Cyber loss prevention: How to mitigate cyber risks to your business
In the event of a cyber-attack, properly prepared businesses take immediate action, whether it’s putting their IT team on the case, or calling in experts like a cyber breach coach. While having a response plan in place is vital to mitigate risks such as business interruption, regulatory fines, or legal costs, there’s another critical side to the cyber security coin: prevention.
With shifts in our work lives and technology usage, new cyber risks have emerged. For example, a recent study found that 82% of IT leaders believe their company is at greater risk of phishing attacks when employees are working remotely.1 In addition, with many employees using personal devices for work, IT professionals are worried about security risks such as downloading unsafe apps, malware infections and software updates.2
In this changing landscape, it’s crucial for businesses of all sizes to take a proactive approach to cyber protection. Having the right safeguards in place can help prevent a range of cyber losses — from data breaches and theft of intellectual property, to financial losses stemming from social engineering, ransomware, and other attacks.
Here’s a look at key measures that can help protect your business from cyber losses:
Employee training programs and simulations: Human error—meaning an unintentional action or lack of action that allows a cyber incident to take place—is behind nearly all successful data and security breaches.3 That’s why employee training and education is so vital: it can help you avoid cyber incidents and strengthen your organization’s overall cyber security culture.4
The Canadian Centre for Cyber Security recommends organizations consider education and training topics such as: creating unique passphrases and complex passwords for all accounts; using the internet and social media safely in the workplace; using approved software and mobile applications; and identifying malicious emails.5
You can then put that training to the test with attack simulations. These allow you to see how employees would respond to different types of attacks, in real-world situations. For example, a phishing test sends employees a fake malicious email and/or a fake website to see if they’ll open attachments and/or click on the links, or if they report the suspicious email.6
Vulnerability scans and penetration tests: On the IT side, you can test your organization’s defenses with vulnerability scans and penetration tests. Vulnerability scanners are automated tools that allow organizations to check if their networks, systems and applications have security weaknesses that could expose them to attacks.7
Common vulnerabilities include substandard backup and recovery; weak authentication management; and poor network monitoring, among others.8
Penetration testing, also known as a “pen test” or “ethical hacking,” goes beyond vulnerability scanning. Using a mix of automated tools and manual techniques, a penetration test identifies vulnerabilities and then attempts to exploit those vulnerabilities.9
To illustrate the difference between vulnerability scans and penetration testing, a cyber security firm uses this analogy: A vulnerability scan is like walking up to a door, checking to see if it’s unlocked, and stopping there. A penetration test not only sees if the door is unlocked, but also opens the door and walks right in.10
Cyber security consultants: While cyber breach coaches help organizations deal with the aftermath of a cyber-attack, cyber security consultants are often hired to build the right defenses. These experts provide a range of services, including IT systems auditing, system monitoring, building firewalls and helping organizations stay compliant with government regulations.
Cyber security consultants are typically involved with every employee contact point for company data, including devices, applications, data storage and internal networks. Knowing how staff interact digitally allows these experts to identify potential weaknesses and plan for how to protect against them.11
As risks evolve, a proactive approach to cyber protection is crucial. When planning your defense strategy, it’s important to consider insurance coverage that’s specifically designed to address the unique and emerging risks to your business.
The Sovereign Secure TechPro product suite offers a new Policy wording that includes Technology E&O and Cyber Liability with enhanced first- and third-party liability coverages. This new modular product offers flexible coverages adapted to the unique and emerging risks to Canadian businesses – giving policyholders more of what they need and less of what they don’t. So not only is their policy comprehensive, but they’re getting great value too.
Contact your broker to learn more.
©2021 The Sovereign General Insurance Company, a member of The Co-operators group of companies. Sovereign® is a registered trademark of The Sovereign General Insurance Company. Not all advertised products may be available in all jurisdictions. For full terms and conditions, including coverage limitations and exclusions, please refer to the policy wording. The Sovereign General Insurance Company is committed to protecting the privacy, confidentiality, accuracy and security of the personal information that we collect, use, retain and disclose in the course of conducting our business. Visit sovereigninsurance.ca or call toll free at 1-800-661-1652 to learn more.
Sources
1,2 Tessian, “How hybrid-remote working will affect cybersecurity,” Sept. 2020
3 Hacker News, “Why human error is #1 cyber security threat to businesses in 2021,” Feb. 4, 2021
4,5 Canadian Centre for Cyber Security, “Provide employee awareness training,” Feb. 16, 2021
6 Dashlane, “How to run an effective phishing test at work,” March 7, 2020
7, 9 Rhino Security Labs, “Do I need a vulnerability scan or penetration test?”
8 Logsign, “What are the types of cyber security vulnerabilities?”
10 Control Scan, “Penetration tests vs. vulnerability scans: What’s the difference?”
11 EC-MSP, “What can a cyber security company do for your business?”