Data breaches are inevitable for almost every organisation, regardless of sector, and they are increasing in both regularity and size.
When these breaches cost large firms between £600,000 and £1.15m and small firms £65,000-£115,000 every year, the importance of cyber insurance is clear.
While cyber insurance is nothing new, demand is certainly increasing. Earlier this year Lloyds of London announced a 50% increase in cyber insurance sales during the first three months of 2015 compared to the same period last year.
This is likely due to high-profile security breaches dominating the news agenda over the past 18 months. With 100 global financial institutions falling victim to one of the largest ever cybercrimes – when it was uncovered a Russian gang could have stolen up to £650m – companies are seeking better protection.
But while investing in cyber insurance is a positive step towards reducing the impact of a data breach, it is only one part of a range of security measures organisations need to take.
Cyber insurance does not prevent the attack – it picks up some of the fallout costs associated with it.
For cyber insurance to be effective and affordable, a company must have a clear understanding of its security architecture and what it requires.
Proactive steps therefore need to be taken before the cyber insurance policy is in place:
- A “cyber hygiene” overhaul – Otherwise your policy will cost a fortune and may be void anyway. Begin by reviewing your existing IT infrastructure, which will help identify services that need to be controlled, users that need to be managed and systems that need to be patched. A cyber hygiene checkup should be scheduled routinely to cover the most common flaws in data security.
- Know your security architecture – A lack of understanding can result in voiding your policy. You need to know the risks faced by different business functions and departments. From there, you can identify the appropriate security controls to protect each part of your business.
- Monitor and respond – Continuous risk management underpins all security processes. You must constantly monitor your estate and the threat landscape. Learn from past mistakes and assess how your security architecture can evolve in light of these incidents. With this insight, plan how to recover after an incident – not just a short-term financial recovery, but how you will continue your business.
- Make employees part of the solution – Security should be embedded in company culture by outlining clear succinct policies. However, not only do employees need to play by the rules, they also need to be the eyes and ears on the ground – remaining vigilant to any suspicious behavior and reporting incidents.
- Plan to recover – No matter how secure you think your business is, breaches and attacks will happen. Put in a place a solid plan so that you and your employees understand how to detect, contain and recover from a security incident.
Once these internal matters have been attended to, a decision can be made on investing in cyber insurance.
Insurance helps mitigate some of the financial impact, but organisations need to be proactive in understanding their security architecture and checking its relevance in the context of today’s threats.
Put simply, security threats scale with increasing digitisation of a business. To succeed, businesses need to take more initiative so they can stay ahead of threats rather than respond to them.
For more business insight into the challenges around security, visit our website.
Latest posts by John Alcock (see all)
- Before you cyber insure there are five key considerations businesses must address - September 15, 2016
- Compliance: A global perspective - November 15, 2013