(And How the Cyber Insurance Industry May Help You for Free)
I won’t keep you waiting. Before you get too excited about that free assist from the cyber insurance industry, let me be clear: it won’t help you directly. But that’s no problem. Resourcefulness benefits any business, and the cyber insurance industry will soon provide a new resource.
Marsh & McLennan is launching a consumer ratings system for cybersecurity defenses. It will review and rate software and cybersecurity services, and starting in June 2019 those ratings will be available to the public.
So even if you’re in the 27% of US firms that have no plans of getting cyber insurance, you can still benefit from the industry’s due diligence.
There’s no word yet on the underlying methodology or on how the platform will maintain impartiality, so for the clearest consideration, I’d recommend cross-referencing the ratings against professional reviews.
But isn’t this just a new tactic to differentiate themselves in the market and make money? Sure; in fact, if your company has cyber insurance with one of the participating insurers, you may become eligible for special “terms and conditions” when you use a product that those insurers consider effective (a “Cyber Catalyst” in their parlance). Clearly this is a business and not a philanthropic endeavor. But that doesn’t mean you can’t use it to your advantage.
Designing an effective security program will take research, diligence and perhaps more ingenuity than you might expect. And cyber insurance companies have a vested interest in keeping their payouts down. If their experience with the aftermath of major breaches and associated product insights inform your decisions, all the better.
One further caveat: cybersecurity companies will have to submit their wares for consideration, and with thousands of companies worldwide, quite a few will choose not to submit.
Don’t miss out on those that choose not to participate.
How do you choose other effective cybersecurity measures?
Coordination, Coordination, Coordination
Think approach, rather than product. Once you have the approach, you can choose the appropriate product. Prioritize it. Creating a cohesive, coordinated security structure centered on prevention will serve you better than focusing primarily on individual products that may hyperspecialize.
There are a few reasons for this: many products are proprietary and don’t communicate well, if at all, with each other. Further, between each there may be gaps, ripe for breach. Just as the devil’s in the details, the gremlins live in the gaps. Find and fill gaps relentlessly.
Remember to consider staff, company processes, and technology when designing your system. Gaps between them do just as much damage as, if not more than, those in your technological defenses.
First, Have a Second Line of Defense
Prevention is an ideal, and like all ideals it’s often not realized. Detection is a fallback position worth establishing and maintaining. Indicators of compromise (IOCs) save you time, money and reputation costs. Get the freshest, most actionable, verified IOCs available, and use them wisely and regularly. They’re the building blocks of your security infrastructure.
Define and Measure Effectiveness
It’s time to create metrics if you haven’t. If you don’t have a threshold or findings over time, you won’t know when you’ve made progress. In short, the only tool worth having is one that works. And you’ll only know it works if you can see the effect. So whether you’ll measure the number of incidents, time since the last incident or a third-party vendor’s response time, know the metrics that matter to your organization and implement a system to track them.
Security Is the Best Policy
Mounting cyber threats compel companies to purchase cyber insurance. Whether you’re one of them or not, make sure you’ve mitigated your own risks by using all the tools available: ready-made, self-fashioned, or commandeered. In 2017, half of US firms didn’t carry cyber risk insurance. Policy is one thing, process another. For the best protection, ensure your company’s processes and products align.
By Tenea D. Johnson
Founder, Progress By Design