David is the Senior Director of Information Security for ReSource Pro.
Mitigate your cyber risk
The cost of cyberattacks is reaching new highs. According to data from Coveware, the average ransom payment in Q1 2021 was $220,298 compared to just $6,733 in Q4 2018. Insurers are feeling the impact too, with Aon reporting a 67% loss ratio in the U.S. cyber market.
Our industry is the #1 target for cyberattacks, but with the right processes, we can reduce cyber risk significantly and recover more quickly in the event that a disruption does occur. Below are four key processes insurance organizations can utilize to protect against cyber threats and other adverse events.
1. Security awareness
Cyber threats, such as ransomware, rely heavily on social engineering to succeed. This means that building a strategy to enhance employees’ capability of recognizing digital risks is one of the most important security processes for an organization to establish. Unfortunately, many companies struggle to create an impact on their employees when doing so. Below are three tips for success:
- Use positive reinforcement, not punishment
- Training should be easily digestible and occur regularly
- Don’t tell employees what not to do; provide them with info and resources they can use
2. Business continuity planning and disaster recovery
Every organization should establish and maintain a detailed business continuity plan (BCP) that will enable it to restore value delivery to its customers in the event of a disruption, such as a power outage or cyberattack. Three essential steps to creating and executing an effective BCP include:
- Establishing a crisis management team to monitor the crisis and coordinate BCP execution
- Creating a communications plan to inform and update affected clients, partners, and vendors
- Evaluating and improving your remote work capabilities
3. Incident management
Incident management refers to how an organization plans to respond to issues that impact the delivery of its services to customers. This goes beyond calling the repairperson when the office printer is broken; it means having a process in place to help:
- Prevent such issues from occurring in the first place
- Address incidents in order of importance
- Escalate incidents that cannot be resolved quickly by IT or a security admin
Critical incidents, such as a power outage, may require a BCP response, or even outside support. When Hurricane Harvey impacted Texas in 2017, ReSource Pro supported several Texas-based property and casualty agencies in providing uninterrupted service to their customers.
4. Identity and access management
Organizations leverage dozens of services spread out across multiple providers. Think databases, benefits administration systems, and productivity applications. Each requires a separate account to access and, in some cases, provides control over confidential information. This emphasizes both the need for strong security awareness—so that employees keep their accounts secure—and for organizations to employ identity and access management (IAM), monitoring and controlling:
- What users have access to the system
- What permissions they have within the system
- What they are doing within the system
How can leaders bolster their teams’ security awareness?
To foster a cyber-secure workplace, leaders should exercise strong performance management. As with any other skill, you should set clear expectations and responsibilities for employees. As you employ security awareness tests and other tools, ensure that leaders at all levels, from managers to C-suite, are engaged in identifying and acting to address underperformance.