According to John Menefee (pictured), CyberRisk Product Manager at Travelers, cyber risk awareness has grown significantly in recent years, but how business leaders are transforming that awareness into effective risk management and insurance decisions. There is still some discontinuity in terms of whether it should be reflected.
“More and more organizations are buying cyber insurance. 59% of respondents have a cyber policy,” he said. “That number is growing and will continue to grow. Every day we work with our agents and customers to highlight the importance of that coverage. and we are beginning to gain some ground.
“From a risk management perspective, despite the growing awareness of attacks, ransomware, and all sorts of bad things that can happen on the internet, many of the most effective controls and prevention methods are still out there. Underutilized. Most respondents do not utilize endpoint detection and response (EDR) technology, and nearly half require multi-factor authentication (MFA) for remote or admin access and most do not have incident response plans.So there is still a big disconnect.”
Read the following: Many companies are woefully underprepared for cyber threats
There are many things companies can do to mitigate cyber risk, some of which are relatively low-cost such as MFA. Menefee said MFA is “one of the most impactful preventive controls” and that more companies implementing his MFA for email, remote access, and internal administrative access to systems would “be successful.” “The number of attacks will drop dramatically.”
However, adoption of MFA has been slow. According to the 2022 Travelers Risk Index, 90% of survey respondents said they were familiar with their MFA, but he said his company implemented remote access practices Only 52%.
Menefee told Insurance Business: “I think it’s just a knowledge gap because we [as insurers] By responding to so many events, we know what controls are most effective in reducing your organization’s chances of falling victim to a cyberattack. We also know many of the vulnerabilities and attack methods that attackers use to gain access to these networks. Based on the low usage of some of these controls, there appears to be a gap between the level of trust respondents have and their actual exposure.
“That is why it is important for cyber carriers to share the information and intelligence we have. And when we engage with our customers in this way…they seem very receptive and tend to work hard to enforce their controls. I just don’t know what I don’t know.”
Beyond MFA, all cyber risk professionals emphasize the importance of employee education, training employees on how to identify and report suspicious online activity and phishing emails. As Menefee pointed out, users are sometimes the weakest link and even the best cybersecurity controls can be defeated by a lack of education.
“Also, threat actors often select victims based on vulnerabilities visible on the internet,” added Menefee. “Organizations that are aware of their attack surface and patch critical vulnerabilities effectively avoid opening ports that attackers often target. Organizations that can avoid being targeted by attackers will have a much greater advantage.
“For some of the more advanced technologies that cost a little more, EDR technology can be very advanced controls that can identify and stop unwanted behavior or commands on the network. It’s like a backstop, and if all else fails, EDR is another layer of protection that can prevent claims from incurring or ransomware from running.”
One of the cyber challenges is the ever-changing nature of risk. Security controls implemented one day may be obsolete the next. While 93% of business decision makers in the 2022 Travelers Risk Index believe they have implemented best practice controls to mitigate or prevent cyberattacks, 80% of He also said it was difficult to keep up with the situation and threat vectors.
“And we can help, share data, and provide resources to our customers, and encourage them to implement these best practice controls to reduce the number of cyberattacks that occur. We can,” reiterated Menefee. If we are successful in encouraging our customers to make changes based on all that knowledge, it could be a major factor in reducing the impact cybercriminals have on our daily lives. I think it is important to understand the risks that change from moment to moment. I think many of them are starting to realize. Consciousness is there and we are encouraged by it. ”