All businesses have 'people problems' when it comes to this risk | Insurance Business Canada
Employees can be an unpredictable bunch, and, even with the best training, they can click on emails that end up costing a company thousands of dollars.
A quarter of claims in the NetDiligence dataset of incidents that occurred between 2013 and 2017 involved the actions of insiders. A further breakdown revealed that 19% were the result of unintentional insider actions, while 6% involved the actions of malicious insiders, according to the 2018 NetDiligence Cyber Claims Study. The aggregate total breach cost for malicious insider activity was $55 million – about half that of unintentional insider activity.
“We’re still seeing a lot of [incidents of] an employee accidentally sending out something that they probably shouldn’t have. Those human errors are going to occur all the time – even really smart, sophisticated people make mistakes,” said Jennifer Beckage, founder of Beckage PLLC, a technology and business growth-focused law firm, and a speaker at the recent NetDiligence Cyber Risk Summit in Toronto.
“The hackers and the bad guys are very sophisticated. No more are you getting an email [claiming it’s] from an uncle who was a prince and left you some inheritance. These are sophisticated emails that are well-planned, and people who are very intelligent and bright can easily [get tricked by] these emails unintentionally.”
The best thing companies can do is train employees to try and prevent these incidents, but in spite of all best efforts, self-induced breaches do still occur, so incident response preparedness should be a key focus.
“Having worked with clients on a number of these, having a plan that really designates roles and responsibilities is important,” said Beckage. “Sometimes, clients will talk about what the organization is going to do, but not who individually is going to be responsible. [It’s important not to name] the individual by name, Bill or Sue, but rather the title because people come and go out of the organization. You want to identify the director of human resources or the director of communications.”
It’s also crucial to elevate and escalate the incident to the appropriate stakeholders so that they can prepare an appropriate response, added Beckage.
Now that all businesses are targets of hackers, and not just those who have personally identifiable information or credit card numbers on hand, it’s important for brokers to bring up cyber-related people problems to their clients across the board.
“Really understanding what [data] the organization has [at risk] is important, and a lot of carriers and brokers seem to go through that analysis to find out what you have, but also who may want it, so are you more likely to have an insider threat or are you more likely to have an external threat, based on the type of information that you’re holding?” explained Beckage. “Brainstorm those worst-case scenarios and then identify what they might be to do that risk assessment.”