Five Essential Cyber Risk Facts
As businesses struggle with embarrassing data breaches, this new normal is spurring better information protection. Costly intrusions have a long-lasting effect, from customer impact to insurance claims and lawsuit exposure.
Insurance professionals need pragmatic context to prepare insureds to handle a data breach — a roadmap to understanding and mitigating cyber risk exposures.
Start with these five facts:
1. Hackers attack for any reason or no reason.
Organizations fail to manage cyber risk because they believe their data simply isn’t worth stealing. Common vandalism is a frequent reason for a cyber attack. Hackers might penetrate a company’s digital defenses solely for a thrill or ego boost.
You don’t need to have lucrative information to be a target; the only prerequisite is having data in the first place.
2. Internal users can be the weakest link.
The Hollywood version of hacking is a computer whiz sitting in a dark room, furiously typing sophisticated codes. In reality, there’s a much easier way: Ask for the passwords.
A well-known method of data theft is impersonating someone within the company who needs confidential information.
Social engineering ploys can be deceptively simple, such as contacting an employee and claiming to be from IT, then soliciting a user’s account information. Or, call the help desk, claiming to be an executive, and exploit the representative’s good nature to gain system access.
Thieves attack the weakest link; sometimes that’s not the computer, but the person sitting at it.
3. Small businesses aren’t safe.
The public is aware of breaches at big companies like Sony and Target. While attacks on smaller businesses won’t generate headlines, they can potentially be more devastating, because smaller organizations are less able to recover.
It doesn’t take a multinational crime syndicate to steal data. It can be as simple as a disgruntled employee sharing access codes online or leaking sensitive emails.
For a small business, the reputational loss from betraying customer trust can be ruinous. While smaller businesses might not be the biggest targets, they are often the most vulnerable.
4. You don’t have a choice.
Legislators reacted to expanding cyber thefts with regulations requiring organizations to better protect customer data containing personal indentifying information (PII). Congress, state legislatures, and agencies like the SEC have promulgated guidelines on how to protect PII.
Companies should not wait for the various bodies to agree on one standard — they should already be doing everything possible to manage information securely.
5. Cyber risk management is everything.
Cyber risk is not a computer issue only, or merely a customer data concern. Its impact must be evaluated from an enterprise risk management perspective. Like anything that threatens an organization’s long-term viability, cyber risk must be managed.
While a number of cyber risk policies are available, there are many non-transfer strategies for managing cyber threats.
While cyber risk is changing constantly, insurance professionals need a pragmatic perspective to cope effectively. Those who take the time to study this field will better protect their organizations and themselves while earning trust from their clients and managers.
Read all of Martin Frappolli’s Risk Insider contributions.