Fighting back with Principle 9
The NAIC has a set of 12 Principles for Effective Cybersecurity: Insurance Regulatory Guidance. As a long-time partner to a leading cyber insurance pioneer — and as a provider of cybersecurity workforce training — we are happy that Principle 12 points out the importance of training and assessment on cybersecurity issues. We’re also struck by one remarkable sentence found in Principle 9:
“Cybersecurity transcends the information technology department and must include all facets of an organization.”
With phishing and social engineering attacks on the rise, this couldn’t be truer or more important. All of a company’s employees need to understand not just high-level concepts of cybersecurity, but also the nitty-gritty: how to recognize and respond to potential security threats they may face in their day-to-day work, and in their specific roles. When is it okay to deviate from established procedures? Should I click on the log-in link in this email? Someone is threatening to get me in trouble if I don’t expedite this transaction; what do I do?
Phishing and social engineering attacks are insidious because they are inherently predatory, and the predators seek to exploit human weaknesses, such as fear. But they also prey on the best of our nature, like the desire to help a stranger who appears to be in distress.
How do we handle these situations in the real world? If your employees don’t know, you have a security gap. In the parlance of our industry, this is commonly referred to as “the human element of risk.” The good news is there’s also a human element of security: a well-trained workforce. That’s one of the benefits of RiskTool, our web-based risk management and training platform. It’s an easy way to train your team to be on alert for the scams and attacks that prey on both the best and worst in human nature.
Training is critical. How much does it matter? Well, consider that a leading insurer bundles RiskTool with its cyber insurance policies. Through RiskTool, 286 active customers were able to assign training to more than 70,000 employees over the past year. If insurers use it to help mitigate risk for their insureds, then it just might make a difference to your company’s security, too. Check it out here.