- Cyber Insurance
The Knowledge
,
28th April 2023To protect against cyber risk, a layered approach is best
When organisations set out to manage and minimise their cyber security threats, they often focus a lot of their attention on employee training. After all, the vast majority of cyber claims are the result of employee behaviour, such as clicking on a bad link and providing access to sensitive information. A joint study by Stanford University’s Jeff Hancock and security firm Tessian found that 88 percent of data breach incidents are caused by employee mistakes. Similar research from IBM Security puts the number even higher, at 95 percent.[1]
But the problem is that training employees to spot a bad link or report a suspected breach often does not work. As a recent blog from the National Cyber Security Centre (NCSC) indicates, employees frequently need to click on links from unfamiliar sources in order to do their job.[2] Further, it’s too easy for a busy employee to slip up – and it only takes one person to fall for a phishing scam to grant access to a threat actor who attacks the network. Fear of punishment or stigma around reporting a suspected cyber breach can prevent a person from alerting others to it right away, delaying the response when prompt action might have minimised the damage.
New attacks need sophisticated protections
That’s why we urge brokers to help their clients manage cyber risk from multiple angles.
To be sure, employee training is important and must evolve in step with the threats. Not so long ago, attempted cyberattacks were much easier to spot – threat actors’ emails contained misspellings or wonky-looking links and logos. That’s not the case anymore as cyber attackers have put more effort into both making their communications feel more genuine and getting the attack right.
Right now, one of the more prevalent attacks we’re observing is the “man in the middle attack,” in which the threat actor positions himself between the user and the application. It feels like a normal exchange but makes it possible for the person to take login credentials from a website and steal financial information.
The nature of attacks continues to change too. While the NCSC has found ransomware to be the UK’s top cyber threat, the increase in ransomware cases last year was not as steep as it was in prior years. Social engineering attacks, meanwhile, are gaining momentum and multiplying in variety. Perhaps this is because insureds are providing enough training to help their employees thwart ransomware attacks, or perhaps it has become easier to spot these attacks and threat actors are trying new approaches.
For organisations to keep pace with the evolving threats, they must train employees on an ongoing basis to help them understand best cyber security practices. This cannot be a one-and-done exercise that an employee completes during their onboarding process but rarely thereafter.
But employee training cannot be an organisation’s main line of defence. It must be married with technology-based protections that act as a safety net to minimise the impact of an attack.
Help clients weave a tech-based safety net
One of our key requirements for obtaining cover at Travelers is multifactor authentication (MFA). Increasingly, this has also become a requirement across the market as a whole. Even if an employee’s login details are compromised, their organisation’s network is not as easy to exploit if MFA is in place.
Beyond MFA, we like to see protections like antivirus software, up-to-date firewalls, email filtering and endpoint defence. These tools can help detect, sequester and delete malicious code that can harm a device; protect a network from unauthorised access; and filter out viruses or malware before a person ever receives them in an email. These additional protections can help humans share the responsibility of risk detection with technology – and encourage threat actors to move on to easier targets.
Of course, the practicality of various protections can vary depending on the size of the organisation. What’s most important is to have a layered approach to security and to regularly review and test that approach. Ongoing tests of incident response and disaster recovery plans may reveal vulnerabilities that can be managed. Not only can these tests fortify an organisation’s protection in case of a real-life cyber breach, but they can also help ensure employees avoid a panicked response to an attack.
By helping your clients take this approach, they can avoid being low-hanging fruit for threat actors. Certainly, employees should know that a cyberattack can happen, as well as what they must do as soon possible if one occurs. Technology protections should also provide important backup security that can help an organisation better manage an attack and get back to business with minimal interruption.
There is no silver bullet when it comes to cyber protection. Only a layered approach has the best chance of deterring threat actors. You can be part of the solution for your clients by helping them become more frustrating targets.
Chris McMurray is Cyber Lead at Travelers Europe.
[1] https://securitytoday.com/articles/2022/07/30/just-why-are-so-many-cyber-breaches-due-to-human-error.aspx
[2] https://www.ncsc.gov.uk/blog-post/telling-users-to-avoid-clicking-bad-links-still-isnt-working
