Does your cybersecurity strategy include insurance coverage?

Businesses are now more connected than ever before. The advent of the cloud has resulted in more centralized data stores and critical business applications that are accessible from the internet.

Statistics from the United States show that over 66 per cent of American shoppers prefer electronic purchases over in-store shopping. The technology market research company Gartner has forecast a rise in the use of connected devices from about 8.4 billion in 2017 to over 20 billion in 2020 while the Institute of Electrical and Electronics Engineers (IEEE) predicts that the Internet of Things will number over 50 billion in 2020. The shipping industry is now on a massive drive to modernize and to infuse the use of technology more deeply into its operations.

What does this mean for security? Greater exposure! Larger threat surfaces! Humongous challenges!

Weaknesses

While not exhaustive, these are staggering statistics that must be the focus of any IT conversation, especially one about cybersecurity. I recently attended a seminar on cybersecurity hosted by the Port Authority of Jamaica (PAJ), delivered by Hudson Analytix, during which several cybersecurity weaknesses in relation to the shipping community were highlighted. They included a recent spate of cyber incidents such as the WannaCry ransomware which devastated public and private organizations worldwide; the Maersk ‘NotPetya’ attack, estimated to have cost upward of US$ 300 million to resolve; and the textbook case of the Antwerp cyberattack which took place over two years spanning 2011 to 2013. These are key reminders that security must be a focal point in any strategic agenda. Due to the growing levels of connectivity, threat levels have never been higher, making cyber events no longer a risk but a reality that must be countered tactically and strategically if business survival and full participation in the data revolution are to be assured.

The question is no longer whether there will be a breach, but – if not already, when? The traditional defenses are well established. Organizations instal edge protection technologies such as firewalls, proxy servers, spam filters, traffic filters, etc. Internally, anti-virus and anti-malware software monitors everything. Honeypots, nets and farms are more elaborate implementations aimed at fending off attacks. However, these have proven to fall short when tackling the myriad cyber threat vectors that exist today. The Mordor Intelligence Global Cyber Security Market – Applications, Trends, Forecast (2017-2022) report estimates that in the past year over US$ 450 billion was spent on cyberattack recovery.

So, what else can be done?

You must infuse cybersecurity awareness as part of the organization’s culture. Train and sensitize all staff on cybersecurity. Don’t forget the janitors, as they usually have organization-wide access when no one else is around. Remember the C-Suite, who may not be so tech savvy and may want exceptions that may punch huge holes in your defense mechanism. Develop a cybersecurity response strategy from which should evolve a cyber incident response plan. Don’t forget that you need to know the risks by assessing your vulnerabilities. Encrypting your data is no use if there is no back-up from which you can restore. Be smart about your approach. Spend your limited dollars on the 20 per cent that will yield the most results and give the most value. Establish service level agreements (SLAs) with your suppliers that ensure disclosure if their systems are breached.

Even if you believe that your data is insignificant, and you have nothing to worry about, transfer the risk. Get insurance with the right coverage. Forbes.com estimates that the cyber insurance market will grow from US$ 2.5 billion in 2015 to US$ 7.5 billion in 2020. So the insurance companies have seen the opportunities spawned by this pervasive threat. It is important to make sure that any damages arising from an attack on your system are covered. Note that a breach on your end can lead to breaches of your suppliers and customers. They will sue for damages! The Equifax breach resulted in the personal data of over 140 million US citizens being made public. The US retail giant Target was breached via its maintenance service provider. Maersk’s breach affected the worldwide shipping community. All these resulted in damages that must be to be paid from non-budgeted resources. Insurance is the most logical strategy that will reduce your financial risk.

In summary, there is an exponential growth in connectivity. The use of online services is trending upwards, making the threat surface larger and more complex. Traditional cybersecurity measures are always playing catch-up, necessitating a strategic convergence approach to physical security and cybersecurity. Enterprise architecture must be redesigned to include a focus on cybersecurity awareness. No one is immune; all should be trained and sensitized; individual vigilance may win only half the battle. However, you may have done all that is possible and still experience a breach. So, insure against the risks with the right coverage.