Security awareness training and cyber insurance: Prevention, treatment or both?
Cybersecurity risk management: A business priority
Managing cybersecurity risk should be a priority for all organizations, no matter the size or industry. Bad actors don’t discriminate based on company size or business model, and the ever-growing number of cybersecurity attacks and data breaches is a reminder that no business can afford to ignore this risk.
Risk management strategies range from risk avoidance and mitigation to transference and acceptance. From a cybersecurity perspective, avoidance and acceptance may not be the best approaches. Avoiding exposure to cybersecurity risks in today’s interconnected world is a tall order, while accepting risk may come at too high a price.
The alternatives are to mitigate the risk, which means preventing incidents as much as possible through best practices such as awareness training, or transferring risk through cybersecurity insurance and other strategies. The question becomes which one is best for your organization?
The high price tag of data breaches
Before you decide on your risk management approach, consider the implications of cybersecurity incidents and data breaches. Cyber incidents are the top risk globally in 2020, according to the annual Allianz Risk Barometer.
The cyber incidents category has been climbing to the top of the Allianz list for the last few years, finally ranking as the No. 1 risk in the most-current survey — indicating that the risk has been growing over time.
As the Alliance Global Corporate and Specialty Deputy Global Head of Cyber Marek Stanislawski noted in the report, “The costs of a cyber incident are rising across the board, a product of growing complexity, more stringent regulation and the damaging consequences to a business from a loss of data or critical systems.”
Cybersecurity incidents, especially data breaches, carry high costs for organizations of all sizes. Research from IBM Security and Ponemon Institute estimates the 2019 cost per exposed record at $150, or an average of $3.92 million per data breach.
Yet financial loss is not the only concern that you have to worry about: the consequences range from loss of customers to reputational damage. New regulations also continue to emerge, adding to the price tag of data breaches.
Risk mitigation and risk transference can both potentially lower your costs of a cybersecurity incident. They work in different ways, however, and provide different advantages.
Security awareness training: “An ounce of prevention”
An ounce of prevention is worth a pound of cure, as the old proverb goes. This certainly applies to cybersecurity when it comes to employee security awareness training.
While training both end users and security staff is important, organizations often view the end users as their first line of defense, or the “human firewall.” Training end users is one of the best ways to fortify this firewall.
Before launching a program, you need to consider your security awareness training goals. Some organizations may do it as part of their compliance with European Union’s General Data Protection Regulation (GDPR) while for others, it may be part of a security-oriented culture. Regardless of the driving force behind the training program, the purpose is more or less the same: to reduce the risk of security incidents due to human error.
Awareness training to prevent phishing can be particularly effective for your workforce because bad actors use phishing for multiple purposes, from stealing user credentials to distributing malware.
Verizon’s 2019 Data Breaches Investigations Report found that phishing was the top attack vector: it was involved in 32% of data breaches. Phishing is all about manipulating human behavior, and an ongoing, consistent training program can limit your exposure.
Phishing is just one area where education and training can make a difference. Privacy protection, strong password practices, data classification and sharing, risky security behavior, compliance — these are some of the other practices to consider covering in your training program.
While security awareness is more common than it was a few years ago, it’s still a strategy that many organizations don’t leverage. Global insurance provider Chubb found that despite a 1,215% increase over the past decade in the number of commercial cybersecurity claims, many organizations have ways to go in providing education.
Chubb’s survey of more than 1,200 individuals found that only about a fifth learned about cybersecurity protections from their employers. The rest relied on sources like the media and friends — is that a reliable source of information you want your employees to use when it comes to protecting your assets?
Cyber insurance: Transferring your risk
Training is all about minimizing your exposure to threats, whereas insurance is more about minimizing the financial damages. It’s in no way a substitution for strong cybersecurity practices and doesn’t lower your cyber risk — it simply transfers some of it to the insurance carrier. The more risk you transfer, the more you’ll pay for it upfront.
Compared to other types of commercial insurance, the market for standalone insurance policies is quite small, but it has been steadily growing. Insurance broker Aon forecast that by 2021, cybersecurity insurance premiums worldwide will reach $4 billion, growing at an annual compound growth rate of 14.1% and becoming the fastest-growing category of commercial insurance.
Cyber-risk policies may pay for costs such as data recovery, regulatory defense, liability from data breaches and crisis services. While some may think it’s a proactive measure to limit financial exposure, it doesn’t improve your cybersecurity posture, except perhaps in one way: Many carriers require insureds to have certain security measures in place to start with and continue to follow those best practices to maintain coverage.
Insurance is not a substitution for defensive measures, but it might become an incentive to adapt robust security: you may be able to reduce your premiums if you can show that you are a lower risk.
You can look at your cyber policy the same way you would at your general liability or casualty insurance. It’s an investment that can soften the impact of a financial loss, and your business size or industry may not matter as much as your exposure. If you have sensitive data such as customers’ personal information, or stand to lose a lot of money if a cyberattack disrupts your operations, then considering insurance is a prudent step.
Conclusion: Should you invest in both?
How to best invest your risk-management dollars is a complicated question and there’s no one-size-fits-all answer. One place to start is a security risk assessment and an understanding of your risk appetite.
Once you understand your risks, you’ll have better clarity on whether training could mitigate some of those risks. And once you understand your risk appetite and other factors, you’ll be better equipped to answer the question whether insurance is a good idea for your organization.
You may find that you using both in tandem is beneficial for your business. The key is to not view either one of these solutions in a vacuum, but as parts of a larger risk-management strategy.
- Allianz Risk Barometer: Identifying the Major Business Risks for 2020, Allianz Group
- Cost of a Data Breach Report 2019, IBM Security/Ponemon
- 2019 Data Breach Investigations Report, Verizon
- Chubb Cyber Risk Survey 2019, Chubb
- Global Commercial Insurance Market to Grow $170B in P/C Premium By 2021: Aon Inpoint, Insurance Journal