Eight Tips to Help Your Business Achieve Cyber-Readiness
In the Hiscox Cyber Readiness Report, the perennial importance of cyber security shines through (of course). But so does its feasibility. While some organizations rightly invest significant funds in this area, others with less to spend may feel their hands are tied. Good news: They’re not.
The report is informed by more than 3,000 executives and IT managers across Germany, the UK and the US: “men and women on the front lines of the business battle against cybercrime,” who were surveyed for the occasion by Forrester Consulting. “As such, this report can be considered as one of the most authoritative of its kind,” Hiscox said. What can we learn from it? Let’s see the highlights.
Who’s ready and who’s not?
Hiscox divided organizations into three categories, based on how ready they were to weather a cyberattack. Novices (53 percent) rated low on strategy and execution. Opportunists (17 percent) rated highly on one or the other, but not both. Experts (30 percent) performed well on both.
“The most striking message of this analysis is that the majority of firms are either novices or experts,” Hiscox said. “Novices account for more than half of our survey group, suggesting the majority of companies have a long way to go before they can claim to be cyber-ready.”
The problem is real
A lack of readiness wouldn’t be so bad if cybercrime weren’t so serious, or so ubiquitous.
- Attacks are everywhere. Over half of the firms surveyed have experienced an attack in the last year. Two in five have faced multiple attacks.
- Downtime is painful. Almost half of businesses took two or more days “to get back to business as usual,” Hiscox said.
- Smaller firms feel it most. The financial impact of a breach is disproportionately high for the smallest companies. The fallout can do real damage to a company’s bottom line.
All told, robust defenses against cyberattack, paired with strong procedures for eliminating careless behavior, “are now the keys to business continuity and consumer trust,” Hiscox said.
Readiness doesn’t require big bucks
Businesses rated as “experts” spend a higher percentage of their revenue on preventing and mitigating cyberattacks than do smaller companies. Given the risks, that’s money well spent.
However, if you think it takes a mountain of cash to protect your organization from cybercrime, think again. “The good news is that this does not have to involve a major financial investment,” Hiscox said. The biggest gaps between novices and experts were in strategy and process: two areas where cyber security novices can make “a lot of quick wins.”
Eight ways to make some quick wins
- Raise awareness. Hiscox detected “a lower level of buy-in and awareness at board level for the key elements of cyber readiness.” Communicate the importance of cyber security and educate your team on relevant standards.
- Take an interdisciplinary approach. “Expert firms tend to involve a broader mix of stakeholders from across their organisation when setting their cyber strategy,” Hiscox said, with a collaboration of HR, marketing, product management, and sales as well as IT.
- Involve leadership. One of the defining characteristics of expert firms was executive involvement in the cyber security effort. In these organizations, cyber security was a top priority at the top tier, and security metrics bore a direct impact on decision-making.
- Make it formal. Board-level decisions “should be supported by formal, defined interactions rather than corridor meetings,” Hiscox said. With clearly defined structures, executives can devote a formal budget to security projects and make sure their decisions respect their organization’s cyber security risk tolerance.
- Train the whole team. The overwhelming consensus among expert firms is that employee training reduces cyber incidents. Security awareness should extend across the organization, with HR reviewing individual security competencies according to established metrics tailored to different roles.
- Dial in your documentation. Improving security tracking requires only moderate investment, but offers significant payoff. Document a response plan, measure its effectiveness, and define your containment procedures.
- Tighten up technology. The gaps between experts and novices here are less pronounced, but most novices can up their game with internal and external message encryption and the integration of strong, company-wide authentication.
- Transfer risk. As any cyber security professional will tell you, there’s no such thing as 100 percent security. Breaches happen to the best-prepared companies, which is why response is just as important as prevention. “One part of the solution, adopted by an increasing number of organisations, is to transfer the cyber risk to an insurer,” Hiscox said. Nearly two-thirds of expert firms have a cyber insurance policy, with many planning to extend their coverage in the coming year.
When it comes to the risk of cyberattack, how safe is your legacy policy administration system?
Each year, Silvervine Software completes the SOC 1 No. 16 Type 2 Exam. That’s infosec-speak for having passed an intensive security audit administered by a qualified third party. As we’ve said, “Companies who complete an annual SOC 1 examination are able to demonstrate a substantially higher level of assurance and operational visibility than those companies who do not.” In summary, we offer highly secure insurance software as well as secure hosting services with a Mirrored Failover Option that provides internal redundancy at two secure locations more than 100 miles apart. Request a demo to learn more.