Cyber Security: The challenge for insurers and practices alike

Since you only get one chance…

I want to add something slightly peripheral to the discussion that is possibly at the root of the issue in any business but may even be more magnified in small and medium sized businesses and that is the issue of management hypocrisy. If I was to guess the most negative characteristic of business leadership described in management texts, I would put hypocrisy very near the top. It can manifest in many forms from ‘do as I say, not do as I do’ through to the undermining of employees’ expectations by behaving poorly with an individual or their peers. At the very least, a misalignment of the words and deeds of a leader creates an environment where employees may start to psychologically distance themselves from the firm with the consequence of higher employee turnover. (Greenbaum, Mawritz, & Piccolo, 2015) Once you establish and communicate your cyber security policy with your team you must flawlessly model the behaviours you expect your employees to follow. The label of ‘hypocrite’ is one that you simply cannot afford in an environment where those who are hunting for access to your data only need to crack the shell once. It goes without saying too that the poor adherence to the rules by leadership may be the thing that grants access to your network and if the breach is something like a password (that you like to joke with people you have been using since you started work) then the higher up the management tree you are the more access it may provide.

You need to educate yourself and your team about what the consequences of a breach are and what to look out for. That sounds like a no-brainer but there is way more to it than you may think. There are areas of your cyber defence that can create some degree of complacency amongst users if they aren’t effectively trained on the limitations of your defences as well as explaining what it is that the automated systems are looking for. Specifically, the appreciation of the fallibility of the applications that are installed to protect you is key.

“…there was evidence that a lack of appreciation of the limitations of technical safeguards can lead to riskier, non-malicious behaviours relating to cyber security when using a digital device. Specifically, over-trust of technical safeguards was linked to poorer ability to discriminate between phishing and genuine emails. This is an important finding given that phishing attacks are still the most common form of cyberattack.” (Butavicius, et al., 2020) This research really highlights the need to not only provide guidance for yourself and your team with regards to cyber attacks but just as importantly it is crucial to provide context. When someone logs into their PC and sees the auto-start screen for a virus scanner it may lead them to assume that they are completely protected.

Afterall, the owners of the company think that this is good enough to protect their assets then that’s good enough for me. When you consider that it’s likely to be the (relatively) low-tech assaults that are most likely to infiltrate your security, you need to ensure that people understand the limitations of the protection that you have.

The FAAA provides guidance on some of the key considerations for dealing with cyber security. When you consider the research discussed above it is not surprising that their first step suggested is staff training and education with the following reasons offered:

  • Staff are a business’s first line of defence
  • 93% of phishing scams are from employees opening unsolicited emails
  • Training plays a key role because employees have access (digital logins) to business databases, client information and sensitive data. If hackers are able to access these areas using a valid username and login authentication then it will be even more difficult for a business to know their cyber security walls have been breached (FAAA, 2023)

The FAAA also offers the following on cyber liability insurance: Additional Cyber Liability Insurance is a protection method.

  • 1st party losses arising from cyber-attack:
    – business interruption losses
    – the costs of repairing and restoring systems or improving cyber security
    – reputational damage
    – extortion costs (paying ransoms for hackers to return valuable data)
  • E.g. ‘denial of service’ attack or the costs of rectifying the harm done
    (repairing, restoring systems that have been damaged)
  • 3rd party losses include:
    – liability in negligence for failing to properly protect client information
    – fines imposed by regulators such as ASIC on companies or individual directors (FAAA, 2023)

As you would imagine, if a company can secure cyber insurance that covers the most relevant threats at a price that is affordable for the protection that it offers then it seems an ideal part of the security options that may be pursued. As we have seen though, this is likely to become ever more expensive and offer protection over a shrinking universe of parameters. Accordingly, it appears that acting as though you have no protection is the starting point that we should go from. Since the threats are perpetually evolving and the door may be opened by you or one of your team, the baseline is one that requires constant vigilance and improvement of the systems and procedures that we utilise.