It is down to you and your team
“Organisations often obtain cyber insurance that can provide a measure of protection in the event of losses from a critical cyber incident. While cyber insurance may be necessary for certain organisations, the often high cost and restricted or tailored coverage of a particular policy means that a board should carefully consider if it is appropriate and/or value for money for their organisation.
In addition to financial compensation, a key motivation for holding a cyber insurance policy is access to expert advice and assistance in the event of a significant cyber incident. Either the insurer, or specific industry experts engaged by the insurer, will assist an organisation in the immediate response and recovery phase of a significant cyber incident.
Prior to issuing a cyber insurance policy it is common for insurers to seek detailed information on an organisation’s cyber posture and procedures. This underwriting process can be useful for organisations to assess their current resilience levels as the questions asked by brokers/insurers will sometimes reveal previously unknown vulnerabilities.” (AICD, 2022)
The quote above is drawn from Cyber Security Governance Principles, produced by the Australian Institute of Company Directors. Whilst the situation is extremely dynamic when it comes to cyber insurance and the policy you hold (which may be dictated by a licensee), the core issue for SMEs is to position yourself so that you are focussing on the appropriate issues. Whilst that statement sounds particularly plain, dealing with the most immediate vulnerabilities, and understanding where they are generated from, is the most effective means of dealing with the issue.
The AICD highlights that SMEs tend to struggle with cyber security management because of factors including cost, resourcing, and the perception surrounding the complexity of the issue. Interestingly, they also point out that SMEs can be attractive targets due to their commonly low level of resilience to attacks from relatively simple malware and ransomware bots that can identify security weaknesses. Clearly, the size of a business will influence the amount of reporting that is done on cyber security issues, but knowing what your key digital assets are, knowing who has access to them, and maintaining a regularly updated strategy for how breaches will be prevented or dealt with are essential. In a business with a number of directors it is an issue that should be reported on regularly, in language that everyone can clearly understand. This material cannot be ethereal – it must be formally documented in order to properly manage the effectiveness of your policies. (AICD, 2022)
This is where it is crucial to reiterate that those who are after your data only need to crack your security once. One of the great failings of business leaders is to minimise or disregard an issue because they have not been exposed to it. In other words: "since we haven't had a data breach, our security practices must be appropriate." This is remarkably flawed logic that is also incredibly common in business and in wider forms of reasoning, so if you feel any degree of warm complacency, it may be the perfect time to start challenging your assumptions.