Humans continue to be the weakest links when it comes to corporate cyber security, but companies looking to reduce phishing or ransomware attempts must first address their company culture, one expert tells Canadian Underwriter.
Over the past two to three years, companies have been tightening their cyber controls and investing in their network security, but nearly 90% of cyber claims still stem from human error, says Brandon Middleton, AVP of cyber, technology and mobility at Liberty Mutual.
In particular, ransomware is still the number one cyber risk for companies, though ransom actors are changing their methods to give themselves more leverage, he says.
“We’re seeing a lot of attackers really focusing on accessing third-party data, and exfiltrating the data — actually stealing the data first — versus just encrypting it,” he says.
“Once they’ve stolen the data and have access to it, then they’ll deploy the ransomware and scuttle the network, just to give them a bit of a backup to be able to potentially sell that data on the black market later on.”
Ransomware, phishing and business email compromise, in that order, make up the top three cyber risks for companies.
What underwriters want
Underwriters are looking for companies who’ve demonstrated they’ve positively integrated cyber security measures into their company cultures — and that they actively promote it across the organization.
One way to do that is by instituting cyber security working groups — or cyber security champions — to foster better cyber hygiene among their peers.
“[Cyber security champions] could be staff [members that have] a heightened understanding of cybersecurity and awareness and are able to foster that information and share it with peers across the organization,” Middleton says.
That way, there’s no single point of contact for cyber security. It’s “peppered throughout the organization.”
Fostering internal branding of a company’s cybersecurity team, ideally a branch of the internal IT team, also helps strengthen corporate cyber culture.
“Maybe they have their own logo and their own sub-name within the team, that can be pasted onto any kind of documentation that gets sent out, or initiatives or campaigns throughout the company,” says Middleton. “Something that’s really recognizable and draws attention and awareness to what they’re trying to do.”
Companies should also foster cyber hubs, where employees can access any crucial details on best cyber practices. These can either be internal, or outsourced to insurance carriers, for example.
“[There needs to be] sort of place where people can go to access this type of information easily, always has a positive impact on an internal culture,” says Middleton.
And for those employees who are at risk of getting phished, or have already been phished, incentivizing better cyber habits produces positive outcomes as well.
“Maybe if there was some kind of financial reward or gift card or something to incentivize being diligent,” Middleton says, “that’s a way to gamify the process and get people to keep cybersecurity front-of-mind.”