There are two sides to cyber risk that brokers should understand when selling a cyber policy.
One gets talked about the most (at least by vendors who sell cybersecurity solutions): IT defenses. That means being prepared to keep out snooping hackers with technology solutions like firewalls and encryption, monitoring to know when an attack is taking place, and defense plans to take action when you are being attacked.
The other side of cyber risk is less sexy because it has no easy solutions. That is the people: your clients’ employees, their business partners, and their clients. With the increased incidence of “social engineering” tactics like phishing, people have become one of the biggest security risks for organizations of all types — government and private industry; high-tech and old-school; large and small.
After many high-profile reports of social engineering in the past few years, there has been a surge in organizations providing information and training for their employees, teaching them to look out for these social engineering tactics. Perhaps you’ve sat through a mandatory webinar yourself. Those efforts are starting to pay off, as surveys this year have started to show reductions in self-reported risk in categories that include phishing and social engineering. Yet the continued prevalence (and success) of malware and phishing points to the limitations of training and education. Cybercriminals aren’t giving up so fast.
In fact, your client’s technical defenses can directly impact social engineering risk. Criminals go after companies they can identify as having low defenses because they are less likely to have adequate training programs in place. Often the victims in these situations are smaller companies without dedicated IT resources to provide proper education and protocol to their employees. At the other end of the spectrum, larger established companies whose sheer scale prevents them from being able to take advantage of the most up-to-date IT defenses can provide fertile ground because their organizational complexity is easy to exploit.
Whatever category your client falls into, there are steps they can take to mitigate risk.