By this point, we know that state-sponsored cyber attacks are a thing. Time and again, we see headlines to this effect, whether it’s election hacking, IP theft, or mega-breaches. For your average consumer, it’s troubling. But for executives at organizations that are targeted, it’s a nightmare.

The accompanying PR headaches, customer churn, and operational and reputation losses are bad enough; but when big companies think they’re protected by cyber insurance only to find out they aren’t, things go from bad to worse.

Are You Really Covered?

Indeed, per the New York Times, “Many insurance companies sell cyber coverage, but the policies are often written narrowly to cover costs related to the loss of customer data, such as helping a company provide credit checks or cover legal bills.” In other words, many organizations think that because they’ve purchased cyber insurance, they are protected and will be reimbursed for any expenses related to suffering and mitigating a cyberattack.

But that’s not necessarily the case. Insurers are increasingly citing a “war exclusion” clause (which “protects insurers from being saddled with costs related to damage from war”) to avoid reimbursing losses associated with cyberattacks.

Huh? How can that be? We’ve seen the US Department of Justice identify APT-10 as a Chinese state-sponsored corporate hacking group, attacking both Hewlett Packard Enterprise and IBM. In addition, in the case of the now infamous NotPetya (for which the U.S. assigned responsibility to Russia in 2018), affected companies are considered collateral damage in cyberwars. This is the nightmare scenario that played out for both Mondelez and Merck in 2017, after both organizations suffered hundreds of millions of dollars’ worth of damages resulting from the NotPetya attack. Unsurprisingly, both Mondelez and Merck are fighting back, in court. But these cases will likely take years (and an astounding amount of legal fees) to resolve. Which begs the question: what are companies to do in the meantime when cyber insurance fails to protect the business?

Protecting Your Business

Well, first things first. Prioritize security; don’t treat it as an add-on or wait until you’ve been hit with an attack to beef it up. Build it into the very fabric of your company’s foundation. As I wrote last year, doing so enables an organization to scale and focus on security innovation, rather than scrambling to mitigate new threats as they evolve. Besides, baking security into your products and/or services can be leveraged as a competitive differentiator (and therefore help produce new revenue streams).

Additionally, there are several other steps to take to help protect your organization against large-scale cyberattacks:

- Install comprehensive DDoS and application security protection. Such solutions will optimize business operations, minimize service degradation and help prevent downtime.
- Educate employees. This can’t be emphasized enough; employers should educate their employees about common cyberattack methods (like phishing campaigns), and teach them to be wary of links and downloads from unknown sources. This may sound simplistic, but it’s often overlooked.
- Manage permissions. This holds particularly true for organizations operating in or migrating to a public cloud environment; excessive permissions are the number one threat to your cloud-based data.
- Use multi-factor authentication. Again, this is low-hanging fruit, but it bears repeating. Requiring multi-factor authentication may seem like a pain, but it’s well worth the effort to safeguard your network.

And, as always, let the (security) experts handle the (cybercriminal) experts. Don’t hesitate to engage third-party experts in your quest to provide a secure customer experience.

Mike O’Malley
Mike O’Malley brings 20 years of experience in strategy, product and business development, marketing, M&A and executive management to Radware. Currently, Mr. O’Malley is the Vice President of Carrier Strategy and Business Development for Radware. In this role, he is responsible for leading strategic initiatives for wireless, wireline and cloud service providers. Mr. O’Malley has extensive experience developing innovative products and strategies in technology businesses including security, cloud and wireless. Prior to Radware, Mr. O’Malley held various executive management positions leading growing business units at Tellabs, VASCO and Ericsson. Mr. O’Malley holds a Master of Business Administration degree, a Master of Science in electrical engineering, and a Bachelor of Science in electrical engineering from the University of Illinois. He also is a graduate of the Executive Strategy Programs at the University of Chicago.
*** This is a Security Bloggers Network syndicated blog from Radware Blog authored by Mike O'Malley. Read the original post at: https://blog.radware.com/security/2019/04/think-cybersecurity-insurance-will-save-you-think-again/

