Closing the disconnect between cyber risk awareness and action

While awareness of cyber risk has increased significantly in recent years, there remains some disconnect in terms of how business leaders turn that awareness into effective risk management and insurance decisions, according to John Menefee (pictured), CyberRisk product manager at Travelers.

“More and more organizations are purchasing cyber insurance; 59% of respondents have a cyber policy,” he said. “That number has increased, but it should continue to increase, and we’re engaging every day with agents and customers to stress the importance of that coverage. That’s a battle that we’ve been fighting for a long time, and we’re starting to gain some ground.

“From a risk management perspective, despite the increased awareness of attacks, ransomware, and all sorts of bad things that can happen on the internet, we still see that many of the most effective controls and prevention methods are underutilized. Most respondents aren’t utilizing endpoint detection and response (EDR) technology, about half report they don’t require multi-factor authentication (MFA) for remote or admin access, and most don’t have an incident response plan. So, there’s still a big disconnect there.”

Read next: Many companies woefully underprepared for cyber issues

There are lots of things that businesses can do to mitigate their cyber risk, some of which are relatively low cost, such as MFA. Menefee said MFA is “one of the most impactful preventative controls,” and if more companies implemented MFA for email, remote access, and internal administrative access to systems, “the number of successful attacks would plummet”.

However, MFA has been slow to catch on. According to the 2022 Travelers Risk Index, 90% of survey respondents said they were familiar with MFA, yet only 52% said their company had implemented the practice for remote access.

“I found that really interesting … especially since so many of our respondents (93%) were confident that they’d implemented best practices to prevent or mitigate a cyber event,” Menefee told Insurance Business. “I think it’s just a knowledge gap. Because we [as insurers] respond to so many events, we know which controls are the most effective in reducing the chances of an organization being the victim of a cyberattack. And we also know many of the vulnerabilities and attack methods that the threat actors are using to gain access to these networks. Based on the low usage of some of those controls, there seems to be a disconnect in the level of confidence respondents have and their actual exposure.

“For that reason, it’s important for cyber carriers to share the information and intel that we have. If we work with our customers, we provide them with resources to reduce that knowledge gap, we can reduce the likelihood that they’ll become victims of cybercrime. And when we engage with our customers in this way… our customers seem to be very receptive, and they tend to work towards putting those controls in place. They just don’t know what they don’t know.”

Read more: Municipalities, school districts are large targets

Beyond MFA, all cyber risk experts stress the importance of employee education, and training employees how to identify and report suspicious online activity and phishing emails. As Menefee noted, the user is sometimes the weakest link, and even the best cybersecurity controls can be defeated by a lack of education.

“Also, threat actors often choose their victim based on vulnerabilities that are visible on the internet,” Menefee added. “Organizations that are aware of their attack surface, that effectively patch critical vulnerabilities, avoid having ports open that are often targeted by threat actors – those organizations are much less likely to be targeted in the first place. Organizations that can avoid doing things that will put them in the crosshairs of a threat actor are going to be a lot better off.

“For some of the more advanced technology that costs a little more, EDR technology can be a really sophisticated control that can identify behavior or commands on the network that’s unwanted, and stop it from executing. It’s almost like a backstop, so if other things fail, EDR is another layer of protection that can prevent a claim from happening or ransomware from being executed.”

One challenge with cyber is the ever-changing nature of the risk. Security controls implemented one day could be obsolete the next day. While 93% of business decision makers in the 2022 Travelers Risk Index are confident they’ve implemented best practice controls to mitigate or prevent cyberattacks, 80% of respondents also said it’s difficult to keep up with the evolving cyber risk landscape and threat vectors.

“And we can help, we can share our data, we can provide resources to customers, and then by encouraging customers to implement those best practice controls, we can reduce the number of cyberattacks that happen,” Menefee reiterated. When we’re successful at encouraging our customers to make those changes based on all that knowledge, we can be a major factor in reducing the impact that cyber criminals have in our daily lives. I think it is important for our customers to view this as an ever-changing risk. I think many of them are starting to, the awareness is there, and we’re encouraged by it.”