Think Cybersecurity Insurance Will Save You? Think Again.


By this point, we know that state-sponsored cyber attacks are a thing. Time and again, we see headlines to this effect, whether it’s election hacking, IP theft, or mega-breaches. For your average consumer, it’s troubling. But for executives at organizations that are targeted, it’s a nightmare.

The accompanying PR headaches, customer churn, and operational and reputation losses are bad enough; but when big companies think they’re protected by cyber insurance only to find out they aren’t, things go from bad to worse.

Are You Really Covered?

Indeed, per the New York Times, “Many insurance companies sell cyber coverage, but the policies are often written narrowly to cover costs related to the loss of customer data, such as helping a company provide credit checks or cover legal bills.” In other words, many organizations think that because they’ve purchased cyber insurance, they are protected and will be reimbursed for any expenses related to suffering and mitigating a cyberattack.

But that’s not necessarily the case. Insurers are increasingly citing a “war exclusion” clause (which “protects insurers from being saddled with costs related to damage from war”) to avoid reimbursing losses associated with cyberattacks.

Huh? How can that be? We’ve seen the US Department of Justice identify APT-10 as a Chinese state-sponsored corporate hacking group, attacking both Hewlett Packard Enterprise and IBM.

In addition, in the case of the now-infamous NotPetya (for which the U.S. assigned responsibility to Russia in 2018), affected companies are considered collateral damage in cyberwars. This is the nightmare scenario that played out for both Mondelez and Merck in 2017, after both organizations suffered hundreds of millions of dollars’ worth of damages resulting from the NotPetya attack. Unsurprisingly, both Mondelez and Merck are fighting back in court. But these cases will likely take years (and an astounding amount of legal fees) to resolve. Which begs the question: what are companies to do in the meantime when cyber insurance fails to protect the business?

Protecting Your Business

Well, first things first. Prioritize security; don’t treat it as an add-on or wait until you’ve been hit with an attack to beef it up. Build it into the very fabric of your company’s foundation. As I wrote last year, doing so enables an organization to scale and focus on security innovation, rather than scrambling to mitigate new threats as they evolve. Besides, baking security into your products and/or services can be leveraged as a competitive differentiator (and therefore help produce new revenue streams).

Additionally, there are several other steps to take to help protect your organization against large-scale cyberattacks:

  • Install comprehensive DDoS and application security protection. Such solutions will optimize business operations, minimize service degradation and help prevent downtime.
  • Educate employees. This can’t be emphasized enough; employers should educate their employees about common cyberattack methods (like phishing campaigns) and teach them to be wary of links and downloads from unknown sources. This may sound simplistic, but it’s often overlooked.
  • Manage permissions. This holds particularly true for organizations operating in or migrating to a public cloud environment; excessive permissions are the number one threat to your cloud-based data.
  • Use multi-factor authentication. Again, this is low-hanging fruit, but it bears repeating. Requiring multi-factor authentication may seem like a pain, but it’s well worth the effort to safeguard your network.

And, as always, let the (security) experts handle the (cybercriminal) experts. Don’t hesitate to engage third-party experts in your quest to provide a secure customer experience.

Read “The Trust Factor: Cybersecurity's Role in Sustaining Business Momentum” to learn more.

Mike O'Malley

Mike O’Malley brings 20 years of experience in strategy, product and business development, marketing, M&A and executive management to Radware. Currently, Mr. O’Malley is the Vice President of Carrier Strategy and Business Development for Radware. In this role, he is responsible for leading strategic initiatives for wireless, wireline and cloud service providers. Mr. O’Malley has extensive experience developing innovative products and strategies in technology businesses including security, cloud and wireless. Prior to Radware, Mr. O’Malley held various executive management positions leading growing business units at Tellabs, VASCO and Ericsson. Mr. O’Malley holds a Master of Business Administration degree, a Master of Science in electrical engineering, and a Bachelor of Science in electrical engineering from the University of Illinois. He also is a graduate of the Executive Strategy Programs at the University of Chicago.
