Whether through human error or ignorance, companies are exposed to cyber risk through employees and must consider their defences. Lauren Webb and Nick Bellamy, cyber underwriting manager and principal cyber risk engineer at Chubb, explain.
One in three companies have experienced a cyber incident in the past 12 months, according to Chubb’s latest research, Bridging the Cyber Risk Gap. As a direct consequence of this, a significant majority realised they were less prepared than they had hoped. In many cases, that lack of preparation will not have been around companies’ digital defences; instead, the problem will have been with their people.
Few firms in the UK understand or address effectively the human element of their cyber risk. Around 70% of cyber security breaches result from phishing attacks, and a growing number from broader social engineering by criminals.
This does not include the number of cyber breaches that result from simple human error, without malicious intent.
Here are a few easily recognisable scenarios: the employee who emails important data to someone they did not intend; the employee who falls for a scam email; the employee who opens a link in an email without verifying the sender’s address; the employee who goes online and inadvertently downloads malware onto a company computer; and the employee who accesses company information from their own device and introduces malware.
The above are a combination of simple human error, ignorance or – more worryingly – sophisticated attacks known as “spear-phishing” in which information gleaned from social media or a company’s own website is used to dupe an employee into doing something or following a link which exposes the company to risk.
Phishing or spear-phishing scams succeed by exploiting human nature: instincts such as curiosity, eagerness to respond to a boss’s request, greed, or our natural tendency to human error. Often scams happen on a Friday when employees may be tired after a long week or are not fully concentrating as they prepare to leave for the weekend. Law firms in particular are familiar with the practice dubbed the ‘Friday afternoon fraud’. This is where employees are targeted by fraudsters to hand over bank details, usually as conveyancing transactions are being completed.
Many firms have concentrated their efforts on technological defences against cyber attacks. The focus, typically, is on building and maintaining the traditional perimeter security encompassing server security, malware protection, access control – and on applying the software patches that come out so frequently to protect against new threats. This concentration on digital aspects can mean that building employee defences comes a distant second. To defend successfully against cyber attacks, companies need to prioritise both.
Technology is only half the battle
Building a human firewall requires a holistic approach that starts at the very top with the mission and the culture of the organisation. If a firm’s corporate mission is to bake bread, for example, it needs to look at what is essential to achieve this. Often companies are concerned by data breach issues even when they hold no sensitive customer information. One baker client had a factory operating system accessible through the web or through handheld employee devices, which made it vulnerable to attack and which was not on the risk register. Any business, even sophisticated global players, can be vulnerable – as major logistics and pharmaceutical businesses discovered at their own expense last year.
As part of a proactive, pre-event risk management and mitigation strategy, a cyber audit should be undertaken for new clients, looking at all aspects of their operations, not just their data security.
This holistic pre-event approach to risk management requires the involvement of different teams across the business. Starting at the top, brokers must engage with risk managers to verify the level of buy-in from the board to ensure that cyber security is regarded as a whole-business problem, not an IT-only issue. That means talking to the board in their language – spelling out the damage that cyber attacks can wreak not just in terms of reputation, but also bottom line impact.
With the support of the board, the first two teams that risk managers need to join up are IT and operations, ensuring that all critical systems are identified and the potential losses arising from them are understood by both sets of people. Risk assessment here must look not just at the digital exposures, but at the weak spots where staff action, or occasionally inaction, makes the business vulnerable to attack.
Once human cyber risk factors have been identified, mitigation of those risks through training, adoption of new policies and behavioural change is possible.
There are a number of different areas to consider here. Training must start on day one, which means including relevant cyber security training during the onboarding of new starters. Staff may stay with a firm for a long time, and risks will change, so regular refresher training will also be required, potentially supported by insight from specialist broker and insurer partners that closely monitor changing cyber threats.
Help will be needed from human resources and training specialists, while impactful communication about cyber risks to staff will require the input of internal communications specialists to ensure training stays fresh and that staff who think they’ve “heard it all before” take in messages about new threats or potentially dangerous online habits that expose the company to risk.
Meanwhile, when staff leave, companies should consider how access controls and privileges are deleted, and how the firm manages the recovery of assets like mobile phones and laptops.
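One practical way to turn the leaver check above into a routine control is to reconcile the HR leavers list against the directory and asset register every day and flag anything outstanding. The script below is an added example, not part of the article or of any Chubb tooling; the three CSV exports, their column names and the sample rows are all constructed for illustration, and the assumption that HR, the directory and the asset register share one employee ID is just that.

```python
"""Offboarding reconciliation: flag leavers whose access or assets are still outstanding.

Added example, not from the article. All data below is constructed, and the
column names (and the idea of daily HR / directory / asset-register exports) are
assumptions about how such exports might look.
"""
import csv
import io
from dataclasses import dataclass
from datetime import date

# Constructed sample exports. Assumption: all three systems key on employee_id.
HR_LEAVERS_CSV = """employee_id,name,leave_date
E1001,A. Smith,2024-03-01
E1002,B. Jones,2024-03-08
E1003,C. Patel,2024-03-15
"""

DIRECTORY_CSV = """employee_id,account,enabled,last_logon
E1001,asmith,false,2024-02-28
E1002,bjones,true,2024-03-12
E1003,cpatel,true,2024-03-14
E2000,dlee,true,2024-03-18
"""

ASSETS_CSV = """asset_tag,type,employee_id,returned
LT-0042,laptop,E1001,true
PH-0117,phone,E1001,true
LT-0043,laptop,E1002,false
LT-0044,laptop,E1003,false
"""


@dataclass
class Finding:
    employee_id: str
    issue: str          # account_enabled | logon_after_leaving | asset_not_returned
    detail: str
    days_overdue: int   # days since the leave date, used to prioritise the report


def _parse(text):
    """Read a CSV export into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(text)))


def reconcile(hr_csv, directory_csv, assets_csv, today):
    """Cross-check leavers against live accounts and unreturned assets.

    Only people whose leave date has already passed are considered leavers;
    accounts for current staff are ignored entirely.
    """
    leavers = {}
    for row in _parse(hr_csv):
        left = date.fromisoformat(row["leave_date"])
        if left <= today:
            leavers[row["employee_id"]] = left

    findings = []
    for acct in _parse(directory_csv):
        eid = acct["employee_id"]
        if eid not in leavers:
            continue
        overdue = (today - leavers[eid]).days
        # Access not revoked: the account is still enabled after the leave date.
        if acct["enabled"].strip().lower() == "true":
            findings.append(Finding(eid, "account_enabled", acct["account"], overdue))
        # Worse: the account has actually been used after the person left.
        last = date.fromisoformat(acct["last_logon"])
        if last > leavers[eid]:
            findings.append(Finding(eid, "logon_after_leaving",
                                    f'{acct["account"]} logged on {last.isoformat()}', overdue))

    for asset in _parse(assets_csv):
        eid = asset["employee_id"]
        if eid in leavers and asset["returned"].strip().lower() != "true":
            findings.append(Finding(eid, "asset_not_returned",
                                    f'{asset["type"]} {asset["asset_tag"]}',
                                    (today - leavers[eid]).days))

    # Longest-overdue first; stable sort keeps the issue order within one person.
    findings.sort(key=lambda f: (-f.days_overdue, f.employee_id))
    return findings


def run_report(today_iso="2024-03-20"):
    """Run the reconciliation over the constructed exports for a given day."""
    return reconcile(HR_LEAVERS_CSV, DIRECTORY_CSV, ASSETS_CSV, date.fromisoformat(today_iso))


def summarise(findings):
    """Count open issues per leaver, e.g. {"E1002": 3, "E1003": 2}."""
    counts = {}
    for f in findings:
        counts[f.employee_id] = counts.get(f.employee_id, 0) + 1
    return counts


if __name__ == "__main__":
    for f in run_report():
        print(f"{f.employee_id}  {f.issue:<20} {f.detail:<32} {f.days_overdue}d overdue")
```

Run on the constructed data, the report is empty for E1001 (account disabled, assets returned) and raises five findings for the other two leavers, with the account that was used after its owner's leave date sorted to the top. In practice the same shape works with a scheduled export from the HR system, the directory and the MDM or asset register, with findings routed to the IT and HR owners named in the offboarding policy.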
The training given also needs to be varied and appropriate to the type of employee. This is not only a case of talking the right language (and avoiding jargon), but also of understanding how different groups of people approach technology differently. Younger people, for example, are often more comfortable with lower levels of security on social media and are used to sharing what would once have been seen as private data. Training on the risks that over-sharing on social media can create is something that benefits staff both in their home lives and in a business context. Sometimes couching this training as being of benefit both at work and at home ensures that the messages stick.
For businesses with a greater level of risk, including firms that hold financial records, or which come under regular attack, simulated phishing exercises are invaluable, whether managed internally or via one of the many external providers. These test employee responses to phishing mails and then deliver training to those who show low awareness.
This kind of top-down training is essential when you consider that according to our research, fewer than half of companies (41%) believe that even IT employees’ cyber risk understanding is ‘excellent’ and only 32% say the same for risk management. Even more concerning, perhaps, are the limitations of the executive team: only 31% of respondents describe the senior leadership’s cyber risk understanding as ‘excellent’.
Against this backdrop, training for all employees is a key priority in the move to improve cyber risk management across the organisation, along with regular monitoring of staff behaviour and clearer communication with employees.
Insurers need to offer policies that support effective risk prevention, help to protect against cyber risk and assist companies in better understanding and evaluating risk so they can improve security and respond as effectively as possible when an incident happens.
Of course, in terms of the insurance itself, coverage is aimed at ensuring clients are ultimately restored to the position they were in prior to the breach. Clients can also be supported in other ways during and after an incident, such as working with third parties to minimise disruption and also to limit reputation damage where possible.
With strong technological protections, a well-educated human firewall and an insurance solution tailored to the individual needs of the business, companies can have confidence they are as well prepared as possible to face the ever-present and constantly evolving cyber threat.
Managing cyber risk
All firms should undertake a holistic audit of their cyber exposure. In each area, pre-loss planning can minimise the likelihood or effect of an attack. The areas are: awareness; protection; detection; response; and resilience.
Awareness involves understanding in detail the business environment, what risks exist and what regulation applies to a firm in the event of a cyber breach.
For protection, companies need to implement best-in-class cyber hygiene, including proper data-handling protocols, identifying a responsible information security officer, implementing technology or buying protection against identified risks.
Detecting intruders as quickly as possible is key to limit the damage attackers can do. This includes both technology-led solutions, and offering incentives to staff to raise the alarm quickly if they see or do something unusual.
Companies need a 24-hour response system that allows rapid action, including notification of those affected after an attack, as well as cleansing the system of malware.
Often referred to as business continuity, resilience is about the long-term protection of revenue, and includes communication to clients about resumption of business, rapid restart planning, and pre-planning to find alternative routes to market in the event of a shutdown.