always change, and the threats with it. But with a checklist like this you can make sure the bases are covered with current techniques, and that the cloud, the apps it runs, and your employees and customers are protected.