Not a week goes by without news of a security threat or massive data breach hitting the headlines. The global average saw 51% of public sector organisations hit by ransomware last year, and a high of 60% in the media, leisure, and entertainment industries.* No industry is safe, and it can lead to heavy claims for insurers. Take the Marriott Hotel for example: 339 million guest records compromised, $100m in costs incurred and over £99 million in EU fines. This breach alone led to insurance companies having to pay out over $102 million.** We’ve seen other excessive data breach payouts to global players such as British Airways, Verizon and Capital One, to name but a few.
Cyber attacks are increasing 50% year on year.*** And now cyber criminals are jumping on vulnerabilities exposed by the rise in remote workforces. They have upped their game with increased targeted phishing attacks, hoping to access organisational networks through an employee’s lack of awareness of best practices while working from home.
The main problem comes from the lack of education in the (now remote) business workforce. The old-school “go to” option for average businesses is simply to rely on technology as a defence. But, as forward thinkers realise, this is only part of the solution. The fact is that over 90% of all data breaches are caused by human error.
Effective pre-breach solutions are critical for insurers. And it is becoming more common for insurers to interrogate the reliance on technology as a sole pre-breach solution. Any investment in state-of-the-art security tools can be undone by a simple click on a phishing email, having the same password across multiple accounts or a misconfigured server. Now, more than ever, businesses need the technology AND the educational tools that focus on the human element of defence. Securing the business through the people within the organisation as well as the technological defences is the most effective pre-breach approach.
To the cybercriminal, and so to the insurer, employees represent the biggest cyber security vulnerability and are a “soft target” due to their lack of understanding of the risks faced. Interestingly, the most senior employees (known as “whales”) can be the biggest risk, as they are usually the least technically savvy; an attack aimed at them is known as a whaling attack. So, instead of using highly technical and time-consuming hacking methods to breach a company’s systems, cyber criminals often prefer to target the employees with low-grade, but very believable, email lures. Bad spelling and foreign princes offering money through scams are a thing of the past.
Insurers now need to encourage clients to build a strong cyber security awareness culture and real time training protocols. Clients need to recognise and prioritise cyber security in their risk registers and assign accountability for this risk to appropriately qualified senior executives. Cyber security is NOT an IT issue, it is a business risk and it is the responsibility and obligation of every staff member to help defend the network. This is where education becomes most important and it is something that needs to happen across every level of the business.
Cyber Risk Aware is the only company in the world to offer real time cyber security awareness training, is GCHQ accredited and is Microsoft Azure's only security awareness training platform. I created the platform after seeing the need for a pre-breach service during my time as a CISO and advisor to cyber underwriting teams within the insurance/reinsurance industry. Cyber Risk Aware helps companies assess the level of human cyber risk in their business, delivering Real-Time training to staff in their exact moment of need and running simulated phishing attacks and cyber knowledge assessments, to see where the risks lie in each business.
By understanding the importance of education on cyber risk, forward thinking insurers are innovating with pre-breach solutions and tackling the real fragility of human error. They are building the human firewall that, in turn, protects the technical firewall. We are delighted to be partnered with several leading cyber insurers who are leading the way, encouraging clients to recognise and prioritise cyber security in their risk registers and assign accountability for this risk to appropriately qualified senior executives.
Having formed strategic partnerships with Cyber Risk Aware, these innovative insurers are offering a pre-breach service that focuses on the number one cause of claims: the people. Fake invoices, false donations, and emails deceptively crafted to look like the CEO requesting that the CFO wire money into another bank account are everyday examples of how easily a cyber attack can occur. By providing cyber insurance clients with complementary phishing simulation and security awareness training content as an added benefit to their policies, insurers can help their clients understand their greatest security risk (employees), and how a security awareness training platform can help avoid costly security incidents happening in the first place.
* Sophos, The State of Ransomware 2020
** ft.com
*** 2019 Mid-Year Data Breach QuickView Report
Stephen Burke founded Cyber Risk Aware in 2016, having consistently found during his time as a CISO and as a Security Consultant that most, if not all, security incidents are caused by human error at all levels in an organisation, no matter how good the technical defences were. Having looked at what security awareness training and assessment was available on the market, he decided to take the plunge and set out to make a genuine difference, helping companies and home users avoid becoming victims of cybercrime.
As a CISO, he achieved notable success in directing and implementing a broad range of corporate security initiatives that reduced risk and fostered a security aware culture across all offices. The same now applies in Cyber Risk Aware.
Having occupied a number of positions in Ireland, Sweden and the UK spanning a 20-year career in technology and security, his specialties are:
Security Education and Awareness Programmes, Cyber Insurance, Network Security, Data Governance and Security, Malware Investigation and Incident Response, Risk Management, Security Behaviour Analytics, Security Architecture, Heuristic Security, Security Audit, Digital Forensics, Penetration Testing, Encryption, Wireless Security, Security Management, Database as a Service, Internal Cloud Design, SAN Design, RDBMS Virtualisation and Consolidation, Disaster Recovery.