Recently publicized ransomware attacks (“WannaCry”) have reminded many about the importance of cybersecurity vigilance. Tellingly, any insurance organization that followed the most basic cybersecurity best practices would have been safe from WannaCry.
We’ve put together a list of best practices that will help you minimize your insurance organization’s exposure to cyber liability.
Keep your operating systems and software up to date.
The WannaCry ransomware took advantage of computers that had not been properly updated or maintained. Computers without Microsoft’s March 2017 update (MS17-010) were impacted. Ensuring all computers have the latest security updates is your first line of defense against these attacks.
Establish a cybersecurity program and implement best practices.
It’s valuable to have an Information Security program that is independently certified, developed with a subject-matter expert, and built upon cybersecurity best practices. Common activities within that plan might include:
- Routine maintenance and security updates of all your equipment
- Regular cybersecurity risk assessments and audits
- Vulnerability scans against all computers and devices
- Regular review of computer logs to proactively identify issues
- Email phishing campaigns to raise awareness and test readiness
- Simulated cyberattacks including testing your incident response procedures
Your environment may not need this same level of proactivity, but having a security consultant who helps you establish your cybersecurity program and determine which best practices to implement on a consistent basis is a smart investment.
Educate your employees on cyber-safe behavior.
WannaCry was spread globally through a phishing email. Likewise, many cyberattacks rely on careless behavior (e.g., opening a phishing email or accessing malicious websites), which proves to be an efficient method for hackers. Train employees on secure cyber behavior, then consistently focus on reinforcing everyone’s awareness. An adequate cybersecurity program requires technology, policies, and procedures, but it must also encompass the human element. Awareness and education programs often include:
- Integrating cybersecurity within your culture and decision making
- Engaging employees with cybersecurity and making security fun
- Recognizing good behaviors publicly
- Providing incentives to encourage secure practices and a secure company culture
In many cybersecurity-conscious organizations, employees are required to attend annual online security awareness training. The training is updated annually, with material added to reflect new areas (e.g., phishing, ransomware, social engineering) that require reinforcement and awareness.
Make cyber safety and security a priority.
Many cyber experts recommend having an internal team to monitor and maintain daily security operations. Selected team members often receive additional or advanced training to help champion best practices, make policy decisions, and, most importantly, identify, respond to, and resolve issues during cyberattacks.
Research conducted by Cybersecurity Ventures estimated that the cost of cybercrime could reach $6 trillion by 2021. If true, that number will have doubled in just six years, from an estimated $3 trillion in 2015. That means every business needs to make cybersecurity a priority.