Insurance is critical for mitigating the impact of cyber attacks, but prevention must start with employees. Adeola Adele and Glyn Thoms of Willis Towers Watson argue that risk managers must work with HR to ensure that skills, training and resources are a company's strongest cyber defence.
In May this year, a large-scale cyber attack using a powerful strain of malware known as "WannaCry" took advantage of a flaw in the operating system of Windows-based computers across a number of industries. The ransomware encrypts the data on any infected machine, making it unusable until the owner pays a ransom in the digital currency Bitcoin.
This type of attack, if not addressed quickly and effectively, can have far-reaching consequences for an organisation's net income, network functionality and critical data. So, what steps should organisations take to protect themselves against future breaches and the associated losses?
Insurance key to protecting balance sheet
Having suitable cyber insurance coverage in place is central in managing cyber risk and protecting an organisation's balance sheet. In addition to cyber liability insurance policies, there may be some coverage under kidnap and ransom or property policies. Protection may also be available for the cost of legal counsel, computer forensics, data restoration, business interruption and the ransom itself.
If you discover that your company has succumbed to a breach, you should consider the following first steps:
In terms of future protection, technology providers recommend the following steps to mitigate exposure to your organisation's network systems:
Insurance risk managers have led - and continue to lead - the charge in managing cyber risk for their organisations, and have made major strides in bringing their chief information officers and chief information security officers (CIOs and CISOs) along in understanding the critical role that cyber insurance and effective technology controls play in managing the risk.
That said, if we consider that WannaCry was likely enabled through a phishing email (an employee had to click on an "infected" link or attachment, such as a malicious Microsoft Word file, to trigger the ransomware), then even the most robust IT systems cannot protect you from people risk.
Employees are the weakest link in cybersecurity strategies
Recent Willis Towers Watson cyber insurance claims data show that two-thirds of incidents are the direct result of employee behaviour - for example, negligence leading to lost devices, or malicious insiders seeking to profit from corporate espionage. When analysing the other 33% of incidents, a large portion can ultimately be traced back to additional human factors such as talent shortages, skill deficits and low employee engagement.
Given these results, in order to drive a culture that creates cyber smart employees, organisations' human resources professionals and the chief human resources officer (CHRO), or equivalent, must be brought more prominently into the conversation to help identify deficiencies in talent and skills within critical roles - including within IT departments - that may be creating vulnerabilities.
To effectively manage people risk and make employees the strongest defence when it comes to cyber exposure, risk managers and CHROs should work together to evaluate organisation culture (e.g., training, leadership, rewards) and talent or skills deficiency issues that can increase cyber risk.
Some points to consider include:
A recent Willis Towers Watson Cyber Pulse Survey found that two-thirds of UK companies believe they are "highly protected" and can react adequately to threats, but that low "cyber IQ" among employees poses a threat. 76% of companies in the UK and US reported that they have improved their technology systems and infrastructure over the last three years, evidence that companies around the world are focusing the vast majority of their time, resources and budget on cyber protection technology.
While critical to protecting the enterprise, technology is only one piece of the solution. Organisations need a fully integrated, comprehensive plan that emphasises people, capital and technology protections to effectively manage cyber risk across the enterprise and ensure resiliency.
Adeola Adele works in the Willis Towers Watson cyber team in the USA. She is director of integrated solutions and thought leadership (global).
Glyn Thoms is executive director of cyber in the Willis Towers Watson UK office.