
Myths about cyber protection

Published in News & Insights

We frequently discuss with our clients how they can protect their companies from cybercriminals. In the process, we’ve noticed that the same harmful lines of thinking keep coming up.

In this article, we will go through the main misconceptions about cyber insurance our clients have.


Cyber insurance is only for businesses that handle customer data

Just because your company doesn’t collect sensitive data from its customers, that doesn’t mean it doesn’t have any sensitive data at all. If your business has employees, it has sensitive data. Threat actors can exploit this data – things like bank details, home addresses, medical information, and more.

Additionally, if you do business with other vendors and conduct transactions, your business has sensitive data in the form of private account information – yours, and the other party’s.

We’ve got a good IT system, so we don’t need cyber insurance

Having IT security in place is great, and your business wouldn’t want to be without it. But even the best IT security isn’t a substitute for cyber insurance, nor is it designed to be.

The fact is that cyber breaches can and do happen to businesses that have robust IT security systems. This is for a couple of different reasons.

First, the strategies and tactics threat actors use to exploit your business’s vulnerabilities are changing and adapting all the time. In the same way that seasoned security analysts commit to learning about the increasingly sophisticated methods of cyber-attackers (so that they can defend against them), so too are cybercriminals learning from experience what works and what doesn’t, and increasingly refining their methods of attack.

The second reason is that IT security doesn’t actually account for a business’s top cybersecurity risk: its employees. Staggeringly, it’s estimated that up to 95% of cyber-attack incidents are due to human error.[1]

It takes one employee slip-up to cause a cyber crisis that could cost your business more than just money.

Our IT is outsourced, so we don’t need cyber insurance

Just like the above, this misconception assumes that the only cyber-attacks cyber insurance can help to protect against are those that breach IT systems, but this isn’t the case.

Often, threat actors use tools that don’t require any network penetration, like social engineering. Using social engineering tactics, they can convince your employees that they’re representatives from a legitimate source and trick them into sharing sensitive data. 

Your initial thought might be that your employees are too educated and tech-savvy to fall for such exploits, but this isn’t the case. In fact, the biggest social engineering attack of all time was orchestrated against Facebook and Google. This scam set the huge multinational companies back over $100 million USD. [2]

What’s more, even the most reputable IT companies include clauses in their contracts to protect them from liability if a cyber-attack breaches their defences and impacts your business. That’s where cyber insurance comes in.

Cyber insurance has a strong damage control element; it utilises crisis management methods to preserve your reputation while ethically handling any customers impacted by the breach. Good cyber insurance policies provide additional protection for losses to your business should your IT provider suffer an incident that does not directly affect you but still causes financial loss. 

I’m covered for cyber insurance on a separate, general policy

While it’s true that other policies might partially cover some elements of business cyber protection, it would be a mistake to depend fully on them.

For two consecutive years, cyber threats have ranked as the top risk to businesses. [3]

As our technology and cybersecurity defences advance, so too do the tactics of threat actors grow more sophisticated. Years ago, terms like vishing, ransomware, and botnets weren’t in the cyber lexicon, because they didn’t exist. Today, they are problems that loom large for any modern business. 

The cyber world is developing rapidly. The threats businesses face will continue to evolve. It would, therefore, be inadvisable to rest your business’s cybersecurity on a policy that neither understands nor covers your business against the sophisticated threats it faces, now and in the future.

Cyber insurance is too expensive

Just like any other form of insurance on the market, cyber protection varies in cost. There is no one-size-fits-all solution. Different companies face different threats; for example, a power plant company will face a different set of cyber risks than an IT company. Your cyber insurance policy should therefore be able to reflect your business’s individual needs.

But there’s a bigger question at hand. Instead of asking, ‘Is cyber insurance too expensive?’ a better question to ask would be, ‘What costs would my business face if it suffered a cyber breach?’

Not just the monetary cost, either, but the cost to your reputation and even the trust of your customers. Is this a cost that your business could afford?

Cyber insurance from Hugh J Boswell

If you have any questions about how you can protect your business from a cyber-attack, please contact us on 01603 626155.