Airmic

Why people risk should be at the heart of cyber security

Insurance is critical for mitigating the impact of cyber attacks, but prevention must start with employees. Adeola Adele and Glyn Thoms of Willis Towers Watson, argue that risk managers must work with HR to ensure that skills, training and resources are a company's strongest cyber defence.

In May this year, a large-scale cyber attack utilising a powerful strain of malware known as "WannaCry" took advantage of a flaw in the operating system of Windows-based computers across a number of industries. The ransomware causes end-user frustration by encrypting any infected machine and making it unusable until the owner pays a ransom using the digital currency, Bitcoin.

This type of attack, if not addressed quickly and effectively, can have far-reaching consequences to an organisation's net income, network functionality and critical data. So, what steps should organisations take to protect themselves against future potential breaches and associated losses?

Insurance key to protecting balance sheet

Having suitable cyber insurance coverage in place is central in managing cyber risk and protecting an organisation's balance sheet. In addition to cyber liability insurance policies, there may be some coverage under kidnap and ransom or property policies. Protection may also be available for the cost of legal counsel, computer forensics, data restoration, business interruption and the ransom itself.

If you discover that your company has succumbed to a breach, you should consider the following first steps:

  • Most policies require notification to the insurer as soon as practicable or within a set period of time, and also require consent before engaging outside vendors or incurring expense. It is therefore imperative to address this step immediately upon discovery of an attack, as well as consulting with law enforcement and legal counsel on whether you should pay the ransom;
  • Validate the cause, and analyse the scope of a breach. Is it caused by hacking or a negligent employee?
  • Gather your incident response team (e.g. management, legal, IT, PR) to form an action plan;
  • Notify your employees, customers and your local data protection regulator; but only communicate what you know to be factually correct. Use your response team to have open lines of communication to deal with employee and customer enquiries.

In terms of future protection, technology providers recommend the following steps to mitigate exposure to your organisation's network systems:

  • Focus on patch and antivirus updates: ensure your antivirus and anti-spam filters are current. Most of the credible antivirus/antispam providers have already updated their systems to detect and prevent this malware, but because variations are emerging, it is difficult for providers to stay current with real-time fixes;
  • Ensure security updates are current for Microsoft and other operating systems.

Insurance risk managers have led - and continue to lead - the charge in managing cyber risk for their organisations and have made major strides in bringing their chief information and security officers (CISOs or CIOs) along in understanding the critical role that cyber insurance and effective technology controls play in managing the risk.

That said, if we consider that WannaCry was likely enabled through a phishing email, i.e. an employee had to click on an "infected" link, such as a malicious Microsoft Word file, to enable the ransomware, even the most robust of IT systems cannot protect you from people risk.

Employees are the weakest link in cybersecurity strategies

Recent Willis Towers Watson's cyber insurance claims data show that two-thirds of incidents are the direct result of employee behavior - for example, negligence leading to lost devices and malicious insiders seeking to profit from corporate espionage. When analysing the other 33% of incidents, a large portion can ultimately be traced back to additional human factors such as talent shortage, skill deficits and employee engagement.

Given these results, in order to drive a culture that creates cyber smart employees, organisations' human resources professionals and the chief human resources officer (CHRO), or equivalent, must be brought more prominently into the conversation to help identify deficiencies in talent and skills within critical roles - including within IT departments - that may be creating vulnerabilities.

To effectively manage people risk and make employees the strongest defence when it comes to cyber exposure, risk managers and CHROs should work together to evaluate organisation culture (e.g., training, leadership, rewards) and talent or skills deficiency issues that can increase cyber risk.

Some points to consider include:

  • Establishing how HR can help risk managers better understand the employee-related governance and procedures (e.g., employee training, social media policies) in place for managing risk. Equally, risk managers can help HR better understand insurance limits, retentions, and why insurance underwriters request certain employee-related information (e.g., frequency of training, bring-your-own-device policies) in the insurance application process;
  • Assessing whether your organisation's IT department has sufficient talent and skills needed in today's environment to effectively be prepared to handle these emerging threats. In the case of WannaCry, companies that have been impacted should ask themselves why the patch that Microsoft made available was not installed in a timely manner. Was the lag in installation a talent or employee engagement issue?
  • Increasing the level and regularity of cyber risk awareness training in your organisation. It is important that employees are trained to review emails closely to ensure they are from trusted and known senders before opening them or clicking on links. Ultimately, it is key to evaluate whether your organisation's culture is supportive of cyber-awareness and action-oriented behaviours. For example, do leaders model positive behaviours that encourage employees to do the same, and do employees truly know what actions to take to report a cyber incident?

Recent findings from a Willis Towers Watson Cyber Pulse Survey found that two-thirds of UK companies believe they are "highly protected" and can adequately react to threats, but low "cyber IQ" among employees poses a threat. 76% of companies in the UK and US reported that they have improved their technology system and infrastructure over the last three years; evidence that companies around the world are focusing the vast majority of their time, resources, and budget on cyber protection technology.

While critical to protecting the enterprise, technology is only one piece of the solution. Organisations need a fully integrated, comprehensive plan that emphasises people, capital and technology protections to effectively manage cyber risk across the enterprise and ensure resiliency.

Adeola Adele works in the Willis Towers Watson cyber team in the USA. She is director of integrated solutions and thought leadership (global).

Glyn Thoms is executive director of cyber in the Willis Towers Watson UK office.