(And How the Cyber Insurance Industry May Help You for Free)
I won’t keep you waiting. Before you get too excited about that free assist from the cyber insurance industry, let me be clear: it won’t help you directly. But that’s no problem. Resourcefulness benefits any business, and the cyber insurance industry will soon provide a new resource.
Marsh & McLennan is launching a consumer ratings system for cybersecurity defenses. It will review and rate software and cybersecurity services, and starting in June 2019 those ratings will be available to the public.
So even if you’re in the 27% of US firms that have no plans of getting cyber insurance, you can still benefit from the industry’s due diligence.
There’s no word yet on how the platform will maintain impartiality or on its underlying methodology, so for the clearest consideration, I’d recommend cross-referencing the ratings against professional reviews.
But isn’t this just a new tactic to differentiate themselves in the market and make money? Sure. In fact, if your company has cyber insurance with one of the participating insurers, you may become eligible for special “terms and conditions” when you use a product that those insurers consider effective (a “Cyber Catalyst” in their parlance). Clearly this is a business and not a philanthropic endeavor. But that doesn’t mean you can’t use it to your advantage.
Designing an effective security program will take research, diligence and perhaps more ingenuity than you might expect. And cyber insurance companies have a vested interest in keeping their payouts down. If their experience with the aftermath of major breaches and associated product insights inform your decisions, all the better.
One further caveat: cybersecurity companies will have to submit their wares for consideration, and with thousands of companies worldwide quite a few will choose not to submit.
Don’t miss out on those that choose not to participate.
How do you choose other effective cybersecurity measures?
Coordination, Coordination, Coordination
Think approach, rather than product. Once you have the approach, you can choose the appropriate product. Prioritize it. Creating a cohesive, coordinated security structure centered on prevention will serve you better than focusing primarily on individual products that may hyperspecialize.
There are a few reasons for this: many products are proprietary and don’t communicate well, if at all, with each other. Further, between each there may be gaps, ripe for breach. Just as the devil’s in the details, the gremlins live in the gaps. Find and fill gaps relentlessly.
Remember to consider staff, company processes, and technology when designing your system. Gaps between them do just as much damage as, if not more than, those in your technological defenses.
First, Have a Second Line of Defense
Prevention is an ideal, and like all ideals it’s often not realized. Detection is a fallback position worth establishing and maintaining. Indicators of compromise (IOCs) save you time, money and reputation costs. Get the freshest, most actionable, verified IOCs available, and use them wisely and regularly. They’re the building blocks of your security infrastructure.
Define and Measure Effectiveness
It’s time to create metrics if you haven’t. If you don’t have a threshold or findings over time, you won’t know when you’ve made progress. In short, the only tool worth having is one that works. And you’ll only know it works if you can see the effect. So whether you’ll measure the number of incidents, time since the last incident or a third-party vendor’s response time, know the metrics that matter to your organization and implement a system to track them.
Security Is the Best Policy
Mounting cyber threats compel companies to purchase cyber insurance. Whether you’re one of them or not, make sure you’ve mitigated your own risks by using all the tools available: ready-made, self-fashioned, or commandeered. In 2017, half of US firms didn’t carry cyber risk insurance. Policy is one thing, process another. For the best protection, ensure your company’s processes and products align.