It may surprise you (depending on how proactive your business insurance rep is) to learn that some insurance companies have started writing policies that cover business losses resulting from cyberattacks. The losses covered by cyber insurance vary from carrier to carrier and policy to policy, but mainly include the costs of investigation, system downtime, and remediation.
This is new territory for insurers, and it may take a few years before they get the coverages, endorsements, exclusions, and premiums right to ensure they can offer these policies and still make a profit. One area that many such insurers are struggling with is accurately evaluating a customer’s cybersecurity risk profile.
Measuring Cybersecurity Risk
There’s nothing new or magical, of course, about determining cybersecurity risk; cybersecurity consultants do it all the time, and every business should have such a professional evaluation, whether they’re shopping for cybersecurity insurance or not. Firewall configurations, operating system and software patching, and password policies are all easy to evaluate. But the biggest cybersecurity risk of all has nothing to do with technology; it’s the highly subjective answer to the question:
How gullible is your staff?
Why is this important? People who are easily fooled are more likely to fall prey to phishing scams, which are by far the top tactic that hackers use to get what they want. Hackers are becoming experts at social engineering and carefully craft their phishing messages to fool more people than ever, even people you would not otherwise consider “gullible.”
There’s no standard measure for gullibility, and no good way to test for it that wouldn’t be time-consuming, intrusive, demeaning, or all three, so insurers have to fall back on some other way to be certain that their customers are doing everything they can to mitigate phishing risk. Insurance companies that offer cybersecurity policies are increasingly requiring customers to have some kind of phishing prevention tool in place as a condition for insurance.
Mitigating Phishing Risk
There are many “anti-phishing” solutions on the market; most fall into two types:
- Tools that analyze the content and other characteristics of an email or website to flag it as “suspicious” or a “possible phishing attempt”; these are typically add-ons to email clients or web browsers
- Tools that train users to recognize possible phishing attempts and test that ability; often this includes an easy way for users to report suspected phishing emails with a button in the email client
Notice that neither of these approaches automatically and reliably recognizes and filters out phishing emails or prevents access to phishing sites. It’s an extraordinarily difficult problem, and no one has yet come up with an algorithm that can do so with 100% accuracy, that is, with no “false positives” (flagging a legitimate email as phishing) and no “false negatives” (failing to flag an actual phishing email). Some providers are starting to offer solutions that use artificial intelligence (AI) approaches to identify phishing attempts; it remains to be seen how effective these approaches are and how well they will keep up with the hackers’ increasing sophistication.
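To make the false-positive / false-negative trade-off concrete, here is an added example (not from the original article or any vendor's product) of the first type of tool: a toy content-and-characteristics scorer run over a constructed, hand-labelled sample mailbox. The heuristics, weights, thresholds, addresses and messages are all assumptions made up for illustration; the point is that no threshold gives zero of both error types on even this tiny set.

```python
import re
from dataclasses import dataclass


@dataclass
class Message:
    sender: str     # From: address
    subject: str
    body: str
    is_phish: bool  # ground-truth label, assigned by hand for this sample set


def score(msg: Message) -> int:
    """Add up weighted 'suspicious characteristics'; none is proof on its own."""
    text = f"{msg.subject} {msg.body}".lower()
    domain = msg.sender.rsplit("@", 1)[-1].lower()
    s = 0
    if re.search(r"\b(urgent|immediately|suspended|verify your account)\b", text):
        s += 2  # urgency or threat wording
    if re.search(r"https?://\d{1,3}(\.\d{1,3}){3}", msg.body):
        s += 3  # link to a bare IP address instead of a hostname
    if re.search(r"click here|update your (password|payment)", text):
        s += 2  # call to action typical of credential/payment lures
    if re.search(r"-(secure|login|verify)\.", domain) or domain.count(".") >= 3:
        s += 2  # look-alike or oddly nested sender domain
    return s


def evaluate(msgs, threshold):
    """Return (false_positives, false_negatives) when flagging score >= threshold."""
    fp = sum(1 for m in msgs if not m.is_phish and score(m) >= threshold)
    fn = sum(1 for m in msgs if m.is_phish and score(m) < threshold)
    return fp, fn


# Constructed sample mailbox: two phishing lures, three legitimate messages.
SAMPLES = [
    Message("it-support@mail-secure.example.net", "URGENT: account suspended",
            "Click here to verify your account: http://192.0.2.10/login", True),
    Message("billing@vendor-invoices.example.com", "Invoice 4471",
            "Please update your payment details at the portal link in the attached invoice.", True),
    Message("hr@corp.example.com", "Open enrollment closes Friday",
            "Please verify your account information in the benefits portal before the deadline.", False),
    Message("alice@corp.example.com", "Lunch?", "Want to grab lunch tomorrow?", False),
    Message("noreply@corp.example.com", "Password expiring",
            "Your password expires in 10 days; update your password in the self-service tool.", False),
]

if __name__ == "__main__":
    for t in (2, 3, 5):
        print(f"threshold {t}: false positives / false negatives = {evaluate(SAMPLES, t)}")
```

At threshold 2 the scorer catches the subtle invoice lure but also flags the legitimate HR and IT notices; at threshold 3 it clears the false positives and misses the lure, which is exactly why such tools are paired with user training and reporting rather than trusted to filter on their own.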
Still, some solution is better than no solution, and businesses are well advised to deploy at least one of each type, and will eventually have to do so in order to obtain cybersecurity insurance.
At bottom, in the absence of a solid, reliable, automated solution, your first line of defense is the people who use computers day in and day out and their ability to sniff out phishing attempts. Until that imagined automatic solution becomes a reality, constant education and training of your staff, coupled with whatever technical solutions are available, is your best defense against phishing.