Cyber breaches: Human element remains by far the biggest vulnerability

March 1st, 2024
x
Bookmark

By Rob Rafferty

I was sitting in a client’s reception, paging through an October 2022 edition of De Rebus, when my eye caught a well written article ‘The need for cybercrime insurance’ by Mapula Oliphant (2022 (Oct) DR 3). It was interesting to read that the Legal Practitioners Indemnity Insurance Fund NPC (LPIIF) differentiates between professional indemnity as a risk versus cybercrime as a risk. I agree wholeheartedly. Cybercrime is a business risk and is not unique to the legal profession. With the result that cybercrime is not covered by the LPIIF. I then started paging through the other De Rebus editions and only found a few articles touching on cyber insurance as a solution to cybercrime.

I, however, do not think that cyber insurance is the solution. Let me explain.

Cyber insurance is a complex, and expensive solution, and guess what? It still does not mean you are covered. There are companies who provide software and data-related work to many banks and attorney firms, and as such, have really had to beef up their risk management and cyber security. But many people reading this article, probably think that they bought a better firewall, or a better anti-virus … again, let me explain.

The human element remains by far the biggest vulnerability for you and your business. AAG, an international provider of information technology and cyber security, published that, in 2023, 82% of all cyber security breaches against businesses in America, involved a human element (Charles Griffiths ‘The Latest 2023 Cyber Crime Statistics (updated January 2024)’ (https://aag-it.com, accessed 31-1-2024)). This ‘social engineering is a manipulation technique that exploits human error to gain private information, access, or valuables’ (Clayton State University ‘Social engineering’ (www.clayton.edu, accessed 31-1-2024)). Users (ie, you or your staff) are lured into exposing data or spreading malware infections or giving others access to restricted systems. These hackers, in short, rely on, and then exploit, a user’s lack of knowledge.

If you do not have processes in place to limit this exploitation and increase these user’s awareness of cybercrimes, you are at risk.

Now, let us fast forward and look at the biggest reasons why cyber insurers will deny your claim.

  • You cannot demonstrate that you have proper security measures in place: Your insurer will want to see tangible evidence, in the form of documentation, regarding the preventative measures you have implemented to ward off cyberthreats. To avoid any hassles, you need to have thorough, accurate and updated documentation at all times.
  • Poor prevention practices: ‘Perhaps the most obvious reason companies are denied cyber insurance is simply due to lack of protective cybersecurity measures’ (ARIA ‘Top 5 Reasons Companies Are Denied Cybersecurity Insurance’ (https://blog.ariacybersecurity.com, accessed 31-1-2024)). By not having sufficient prevention practices in place, you could be handing the insurance company an easy reason to deny your claim. Keep in mind that your insurance policy most likely lists data security practices that you must implement in your business’ network. Non-adherence would be fatal to your claim.
  • ‘Inadequate endpoint security’: ‘Companies must focus on using a comprehensive approach to cybersecurity if they hope to get an insurance claim paid. Relying solely on antivirus software as the only preventative security measure is no longer a sufficient form of protection for an organisation … . One area that insurance agencies specifically look for is endpoint security’ (ARIA (op cit)). Endpoints are devices like mobile phones, laptops, printers, USB’s and even your smartwatch, that log into your network. ‘Lacking proper endpoint detection and response tools, is one of the fastest ways for a company to get denied an insurance claim’ (ARIA (op cit)).
  • A third-party stakeholder is at fault: When a business is trying to protect itself ‘against cybersecurity attacks, their network is only as strong as the weakest link in their supply chain. Due to the interconnectedness of modern technology, attackers can target outside providers as a means of gaining access to an organisation’s systems … . Supply chain attacks can allow easier access to networks if the third-party organisations do not have the same level of security measures as their partners, making cyber insurance companies hesitant to offer claims to companies that work with unprotected partners’ (ARIA (op cit)).
  • ‘Poor internal cybersecurity training and awareness’: ‘Human error in the cybersecurity realm can refer to anything from inadvertently downloading malware, to not using strong passwords. A company with even the strongest and most secure forms of cyber protection cannot adequately protect against attacks if their own employees are consistently providing attackers with internal access to their network. If a company cannot demonstrate they have implemented the necessary safeguards and given their employees comprehensive training on how to prevent attacks, insurance agencies can refuse their request for a claim’ (ARIA (op cit)).
  • You get what you pay for: Cyber insurance typically does not cover things like sales losses (eg, losing your legal documents and billing info), property damage (imagine your server is so corrupt you must replace it), third party providers or reputational damage. You need to dissect your insurance and really, really, know the nuts and bolts of the policy if you embark on this road.

The bottom line is this: Your insurance provider will assess whether you took ‘due care’ to protect your business from being compromised by a cyberattack, before approving your claim.

This is why I believe the proactive ‘due care’ part, plays a much bigger role in cyber security, than trying to cover your business retrospectively with cyber insurance. Do not get me wrong, cyber insurance may be very important, but if you do not implement the right tools, policies, training, and practices, in your business, you are getting the basics wrong, and you are simply under a false sense of security.

In the next article, I will endeavour to look closer to these prevention practices and how to incorporate them into policies.

Rob Rafferty BProc (UFS) LLM (UNISA) Adv Tax Cert (UNISA) Post Grad Financial Planning CFS (UFS) ISO 27001 Practitioner Certificate is a non-practising lawyer, director, and the CFO of FutureSoft in Centurion.

This article was first published in De Rebus in 2024 (March) DR 12.

X