1 August 2019

Your Clients’ Biggest Cyber Risk? Their People. Five Ways to Defend Against “People Risk”.

There are two sides to cyber risk that brokers should understand when selling a cyber policy. 

One gets talked about the most (at least by vendors who sell cybersecurity solutions): IT defenses. That means keeping attackers out with technical controls such as firewalls and encryption, monitoring so you know when an attack is under way, and response plans so you can act when one gets through. 

The other side of cyber risk is less sexy because it has no easy solutions. That is the people: your clients’ employees, their business partners, and their clients. With the increased incidence of “social engineering” tactics like phishing, people have become one of the biggest security risks for organizations of all types — government and private industry; high-tech and old-school; large and small. 

After many high profile reports of social engineering in the past few years, there has been a surge in organizations providing information and training for their employees, teaching them to look out for these social engineering tactics. Perhaps you’ve sat through a mandatory webinar yourself. Those efforts are starting to pay off, as surveys this year have started to show reductions in self-reported risk in categories that include phishing and social engineering. Yet the continued prevalence (and success) of malware and phishing points to the limitations of training and education. Cybercriminals aren’t giving up so fast. 

In fact, your client’s technical defenses directly affect their social engineering risk. Criminals go after companies they can identify as having weak technical defenses, because those companies are also less likely to have adequate training programs in place. Often the victims are smaller companies without dedicated IT resources to give their employees proper education and protocols. At the other end of the spectrum, large established companies whose sheer scale keeps them from adopting the most up-to-date IT defenses are also fertile ground, because their organizational complexity is easy to exploit: an attacker can pose as a colleague, vendor, or executive whom the target has never met. 

Whatever category your client falls into, there are steps they can take to mitigate risk. 

Defending against “People Risk”: Five Ways to Prepare

With social engineering and phishing, your “defenses” are a combination of your technical defenses and of your people. At Corvus, we review your IT setup and identify any gaps that could lead to greater vulnerability (this is included in our Dynamic Loss Prevention reports). Any business should cover 5 key aspects to both prevent and mitigate the impact of “people risk”:
  • Training and Education: Social engineering often comes down to a momentary lapse in judgment – someone absentmindedly clicked a link, or rushed to respond to an email without thinking it through. Employees often know soon after they’ve made a mistake that something is wrong, but the damage has been done. That’s why regular education is critical to help them get ahead and recognize the signs of a social engineering effort. Routinely educating employees with examples of what to look out for is now a necessity for any organization. Organizations can even learn if they are at elevated risk by looking at how many new employees they have since new employees are most at risk for falling for social engineering. If your clients aren’t already engaged in some sort of training and education, this would be the first step.
  • Monitoring Sentiment: Look out for rogues. What looks like a social engineering incident is not always an accident; sometimes the call is coming from inside the house. Monitoring internal employee sentiment may help your client spot trends in morale that could lead to disgruntled employees before a cyber event occurs. This could involve using reports that gather data from sites like Glassdoor and LinkedIn to help your client know when their risk is highest.
  • Monitoring dark markets: Being aware of the risks your employees face is critical. People often reuse passwords, so your clients should ensure that their employees’ passwords, email addresses and other information are not showing up for sale in the databases cybercriminals trade. This requires ongoing dark-web monitoring rather than a one-time check, since new dumps appear continually.
  • Response: Because any organization is likely to be affected by social engineering at some point, your clients should have proper resources to respond to cybersecurity events. Having the right staff in place to respond can limit the impact of an incident or stop a breach altogether. Some cyber insurance policies include services that guide clients through the response to a breach.
  • Transferring risk: Cyber insurance policies typically offer coverage for the types of social engineering exploits that lead to losses for your clients. The best policies go beyond coverage and help to inform the policyholders’ strategy for preventing losses. Many of the services mentioned above come as a value-add with cyber insurance policies, such as phishing testing, monitoring of company employee sentiment, evaluation of your IT team staffing, and dark web monitoring. Cyber insurance also helps clients navigate the stressful situation of dealing with a breach, including finding third-party resources to help.
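The “Monitoring dark markets” point above says employees’ passwords should be checked against the databases cybercriminals trade. The added example below (written for this page; it is not Corvus code, and the breach corpus in it is constructed for the example) shows the check a practitioner would actually build: the client hashes the password locally, sends only the first five hex characters of the SHA-1 hash to the breach-data service, gets back every suffix sharing that prefix, and compares locally, so neither the password nor its full hash leaves the client. The same prefix scheme is used by the Have I Been Pwned “Pwned Passwords” range API; here the service is simulated in-process. A second function audits a set of employee accounts for breached and reused passwords, the two conditions the paragraph warns about.

```python
"""Credential exposure check using a k-anonymity range lookup.

Added example, not Corvus code. BREACHED_PASSWORDS and SAMPLE_ACCOUNTS are
constructed for the example. The range_lookup() function stands in for a
breach-data service; in production it would be an HTTPS call that receives
only the 5-character prefix.
"""
import hashlib
from collections import Counter, defaultdict

# Constructed "breach corpus": password -> number of dumps it appeared in.
BREACHED_PASSWORDS = Counter({
    "password": 3,
    "Summer2019!": 2,
    "letmein": 1,
    "corvus123": 1,
})


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1, the digest the range scheme is keyed on."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(corpus):
    """Service side: index each hash by its 5-char prefix -> {suffix: count}."""
    index = defaultdict(dict)
    for pw, count in corpus.items():
        digest = sha1_hex(pw)
        index[digest[:5]][digest[5:]] = count
    return index


def range_lookup(index, prefix: str) -> dict:
    """Service side: return every (suffix, count) under the prefix.

    The service only ever sees the prefix, so it cannot tell which of the
    returned entries (if any) the client was actually checking.
    """
    if len(prefix) != 5:
        raise ValueError("range lookups take exactly 5 hex characters")
    return dict(index.get(prefix.upper(), {}))


def is_password_exposed(index, password: str) -> int:
    """Client side: hash locally, query by prefix, match the suffix locally.

    Returns the breach count (0 if the password is not in the corpus).
    """
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    return range_lookup(index, prefix).get(suffix, 0)


def audit_accounts(index, accounts):
    """Flag accounts whose password is breached or reused across accounts.

    `accounts` is a list of (email, password) pairs. In practice this runs
    at password-set or login time; plaintext passwords are never stored.
    Returns sorted (email, finding, count) triples.
    """
    findings = []
    by_hash = defaultdict(list)
    for email, pw in accounts:
        count = is_password_exposed(index, pw)
        if count:
            findings.append((email, "breached", count))
        # Reuse is detected by hash equality, so no plaintext is compared.
        by_hash[sha1_hex(pw)].append(email)
    for emails in by_hash.values():
        if len(emails) > 1:
            findings.extend((e, "reused", len(emails)) for e in emails)
    return sorted(findings)


INDEX = build_range_index(BREACHED_PASSWORDS)

# Constructed employee accounts: one breached password, one password shared
# by two people, one unique strong password.
SAMPLE_ACCOUNTS = [
    ("alice@example.test", "password"),
    ("bob@example.test", "Tr0ub4dor&3"),
    ("carol@example.test", "Tr0ub4dor&3"),
    ("dave@example.test", "gK7#vq!2LmZp9wRt"),
]

if __name__ == "__main__":
    for email, finding, count in audit_accounts(INDEX, SAMPLE_ACCOUNTS):
        print(f"{email}: {finding} (count={count})")
```

Run as a script, the block reports alice’s password as breached and bob’s and carol’s as reused; dave is not flagged. The point of the prefix split is the privacy property, not the hashing: SHA-1 is fine here because the corpus is public and the lookup is a membership test, not a storage format.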

The conclusion you may be drawing is this: measuring how risky your client’s business actually is, and having a response plan in place before anything happens, are what ensure the right level of effort goes into mitigating risk and preventing loss. 

Mike Karbassi

Mike Karbassi is Vice President and Head of Cyber Underwriting at Corvus. He specializes in Network Security, Privacy Liability, Technology E&O, Media Liability, and Miscellaneous Professional Liability. Karbassi has over a decade of experience in insurance and is a graduate of the Boston University Questrom School of Business.

Gerritt Graham

Gerritt is the Chief Commercial Officer at Corvus. He has over 20 years of sales and marketing experience, primarily focused on technology and data solutions for the financial services industry.

James McElhiney

James co-founded Corvus and is the company’s Chief Technology Officer. A 30+ year technology veteran, Jaimie most recently served as CTO of Iora Health and previously co-founded Gazelle.

Mike Lloyd

Mike Lloyd is the Co-Founder and Chief Product Officer of Corvus Insurance. Previously, Mike co-founded Poncho, a personal lines agency InsurTech startup, and was a venture investor at FJ Labs. Mike has an MBA from Harvard Business School and engineering degrees from Virginia Military Institute and MIT.

Phil Edmundson

Phil is the founder and CEO of Corvus. A 30+ year insurance veteran, Phil co-founded broker William Gallagher Associates (acquired by Arthur J Gallagher in 2015) and was an active leader in both the Worldwide Broker Network and Council of Insurance Agents and Brokers. Phil is the Managing Partner of Edmus Ventures where he invests in InsurTech companies including Verifly, Wellthie, Agentero, and Cover Wallet, and serves on the board of Cover Wallet.