October is Cybersecurity Awareness Month (CAM). The need for a reminder month can be found in the numbers.
- “79 million malicious domains flagged in the first half of 2022” KnowBe4.
- 45% of active cyber insurance plans will not be renewed in 2022 because firms do not have proper security software, plans, and processes in place.
- Nearly two in three midsize organizations have suffered a ransomware attack in the past 18 months. 20% of them spent at least $250,000 to recover from it.
The numbers have caught the attention of both businesses and the government. The federal government shares its concerns with the publication of the President’s Cybersecurity Awareness Month Proclamation. This is being matched by new legislation at the state and federal levels.
Business concerns manifest themselves in the changes transpiring in the insurance industry, Cyber insurance is currently the biggest risk to any insurer, underwriter, or reinsurer.
Changes in the renewal of insurance are now particularly targeted to companies that handle and maintain certain data. Such companies have larger risk exposure. The exposure accompanies entities that process credit card information or need to retain information such as health information, driver’s licenses, and anything that could be used to gain unauthorized access to key corporate information or can be used for identity theft.
The industry is seeing insurers move to require proof that a data breach response plan has been developed. Others now also require that you have conducted a security assessment within the past 12 months and have a plan for filling in the gaps. Finally, the insurers themselves are conducting network audits. The audit is carried out by conducting a remote penetration test of the insured ICT systems, data storage, file servers, mail servers/exchanges, and an on-site physical inspection.
The on-site inspection is vital, and the reason is you and me. The largest threat within an organization is “human error.“ The numbers again are defining. They provide proof that the majority of large-scale attacks have been the result of human error.
The human error basics are not new but evolving: Clicking a link, entering passwords into spoofed accounts, phishing attacks, and responding to spoofed emails. On-site insurance inspections assess the training, integrated prevention functions, automated preventions to detect and avoid human errors, and the internal cybersecurity awareness culture.
Hackers are joining Halloween spooks for October’s lineup of frightening specimens. This is ransomware, phishing, data breach, or worse yet…data publishing month (the Los Angles School System Hack). Welcome to Cybersecurity Fright Month.
It is good to have a certain annual reminder that cybersecurity is a business priority. If cybersecurity insurance trends continue, you won’t need a month to remind you that securing your networks and data is a high priority. Human error requires training, education, and a true culture shift to maintain security staying at the top of everyone’s mind. Security awareness and training are therefore requirements that need acceptance as a daily priority. The traditional approach to training employees in security is giving way to a broader-based approach that tackles behavior and culture. Being aware is the first step, but having a change in employee behavior that is based upon a security-conscious culture is the new goal.
Let this October be the month where you are reminded that times have changed, and those changes require a new level of security vigilance…and then ensure you back up everything. Yes, that’s another topic all together.
