Security Awareness Training For Cyber Insurance

Cybersecurity insurance providers will often expect your employees to have completed Security Awareness Training before offering to cover you. Why is that? And what can you do to meet these requirements?

Cyber insurance acts as a safety net for organizations in the unfortunate, but very real, eventuality of a cybersecurity attack. The implications of a successful cyber-attack can be devastating: financial losses, data breaches, lost business and clients, affected third parties, a ruined brand reputation, and a falling stock price. It’s estimated that cybercrime is going to cost the world $10.5 trillion annually by 2025, especially as ransomware attacks are predicted to rise in the near future. This means that cyber insurance providers will have their work cut out for them.

Cyber insurance isn’t a silver bullet solution – companies will still have to deal with the consequences of an attack, but cybersecurity insurance can make this process easier. The insurance can help with some of the costs, and can also provide access to technology and business experts who advise on how best to manage the fallout and recover. However, in order for companies to be eligible for cyber insurance, there are strict guidelines that need to be met. One important factor is security awareness training (SAT).

What Is Cyber Insurance?

Cyber insurance is a form of specialized insurance that aims to protect businesses from internet-based risks and minimize the resulting damage. This is often achieved through remuneration, but also with expert advice and analysis. Cyber insurance companies are specialist insurance providers that deal in exactly this.

These specialist cyber insurance companies often have policies that offer first-party coverage to provide remuneration for losses resulting from a cyber-attack. Outcomes might include data loss, destruction, theft, or extortion. Ransomware and distributed denial-of-service (DDoS) attacks are also something to be wary of. Companies remain solely responsible for whatever losses, breaches, and successful attacks occur, but cyber insurance is there to act as a safety net that helps affected companies recover from the damage.

It’s important to have some form of cover in place, because the implications of a cyberattack can be financially devastating. In 2017, hackers released the personal information of almost 70 million Target customers. Costs incurred that were directly related to the attack totalled $292 million, which included lawsuit settlements. The company saw its earnings fall by nearly 30 percent, some $1.58 billion, and needed to reserve revenue in order to pay the damages. The company also took a hit from customers refusing to shop at Target in the aftermath. Attacks can get expensive.

Most cyber insurance providers’ policies offer first-party and third-party cover for financial and reputational costs in the event of data loss, destruction, or theft. For the claimant, cyber insurance cover can include investigation costs, recovery of lost data, restoration of computer systems, loss of income from downtime, management and remediation of reputational damage, and notification costs. Some coverage will extend to paying ransom demands from attackers, though the premiums on this can be very expensive.

Any third-party coverage included with a company’s cyber insurance program will help to pay for damages and out of court settlements, as well as any court fees from legal disputes. Cyber insurance also provides other benefits such as providing regular security audits, post-incident public relations management, and even criminal reward funds.

What Scenarios Does Cyber Insurance Cover?

Types of attack commonly included in cyber insurance coverage are:

Ransomware

This is a type of harmful code that renders servers and devices unusable until a ransom has been paid to an attacker. Ransomware attacks often end up being the most financially and reputationally damaging. Not only do attackers demand extortionate fees, but the loss of revenue from extended downtime can be severe. Organizations will often require expensive specialist help to recover inaccessible files, data and servers.

It is common for cyber insurance providers to require that organizations have a strong backup and recovery solution in place. Backup and recovery solutions keep copies of servers and data on separate storage, so that systems can be restored and the effect of ransomware mitigated in the event of an attack.

Malware

Malware is an umbrella term applied to a wide range of malicious software that, once deployed on a device or network, aims to cause harm through theft, disruption, damage, or by gaining access to further data and files. Some malware attacks are more covert than others, with threat actors able to spy on users and activity within the network. Common forms of malware include trojans, worms, spyware, and bots. Technically, ransomware is a form of malware.

Data Losses And Breaches

Data is, perhaps, the most precious thing a company has. It allows you to tailor your operations and ensure that you are delivering a service that your customers need. As a result, data has become a prime target for threat actors. Attackers often aim to infiltrate a network in order to access, steal, destroy, or edit data. It can be sold on the dark web, giving attackers an easy way to monetize the breach.

This data can be highly sensitive and confidential, such as financial or customer and client information. Whatever the data is, you don’t want it falling into the wrong hands. Your customers expect you to look after their data, and you don’t want to breach this trust.

The Effect Of An Attack

As well as the immediate financial losses felt from the initial attack – the costs of tackling and remediating the issue, lost productivity during downtime, and any ransoms paid – the effects can be much longer lasting. Corporations can also lose revenue from lost customers and have to pay large settlements to affected clients and customers. It is essential that you do not rely on cybersecurity insurance alone. Preventing data loss, malware, or ransomware is the best, cheapest, and most effective thing you can do. Cyber insurance providers often have high expectations of organizations before they will consider cover.

Cybersecurity insurance plans usually cover:

  • Lost revenue from downtime
  • Destruction of digital assets
  • Data retrieval and network restoration costs
  • Network security and privacy liability
  • System failures
  • Extortion and ransomware
  • Expenses incurred from response and remediation efforts
  • Contingent business interruption
  • Most notably when it comes to SAT, social engineering attacks and the cyberattacks that follow from them

So, where does security awareness training (SAT) come in? We’ll tell you, but before we do, let’s explore the ins and outs of SAT.

What Is Security Awareness Training?

Security awareness training is a form of training delivered to users within an organization or company to educate them on the common risks and dangers associated with working online, and on how best to respond when they encounter one of these threats. Many organizations have extensive technical defenses, which makes employees the final line of defense against the threats that slip past them. Human error, forgetfulness, or misjudgement can give an attacker all the opportunity they need.

In practice, this might look like an end-user unwittingly clicking a link to a harmful website or downloading malware hidden in an attached file as part of a phishing scam. Mishandling or mis-storing physical data, such as losing a removable storage device, or sharing passwords, can also have severe consequences. All of these scenarios could have been avoided if end-users had proper training and an understanding of the potential consequences.

So, what does SAT look like in reality? Most SAT training has moved away from monotonous presentations containing reams of facts and figures. Instead, the more popular (and often more successful) SAT programs rely on fun and visual ways to learn – some have branded this as “gamification”. This can look like anything from pop quizzes and educational videos to interactive games and mock scenarios that users discuss in groups to come up with solutions. SAT programs can be deployed for individuals to complete alone or delivered to an entire workforce or department. Group delivery encourages collaboration and participation, making it okay for employees to ask questions.

Overall, SAT is there to train your users on the dangers and help them think critically when a real-life situation occurs. If they are the only thing standing between your company and a catastrophic data breach, they can be equipped with the essential information on how to react. SAT teaches:

  • Appropriate office behavior
  • Good password and security hygiene
  • How to properly store data and files
  • How to spot threats in their inboxes – whether that’s email, messaging apps, text messages, or even phone calls and voicemails
  • (Most importantly) How to respond accordingly

How Does Security Awareness Training Work And Is It Effective?

So, is it effective? The short answer is yes. It’s very effective. And very easy to implement.

There are two sides to an SAT solution: education and training. The educational side is handled through the interactive learning modules that cover a range of relevant topics. Some of these will be relevant to all employees, others will be designed for specific roles or sectors. These sessions can be deployed as frequently as admins would like – you want to find the balance between keeping employees knowledgeable, without the training becoming a burden.

Delivering small modules periodically ensures that users are not overloaded with information, meaning they’re more likely to actually retain what they learn in those sessions. Ultimately, this makes the solution more likely to be effective.

Most SAT solutions rely on kinaesthetic learning – i.e., learning by doing. Engaging and interactive modules work because the employee is taking an active part in the training. They cannot zone out and let the content wash over them. This interactive training can be enhanced through another feature of many SAT courses: phishing simulations.

These simulations send fake phishing emails to users once they have completed a training module to see if the training has been successful. The phishing simulations encourage end-users to think critically and put the skills they learned into practice. It makes them think independently, outside of the “classroom environment”, thereby making them more confident.

If a user fails the simulation, the admin will be notified and can decide if the user needs further training. Simulations can be configured to run as frequently as admins would like. As with the deployment of modules, ongoing and periodic simulations are advised.

One research group, the Aberdeen Group, found that having a strong SAT solution in place reduced the risk of successful socially engineered cyber-attacks by roughly 70%. Those are odds anyone would like the sound of, especially your cybersecurity insurance provider.

Security Awareness Training Requirements For Cyber Insurance

With SAT having continued and widespread success in heavily reducing the number of successful breaches and attacks, it’s no wonder that its deployment has become a prerequisite for cybersecurity insurance qualification. It is one of the easiest and most effective solutions for reducing risk and potential attacks while improving security posture. This benefits the insurance provider, as it means that organizations are less likely to make a claim. If you prove to a provider that you take cybersecurity seriously – that you are doing everything you can to mitigate the risks – many providers will offer reduced premiums and discounts.

In order to qualify for cyber insurance, organizations wishing to apply for coverage need to make sure they have the right security protocols and solutions in place – such as SAT. Admins will first need to assess their cybersecurity risks and vulnerabilities and ensure that there are effective policies and tools in place. They can then find an SAT vendor who is suited to addressing these weaknesses.

While most SAT solutions cover the same core topics, it’s important that your SAT solution covers the most important topics for your organization. Common modules and risk areas include:

  1. Phishing Scams: In a report from IRONSCALES, it was revealed that 81% of organizations across the globe have seen an increase in email phishing since March 2020. Phishing remains one of the most popular and successful attack methods threat actors leverage against a company. It’s cheap, relatively easy to do, and can be sent to thousands of users at once. However, more and more sophisticated phishing attacks are occurring, with attacks such as voice phishing, SMS phishing, whaling, and BEC scams on the rise.
  2. Password Hygiene: Passwords are the number one target for a lot of cybercriminals. They can be sold on the dark web, or used to gain network and account access to carry out more sophisticated attacks. Whatever the reason, passwords have become the number one target, with around one million passwords stolen each week. Cyber insurers want to know that the company they’ll be supporting in an incident takes appropriate care when looking after passwords, and that good password hygiene is always practiced.
  3. Securing Devices: Each device is a connection or tunnel into a network. Devices need to be properly secured to prevent them from acting as a gateway for attackers. Devices should be looked after with care to ensure they’re not stolen or compromised, and there should be strict policies on how they’re used in instances of remote or nomadic working. Your end-users should know these policies and treat their work-mandated devices with care.
  4. Data Privacy And Security: A big one. SAT should cover data privacy and security, with reference to compliance and regulation where relevant. This ensures that your users know exactly how to treat sensitive information, how to handle it, how to store it, who should have access, and what revoked and restricted access means.
  5. Clean Desk Policy: SAT should also educate and reinforce the idea of a clean desk policy for your users. This ensures that information is kept private and secure by maintaining a clean and ordered workspace that leaves nothing out or accessible. It is harder to notice when something goes wrong in a messy environment.

Summary

For many organizations, having a strong cyber insurance plan in place can be critical in retaining credibility, restoring finances, and being able to continue operations in the aftermath of a cyberattack. Cyber insurance is there to act as a safety net, to help with some of the fallout in the wake of an attack. It can be essential in helping an organization to recover, although it is not a fix-all.

Rather than focusing on a cybersecurity insurance policy, you should ensure that your network is adequately protected. Cybersecurity insurance should be in addition to your defences, not a replacement for them.

SAT has become an important part of any well-rounded security stack, as well as a necessary requirement for qualifying for cyber insurance. While your security stack contains some powerful technical tools, it still relies on the human employee doing the right thing.

Your users play a critical role in maintaining your overall network health. You can throw as much money as you like at the best tools in the cybersecurity business, but all it can take is the click of a link, or the sending of a file to the wrong recipient, for a devastating cyber-attack to be set in motion. Cybersecurity insurers know this too.