Have You Reviewed Your Cybersecurity Insurance Policy?

Coverage Loopholes

Cybersecurity rates are increasing while coverage is decreasing. Per the Wall Street Journal, “Direct-written premiums collected by the largest U.S. insurance carriers in 2021 swelled by 92% year-over-year”. Most of the increase is due to the sophistication of the attacks, higher ransomware payment demands, and the number of attacks. The State of Ransomware 2021 global survey (per Sophos) includes the following chilling facts:

  • The average cost of remediating a ransomware attack more than doubled in the last 12 months. Remediation costs, including business downtime, lost orders, operational costs, and more, grew from an average of $761,106 in 2020 to $1.85 million in 2021. This means that the average cost of recovering from a ransomware attack is now, on average, ten times the size of the ransom payment.
  • The average ransom paid was $170,404. While $3.2 million was the highest paid out of those surveyed, the most common payment was $10,000. Ten organizations paid ransoms of $1 million or more.
  • The number of organizations paying ransom increased from 26% in 2020 to 32% in 2021, although fewer than one in 10 (8%) managed to get back all their data.

All this bad news translates into higher cybersecurity insurance premiums for your organization.

Steps you can take to get the most value out of your cybersecurity insurance

Review your cybersecurity posture – take a self-assessment against the CIS Critical Security Controls (CIS Controls). Seeing how your organization ranks against each control provides a snapshot of the areas to improve before obtaining or renewing your cybersecurity policy. If you aren’t sure where to start with the assessment or need help implementing improvements, Dewpoint’s cybersecurity experts are here to assist.

Review your data – the more highly sensitive data your organization holds, the greater the risk. Taking the simple step of reviewing your data can reduce your premium. Determine whether you need the data to conduct your business, and review the best way to safeguard it through additional security controls and by limiting access to the employees who need it. If you need to print the information, make sure the paper is kept in a locked cabinet in a locked office and is securely destroyed when no longer needed. If it is all digital, use encryption for email and limit file-sharing capabilities.

Review your policy for loopholes – most insurance policies do not cover “an act of war.” If a ransomware attack occurs as a consequence of the current Russian invasion of Ukraine, would you be covered? Given the uncertainty in our world, it is an excellent question to ask your provider, along with how the policy defines “war.”

What’s Next?

Navigating through the cybersecurity insurance maze can be a daunting task. Dewpoint can help by starting with an assessment to identify gaps in your current environment and recommendations to reduce those gaps. Organizations with poor security controls may be uninsurable or unable to afford a policy if available. Reach out to one of our security experts to help you get the most value out of your cybersecurity insurance and increase your overall security posture.

Why the Human Factor is Still the Most Important Part of IT Security

The human factor weakness

Regardless of the number of tools, software, and processes you implement, cybersecurity has one major weakness – the human factor. Per Gartner, recent industry research shows that “22% of all breaches involved phishing, attackers leveraging stolen credentials accounted for 37% of all breaches, human error accounted for 22% of all breaches, and 30% of all breaches involved insiders”. Continuous monitoring and improvement are the keys to ensuring the human factor is no longer the most significant obstacle to an effective threat prevention strategy.

Tips to reduce the human factor

Below are some tips to turn your weakest link into your strongest in the cybersecurity fight.

Keep IT simple

The more complex you make IT security for your end users, the more workarounds they will find. By now, most organizations have implemented a password policy requiring 10+ characters with a combination of letters, symbols, and numbers. The longer and more complex the required password, the more likely an employee writes it down or reuses a password from another system. Think about how you can make it easier. Deploying multi-factor authentication (MFA) or two-factor authentication (2FA) may let your organization simplify the password requirements while adding a layer of security.

Trust no-one

“We are like family” – many organizations get caught up in the belief that employees ‘love’ the company and would never do anything to harm it. Due to financial stress, a change in politics, or unforeseen circumstances, even the ‘best’ employee can be tempted to divulge company secrets or allow a ‘hacker’ to gain access. You can reduce exposure by implementing a zero-trust policy, where you trust no one by default and limit all users to minimal access – only enough to perform their jobs. Another option is to employ a privileged access management (PAM) tool to restrict access to sensitive accounts. Finally, make sure your organization has automated monitoring that alerts you if your systems are attacked from the inside. The sooner you find out about an attack, the more you can limit the damage.

It’s All About Education

Security awareness training should be more than a yearly task that employees need to complete. It should be ingrained into their everyday routines. Think about increasing or changing the training. Although computerized classes have become the norm, your employees may just be “clicking through” to get to the end. A few in-person sessions with small groups to talk about the latest threats and reinforce how important they are as the frontline defense will make more of an impact. In addition, include testing as part of your overall IT security awareness education. Periodically send out “fake” emails to judge whether employees apply what they learn. Finally, ensure your employees know who to contact in case of a ransomware attack, know the protocols to follow, and aren’t afraid to report an incident. Don’t assume they know what to do.

How to improve your Human Factor

Making your organization’s cybersecurity ‘human proof’ starts with understanding where you are today. Dewpoint can help by evaluating your current organization and making recommendations to improve your overall security posture. As a technology company, we understand the software and tools that may help take the “human factor” out of the equation. Furthermore, we partner with cybersecurity training leaders and also provide individual training sessions. Contact us today.