GRAHAM ADVISOR
YOUR BEST LINE OF CYBER DEFENSE
MARGAUX WEINRAUB
Cyber Practice Leader
One stolen password led to the devastating six-day shutdown of the 5,550-mile Colonial Pipeline in May. That password, retrieved from a legacy VPN system without multi-factor authentication, was all it took to enable a nearly $5 million ransomware scheme that disrupted fuel supplies to the Southeast and caused panic at the pump. Today’s cyber criminals are both sophisticated and opportunistic – they’re constantly scanning for vulnerabilities. We’ve said it before, but any organization that connects to the internet or maintains confidential information is at risk. This year, with the additional uncertainty caused by the pandemic and ongoing remote work arrangements, we’re seeing an increase in business email compromise scams, ransomware schemes and intrusive malware transmitted through social engineering and phishing techniques. According to IBM, the average cost of a data breach in the United States is more than $9 million – more than double the global average of $4.2 million. Moreover, Sophos reports that the average cost of remediating a ransomware attack more than doubled last year, rising to nearly $2 million. As a result, we’re seeing drastic changes underway within the cyber insurance industry. Many carriers are increasing their rates more than 50%, and in some cases more than 100%, because there is a disconnect between the damages that could be caused and the premiums being paid. Carriers are also becoming more selective before quoting terms, vetting organizations’ security controls, business continuity plans and information security policies and procedures That’s why, at Graham, we work closely with our clients to thoroughly evaluate their risk exposure and provide holistic security recommendations and loss mitigation strategies. Proactively improving your security posture and working to prevent a cyber incident is the best thing you can do for your organization, and those same strategies will also help to minimize overall insurance costs. Getting started may seem overwhelming, but there are a few relatively simple yet effective steps that all businesses should take to increase their protection against cybersecurity threats.
Employee Training
Implement regular phishing testing and employee training. Some studies show that as high as 95% of security incidents are caused by human error. Conducting regular employee training and phishing tests is an important way for your organization to go on offense in identifying threat actors’ attempts to intrude and compromise your networks.
Proactive Maintenance
Maintain patches. This past September, Apple issued an emergency software update for a critical vulnerability in its operating system, after recognizing invasive spyware could infect their devices without even having to click on anything. Similarly, following the introduction of a zero-day exploit vulnerability that allowed access to employee emails and administrative privileges on Exchange Servers this spring, Microsoft released updates to patch the exploit. When a software firm announces a vulnerability and provides a patch, threat actors begin scanning for unprotected organizations right away, so immediate action is crucial to protect your organization from being a victim of a known vulnerability. In addition, don’t forget about your Internet of Things devices – these are often ignored in cybersecurity planning, but pose a critical risk for unauthorized entry if not properly patched and accessible to your network.
Password Management
Enable multi-factor authentication (MFA) and password management. These basic security measures are absolutely critical for preventing, slowing and containing threat actors. As we approach 2022, carriers are requiring MFA for email, remote, and administrative access as a baseline/minimum control for insurability, due to its proven ability to thwart a cyber attack.
Introducing...
Cyber insurance is critical, but so is taking preventative measures. Our Graham Cyber BlueprintSM provides guidance, through a brief questionnaire, on where you can make improvements to your cyber security environment. This not only better protects your organization, but also helps you build resiliency with added peace of mind in the event that a cyber attack does occur. With those measures in place, the right insurance policy can then play an important role in protecting your people, finances, customers and business operations.