By Allen Blount
Your organization’s cyber maturity is a primary factor in determining insurability, coverage amounts, and pricing. A cyber-aware workforce and multi-factor authentication have become table stakes. Without these safeguards, your likelihood of getting a cyber policy is negligible.
Given the ongoing threat of ransomware and other expensive cybercrime, organizations that want the best cyber insurance coverage and pricing will need to demonstrate best practices beyond mere compliance training. As we head into 2023, it’s safe to expect that insurers will request additional security measures and documentation as part of the underwriting process. Here are five opportunities to strengthen your defenses:
1. Expand endpoint security planning
Hackers will find clever new ways to infiltrate your network through endpoint devices. With edge computing and the proliferation of smart devices that connect to company resources, endpoint security has become exponentially more complex. Medical devices, fire alarms, and other equipment not typically owned by IT now require cybersecurity protocols.
2. Examine the software/platform/infrastructure as-a-service products you rely on
Though SaaS, PaaS, IaaS, and other as-a-service offerings provide convenience and cost-savings, they complicate your security planning and increase systemic risk potential. Have you established a service-level agreement with each provider regarding cybersecurity? No matter what security promises you receive from a vendor, your organization bears ultimate responsibility for protecting data and meeting customer needs. If a breach occurs in a vendor’s network, your customers expect you to have a Plan B.
3. Pause training at your own peril
Employers who are belt-tightening due to the economy often view training as discretionary spending, as opposed to a necessary investment. But people are your first line of defense against cyber threats, and insurers expect your workforce to practice good security hygiene and know what danger signals to watch for.
Additionally, those involved in software development, IT ops, data pipeline management, and other specialty roles need in-depth knowledge of how to spot and correct vulnerabilities. For example, many software development teams are shipping code today with security vulnerabilities. Does your organization include security protocols when defining software requirements? Have you implemented secure coding best practices and trained your teams on these? Are you monitoring compliance to make sure all developers are adhering to the coding standards you’ve established?
4. Look at corporate culture and compensation through a cyber lens
Some executives reward product development speed in a way that compromises cybersecurity. If their bonus depends on getting a new feature to market by a specific date, what prevents them from taking security shortcuts?
If you measure software developers’ performance based on the number of tickets or story points, do they have incentive to focus on cybersecurity?
You need to audit your business to identify practices that may be creating inadvertent cyber risk.
5. Consider the impact of layoffs on cybersecurity
A reduction in force — within your company or at a vendor you use — can open the door to multiple cyber risks. People with institutional knowledge of vulnerabilities can use that information to harm an employer. Handling a layoff poorly, with inadequate notice and impersonal communication, can leave you (or a vendor) with a disgruntled workforce. One upset employee can bring your system down.
The surviving workforce, which is now shouldering a heavier workload, may be tired. Fatigue can lead to human error and oversights, such as failing to monitor open ports or clicking on a malicious link.
If heavy layoffs take place in a compressed timeframe, certain job tasks may sit completely neglected, including those related to security monitoring.
Hackers watch for signs of internal turmoil, and they will pounce on your vulnerabilities. If you’re busy quelling a media firestorm, are you paying adequate attention to your cyber defenses?
From a compliance mindset to a security culture
As authorities crack down on one type of cybercrime, bad actors find new ways to infiltrate your network. Because the human imagination is limitless, the cyber threat landscape will continue to expand and morph.
Instead of viewing security as a checkbox and implementing bare minimum defensive activities, you will need to do more in 2023 to qualify for the best cyber insurance rates and provisions. Together, we can talk through what a security culture looks like and how to get from where you are today to a state of cyber-resilience.