Login Register Subscribe
Current Issue

Engage all levels of employees to achieve effective cyber security

Reprints

As emerging technologies introduce new security risks to businesses, risk managers should have a solid plan in place to both prevent and respond to a potential cyber attack, according to a recent panel of insurance industry experts.

But the plan should strike a balance between protecting the firm from cyber breaches while still enabling the business to perform its operations with the technology necessary to do so, experts said Tuesday during the Insurance Executive Forum held by Illinois State University's Katie School of Insurance and Financial Services in Chicago.

Data breaches are becoming more common, making response plans all the more essential to protect the property and reputation of an organization. According to a September 2014 study by the Traverse City, Michigan-based Ponemon Institute L.L.C., 43% of companies said they suffered a cyber attack in 2014, compared with 33% in 2013.

And employers are acting: 73% of organizations have developed a data breach response plan in 2014, up from 61% the year before, the Ponemon Institute found.

An effective data breach response plan includes three parts, said Greg Bee, the director of corporate information security governance and chief information security officer with Bloomington, Illinois-based insurer Country Financial.

The first step is to determine how to prevent a breach from occurring by assessing the risks of the organization and where the gaps in security are, Mr. Bee said. Firms should also prepare to “dissect the attack” once it occurs, he said.

“We have to understand why we're being attacked, how we're being attacked and what the motive of the attackers (is),” Mr. Bee said.

Third, if a breach does occur, organizations should know ahead of time how to portray themselves in the public. Holding mock cyber incidents can help prepare the organization in all scenarios, he said.

Companies that are successful at battling cyber breaches include all leadership and workers in the plan to prevent attacks, said W. James Regan, senior vice president of FINPRO at Marsh L.L.C.

But it's important to note that employees are often one of an organization's greatest “vulnerabilities,” said Paul Larson, senior vice president and specialty risk manager with Chubb Specialty Insurance, a unit of Chubb Corp.

As such, training workers in cyber security is necessary. For instance, Country Financial began testing its employees' cyber security practices four years ago by sending a fake phishing email crafted by a third-party organization to 400 workers during the benefits enrollment period, Mr. Bee said. The email was made to look as if it was sent from the benefits team, and 320 employees clicked the malicious link. Forty-percent actually handed over credentials, he said.

But after performing the test each year since, last year only 2% of Country Financial's employees clicked the malicious link, and only one person gave up credentials, Mr. Bee said.

Securing cyber insurance

The insurance industry has “done a good job expanding cyber” insurance coverage to include potential sources of costs, such as business interruption and extortion, Mr. Regan said.

According to the Ponemon Institute study, in 2014 26% of organizations adopted a cyber insurance policy, compared with 10% in 2013.

Insurance options for middle market employers are widely available, and organizations can outsource to a third-party vendor to perform an annual review of the cyber security practices, experts said.

According to Mr. Larson, a good agent or broker “is critical” because they work to find gaps in the cyber security of an organization. But in the end, he said, data breach preparedness begins with a good cyber security policy in the workplace.