November 15, 2022
Good morning, everyone!
This week’s critical vulnerabilities:
Patch All the Things!
Cyber Liability Insurance
A recent legal case involving cyber insurance has been a hot topic on LinkedIn lately. There is much talk that cyber insurance companies are no longer going to trust your answers to their questions about security, and may start requiring third-party verification before offering a policy. With that in mind, here are my recommendations in this regard.
Be as secure as you possibly can be. The first thing you want to do is achieve the highest level of security your organization is able to tackle. Why? Because the stronger your security, the less chance of having a major cyber incident – and the lower your cyber liability insurance premiums will be! So start with a security assessment by a reputable third party like my company and implement as many of their suggestions as you can. These are exactly the things that show up on your insurance application and affect your premiums.
Be as compliant as you can afford to be. In an ideal world, security and compliance would be the same thing. Unfortunately, this is not an ideal world. Security is about measurable outcomes (“I do this thing and I get this result”). Compliance is about accountability and liability (“I need to check this box”). If you focus on security first, your compliance will be easier and your overall risk reduced.
Assess your exposure. What are the chances of your organization being hacked? And what are the consequences? There are several factors that have a significant impact on these determinations:
- Are you in a high- or low-risk industry? A few years ago, retail merchants were at the highest risk, but recently healthcare and manufacturing have taken the top two spots.
- What kind of data do you store? Is it the kind of data that cyber criminals want to steal?
- How strong is your information security program? Do you have a “culture of security” in your organization that makes you feel confident your employees are practicing safe behavior online? Do you have good policies and procedures, and training for your employees? Do you have good backups that are secure, encrypted and verified?
Determine your appetite for risk. This is one that many people don’t think about. What is your appetite for risk? Look at your car insurance. What’s your deductible? $250? $500? $1000? $5000? That’s a good indicator of your personal risk appetite. When looking at cyber liability insurance for a business, you need to know what is the appetite for risk of the business owner or primary stakeholders.
Purchase insurance accordingly. Start with your current business insurance provider, and go from there. As always, if you have questions or wish to discuss further, ping me.
Upcoming Virtual Workshop
Eight years after its release, many organizations still find themselves struggling with how to
implement the NIST CSF. In this virtual workshop, we will break it down into a simple, 7-step process that
anyone can follow.
Have a great week!
Security Awareness Training Available Here, There, Everywhere!
Thanks to COVID-19, lots of things went virtual, including my employee Security Awareness Training. Live training made a comeback a few months ago, but many organizations are retreating. No worries. Wherever you and your employees may be, I can deliver an interesting and informative training session in whatever format you prefer.
Contact me to schedule your employee training sessions. They're fun! ☺