BreachExchange mailing list archives

Engage all levels of employees to achieve effective cyber security


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Fri, 23 Oct 2015 13:42:14 -0600

http://www.businessinsurance.com/article/20151022/NEWS06/151029916/katie-school-insurance-executive-forum-panel-advises-risk-managers


As emerging technologies introduce new security risks to businesses, risk
managers should have a solid plan in place to both prevent and respond to a
potential cyber attack, according to a recent panel of insurance industry
experts.

But the plan should strike a balance between protecting the firm from cyber
breaches while still enabling the business to perform its operations with
the technology necessary to do so, experts said Tuesday during the
Insurance Executive Forum held by Illinois State University's Katie School
of Insurance and Financial Services in Chicago.

Data breaches are becoming more common, making response plans all the more
essential to protect the property and reputation of an organization.
According to a September 2014 study by the Traverse City, Michigan-based
Ponemon Institute L.L.C., 43% of companies said they suffered a cyber
attack in 2014, compared with 33% in 2013.

And employers are acting: 73% of organizations have developed a data breach
response plan in 2014, up from 61% the year before, the Ponemon Institute
found.

An effective data breach response plan includes three parts, said Greg Bee,
the director of corporate information security governance and chief
information security officer with Bloomington, Illinois-based insurer
Country Financial.

The first step is to determine how to prevent a breach from occurring by
assessing the risks of the organization and where the gaps in security are,
Mr. Bee said. Firms should also prepare to “dissect the attack” once it
occurs, he said.

“We have to understand why we're being attacked, how we're being attacked
and what the motive of the attackers (is),” Mr. Bee said.

Third, if a breach does occur, organizations should know ahead of time how
to portray themselves in public. Holding mock cyber incidents can help
prepare the organization for all scenarios, he said.

Companies that are successful at battling cyber breaches include all
leadership and workers in the plan to prevent attacks, said W. James Regan,
senior vice president of FINPRO at Marsh L.L.C.

But it's important to note that employees are often one of an
organization's greatest “vulnerabilities,” said Paul Larson, senior vice
president and specialty risk manager with Chubb Specialty Insurance, a unit
of Chubb Corp.

As such, training workers in cyber security is necessary. For instance,
Country Financial began testing its employees' cyber security practices
four years ago by sending a fake phishing email crafted by a third-party
organization to 400 workers during the benefits enrollment period, Mr. Bee
said. The email was made to look as if it was sent from the benefits team,
and 320 employees clicked the malicious link. Forty percent actually handed
over credentials, he said.

But after performing the test each year since, last year only 2% of Country
Financial's employees clicked the malicious link, and only one person gave
up credentials, Mr. Bee said.

Securing cyber insurance

The insurance industry has “done a good job expanding cyber” insurance
coverage to include potential sources of costs, such as business
interruption and extortion, Mr. Regan said.

According to the Ponemon Institute study, in 2014 26% of organizations
adopted a cyber insurance policy, compared with 10% in 2013.

Insurance options for middle market employers are widely available, and
organizations can outsource to a third-party vendor to perform an annual
review of the cyber security practices, experts said.

According to Mr. Larson, a good agent or broker “is critical” because they
work to find gaps in the cyber security of an organization. But in the end,
he said, data breach preparedness begins with a good cyber security policy
in the workplace.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss