The fear of experiencing a cyberattack is rightfully keeping business owners up at night. A cyberattack would not only give your security team a headache, but could also have profound and irreversible financial implications for your business. In fact, according to a report by IBM and the Ponemon Institute, the average cost of a data breach in the U.S. is over $8 million. And with 30% of companies expected to experience a breach within 24 months, it’s no surprise that businesses are seeking coverage. The problem, however, is that businesses and insurance companies alike are still grappling with exactly what is and is not covered when a cyber event occurs.
Some businesses are learning this the hard way
Recently, a phishing campaign successfully stole the credentials of an employee at a rent-servicing company that allows tenants to pay their rent online. The phishers used the employee’s credentials to take $10 million in rent money that the company owed to landlords. The company had a crime insurance policy that covered losses “resulting directly from the use of any computer to fraudulently cause a transfer,” but soon found out its claim was denied. Among the reasons the insurer gave for denying the claim was that, because the stolen funds were owed to landlords, the company did not technically suffer any first-party losses, and the losses were therefore not covered by the insurance policy.
In another case, the pharmaceutical company Merck found itself the victim of a ransomware attack that shut down more than 30,000 of its computers and 7,500 servers. The attack took weeks to resolve, and Merck is now claiming $1.3 billion in losses that it believes should be covered by its property policy. The problem, however, is that the attack on Merck was actually a by-product of a malware campaign that the Russian government was waging against Ukraine, which happened to spread to companies in other countries. The insurer therefore denied the claim, stating that its property coverage excludes any incident considered an “act of war.”
Silence is Deadly
The Merck example above also illustrates the concept of “silent,” or “non-affirmative,” cyber. Basically, these are standard insurance lines, like property or crime, in which cyber acts have not been specifically included or excluded. Merck filed its claims against the property policy because it sustained data loss, system loss and business interruption losses. Silent cyber is difficult for a carrier to respond to (which is why the carrier in this case is looking to the war and terrorism exclusion to deny coverage) and even more challenging to account for. That’s one reason both carriers and businesses are looking to standalone cyber insurance, which provides both the insured and the carrier with a lot more clarity as to what is covered. (Although carriers can still deny coverage in situations where the attestations made up front about the quality of security do not measure up at claim time.)
Predicting the Unpredictable
It’s commonly said that insurers will do anything to avoid paying out claims, but the issue with cyber insurance coverage goes much deeper. The problem centers around a number of uncertainties involved in categorizing and quantifying cyber risk that make comprehensive policy writing a near impossible task. For one, cyber insurance is a new market dealing with a relatively new problem. There are therefore not as many data points for insurers to accurately quantify risk as there are for long-standing forms of insurance.
The real problem, however, is that cyber incidents are extremely difficult to predict and reliably account for. Whereas health and natural disaster policies, for example, are based on scientific modeling that allows for a certain degree of stability in risk factors, it is much harder for insurance companies to predict when, where, and how a cyber attack might happen. Even Warren Buffett told investors that anyone who says they have a firm grasp on cyber risk “is kidding themselves.”
Reading the Fine Print
It’s important to understand that, despite the relatively unpredictable nature of cyber incidents, there are plenty of steps businesses can and should take to understand and mitigate their risk profile. Organizations with robust risk management practices can significantly reduce their vulnerability, and a strong security posture goes a long way towards minimizing their risks and providing a strong defense when a claim arises.
Unfortunately, this puts a lot of the responsibility on individual businesses when evaluating their cyber exposures and the insurance coverages which might be available to respond. A good insurance broker who has expertise in cyber is essential. Much like the threat landscape, cyber insurance coverage is constantly evolving, and it is up to all parties, from businesses to carriers, to keep up.
Remember the sales contest from the movie, Glengarry Glen Ross?
“First prize is a Cadillac Eldorado…. Third prize is you’re fired.”
We seem to think that, in order to motivate people, we need both a carrot and a stick. Reward or punishment. And yet, if we want people to change behaviors on a sustained basis, there’s only one method that works: the carrot.
One core concept I learned while applying behavior-design practices to cyber security awareness programming was that, if you want sustained behavior change (such as reducing phish susceptibility), you need to design behaviors that make people feel positive about themselves.
The importance of positive reinforcement is one of the main components of the model developed by BJ Fogg, the founder and director of Stanford’s Behavior Design Lab. Fogg discovered that behavior happens when three elements – motivation, ability, and a prompt – come together at the same moment. If any element is missing, behavior won’t occur.
I worked in collaboration with one of Fogg’s behavior-design consulting groups to bring these principles to cyber security awareness. We found that, in order to change digital behaviors and enhance a healthy cyber security posture, you need to help people feel successful. And you need the behavior to be easy to do, because you cannot assume the employee’s motivation is high.
Our program is therefore based on positive reinforcement when a user correctly reports a phish and is combined with daily exposure to cyber security awareness concepts through interactive lessons that only take 4 minutes a day.
The upshot is behavior-design concepts like these will not only help drive change for better cyber security awareness; they can drive change for all of your other risk management programs too.
There are many facets to the behavior design process, but if you focus on these two things (BJ Fogg’s Maxims) your risk management program stands to be in a better position to drive the type of change you’re looking for:
1) help people feel good about themselves and their work
2) promote behaviors that they’ll actually want to do
At this point, many companies have instituted work at home policies. And, assuming that the organizations have taken the right steps to secure their remote workers and increase their bandwidth to handle the increased loads and redundancies, business can get back to the new normal, correct?
Not quite. The key to managing remotely is communication. And I’m not talking about emails from the company referencing COVID-19. I’m talking about ongoing communication that keeps the staff engaged, strengthens the culture and overcomes isolation.
There are many ways to do this. Here are a few you can do right away.
Daily virtual standup meetings. Have your teams jump on a video call at the same time each day for a quick chat about what went well and what blockers have come up since the prior day’s call. Make it video so people can see each other, which improves the socialization aspect of the meeting.
Catch them doing something good. Each day, call out someone for doing something well, especially if it involves helping clients or each other. Support is now a key differentiator and it should be rewarded.
Conduct white-hat phishing exercises. Phishing hasn’t gone away. In fact, COVID-19 has given the bad guys something else to use as a lure. Keep your team digitally aware by running phishing simulations, but let them know you are doing it and reward them for any phish they report. That way you both sensitize the team to be on the lookout for suspicious emails and keep them positively engaged at the same time.
Step up security training for privileged users. With the changes to network access and perhaps the installation of additional technologies to support remote access, it is critical that you spend time with your systems, application and network teams on role-based security training to ensure that the assets are appropriately configured. Misconfiguration poses a large cyber threat in the best of times; even more so now. Of course, make sure you are catching them doing something good as well. (See #2 above.)
Create standing “tea-times.” Let’s face it, part of working together is socialization. For teams not used to working remotely (and therefore not used to connecting with each other on a social basis remotely), carve out some time each day that permits them to reach out and talk to each other about whatever they want. You don’t have to over-engineer this; giving permission might be all you need to do.
An organization’s ability to respond to any challenge is in no small part due to the strength and resilience of its culture. Focusing on, communicating with, and recognizing your staff will go a long way to keep people working together. Even when they’re apart.
Here is the bottom line: when it comes to cyber threats, we should of course take steps to protect ourselves and our businesses from attacks. However, we also need to prepare ourselves for the very real possibility that, at some point, someone will get into our systems. That’s why many cyber experts are beginning to use the new term “cyber resiliency.”
The concept of cyber resiliency stems from an understanding that the cyber threat landscape is so diverse that it’s important to make sure you can withstand and not simply prevent attacks. The overall goal of a cyber resilient system is therefore to maintain essential operating functions even when it is under attack.
The Basics of Cyber Resiliency
In the fall, the National Institute of Standards and Technology (NIST) released a cyber resiliency engineering framework that provides detailed steps organizations can take to minimize the impact of attacks. The overall framework can be broken down into four basic goals: anticipate, withstand, recover, and adapt.
According to the NIST framework, the first goal of cyber resiliency, anticipate, includes preventative measures often found in cyber security policies. However, anticipating a cyber threat goes beyond prevention by also focusing on preparing for an attack. This includes having an incident response plan in place, as well as changing your system often in order to preempt attacks.
Withstanding a cyber attack should involve steps taken to limit the overall damage an attack does, even if you haven’t detected the attack yet. In general, this involves deflecting the attack to areas that can take the most damage without disrupting day-to-day activities. You should also be prepared to entirely remove and replace systems that are badly damaged.
Before an attack even happens, you should know exactly how you plan to recover if one ever occurs. This should primarily involve being prepared to revert your systems to the state they were in before the attack. Recovery strategies will therefore depend heavily on having good backups of your systems that you test regularly.
At bottom, adaptation means understanding that as the threat landscape continues to change, so must your security policies and systems. You should constantly be looking for new vulnerabilities within your system as well as new forms of cyber threats. If an attack does happen, you should also be willing to take a hard look at how it happened and make changes accordingly.
Leaders are best equipped to drive cyber resiliency efforts
Because many executives don’t come from a background in cyber security, it may seem to make the most sense to leave the responsibility to the IT department or to someone trained in security. However, cyber resiliency is as much a function of culture as anything: how we govern, organize, and communicate about cyber threats are all necessary considerations for putting cyber resilient policies into action.
The report found that leaders who scaled technologies and security systems across all levels of the organization were far more effective at both preventing attacks and discovering attacks already in place.
Offering comprehensive security training across all levels of the organization also proved to be an effective method for protecting and maintaining systems during cyber attacks. Business leaders are therefore key to investing in and maintaining robust training programs.
Perhaps the most important skill a business leader brings to cyber resiliency is the ability to collaborate. Putting in place a cyber resiliency policy requires cooperation and communication between all levels and aspects of the business. By bringing different groups together and keeping everyone on the same page, organizations can be confident their policies and practices are as effective as possible.
The Take Away
At its root, cyber resiliency involves preparing all aspects of an organization so that any potential cyber threat has a minimal impact on business operations. This involves well-informed risk management strategies, effective communication and training for employees, updated intrusion detection systems, and a strong incident response plan that is tested and revised regularly. Cyber resiliency takes a village but depends first and foremost on a leadership team that takes the task seriously.
One main challenge in implementing proper cybersecurity policies is the fact that there is no one-size-fits-all solution. But, in some respects, this isn’t a bad thing. What solutions a business needs depends on several factors, such as size, industry, and the type of data being stored. If every business followed a single set of security solutions, some would end up over-protecting their assets, while others would be under-protected.
There are, however, a number of widely accepted security standards that strike a balance, giving organizations an outline of what protocols to implement based on their overall business strategy. A good example of this is the National Institute of Standards and Technology’s (NIST) Cybersecurity Framework (CSF).
One misunderstood aspect of the NIST Cybersecurity Framework is the use of implementation tiers. Rather than being progressive levels that all businesses should work toward, the tiers exist to relate the firm’s approach to cybersecurity risk management as it exists today to a desired tier level that meets organizational goals and is feasible to implement. Businesses can then go through each control within the framework to address what they are doing today within their current tier context and what they want to be doing to reach their target tier.
Here is a brief outline of NIST’s four tier levels to help your organization begin to evaluate where you stand now, and where you want to be.
Tier 1: Partial
Organizations at this tier are considered to have no formalized risk management practice and respond to threats in a sometimes “ad hoc and reactive manner.” On the organizational level, risk management is carried out on an irregular basis and without any set process to share cybersecurity information throughout the organization.
Tier 2: Risk-Informed
The risk-informed tier is for organizations that have risk management practices approved by management but not necessarily established across all levels of the organization. Cybersecurity processes are prioritized based on the organization’s risk level and business requirements but are only shared throughout the organization on an informal basis.
Tier 3: Repeatable
Businesses at this tier have formally approved cybersecurity policies that are well-communicated across all levels of the organization. The organization’s cybersecurity processes are regularly reviewed based on changes in threats and technology. Employees are also properly trained and able to carry out their specific roles related to maintaining the organization’s cybersecurity practices.
Tier 4: Adaptive
Finally, organizations in the adaptive tier are those where cybersecurity risk management is a part of the business’s overall culture, and which effectively adapt their practices based on lessons learned and predictive indicators. Cybersecurity risk and business objectives are fully integrated across all levels of the organization and are considered when making any business decision.
Tier as a Strategic Lever
Businesses should not blindly implement cybersecurity controls. Instead, it’s important for organizations to think carefully about their position with regard to risk — from the board level, to governance, to marketing — and make informed decisions about where they want it to be. A benefit of NIST’s tier system is that it can be used to benefit the overall business strategy, and not simply be an exercise in cyber risk management. That’s because a company’s position and goal with regard to any risk (from cyber risk to market risk to capital risk) is an articulation of the value it brings to its stakeholders. If a firm is currently at Tier 1 with regard to its cybersecurity, how does that impact its value proposition to its customers? What limitations does it impose on capital allocation? If the organization worked towards the repeatable tier, what opportunities would be unlocked (and conversely, what markets would it perhaps walk away from)?
Businesses that view the concept of tiers and cybersecurity risk as value creators rather than a compliance exercise will find that it creates sustainable advantages in a marketplace that is increasingly engaged with and attuned to digital protection and privacy.