By this point, we know that state-sponsored cyber attacks are a thing. Time and again, we see headlines to this effect, whether it’s election hacking, IP theft, or mega-breaches. For your average consumer, it’s troubling. But for executives at organizations that are targeted, it’s a nightmare.
The accompanying PR headaches, customer churn, and operational and reputation losses are bad enough; but when big companies think they’re protected by cyber insurance only to find out they aren’t, things go from bad to worse.
Are You Really Covered?
Indeed, per the New York Times, “Many insurance companies sell cyber coverage, but the policies are often written narrowly to cover costs related to the loss of customer data, such as helping a company provide credit checks or cover legal bills.” Yet many organizations assume that because they’ve purchased cyber insurance, they are protected and will be reimbursed for any expense related to suffering and mitigating a cyberattack.
That’s not necessarily the case. Insurers are increasingly citing a “war exclusion” clause—which “protects insurers from being saddled with costs related to damage from war”—to avoid reimbursing losses associated with cyberattacks.
How can that be? Because governments now publicly attribute attacks to nation-states, and insurers can point to those attributions. The US Department of Justice has indicted members of APT10, a Chinese state-sponsored hacking group, for a campaign that reportedly breached managed service providers including Hewlett Packard Enterprise and IBM.
Likewise, companies hit by NotPetya (which the U.S. attributed to Russia in 2018) can be treated as collateral damage in a cyberwar. That is the nightmare scenario that played out for Mondelez and Merck, each of which suffered hundreds of millions of dollars’ worth of damage from the NotPetya attack in 2017. Unsurprisingly, both are fighting back—in court. But those cases will likely take years (and an astounding amount of legal fees) to resolve. Which raises the question: what are companies to do in the meantime, when cyber insurance fails to protect the business?
Protecting Your Business
Well, first things first. Prioritize security; don’t treat it as an add-on or wait until you’ve been hit with an attack to beef it up. Build it into the foundation of your company. As I wrote last year, doing so enables an organization to scale and focus on security innovation, rather than scrambling to mitigate new threats as they evolve. Besides, baking security into your products and/or services can be leveraged as a competitive differentiator (and therefore help produce new revenue streams).
Additionally, there are several other steps to take to help protect your organization against large-scale cyberattacks:
Install comprehensive DDoS and application security protection. Such solutions absorb volumetric attacks and filter malicious application traffic before it reaches your services, minimizing service degradation and helping prevent downtime.
Educate employees. This can’t be emphasized enough; employers should teach their employees about common cyberattack methods (like phishing campaigns) and train them to be wary of links and downloads from unknown sources. This may sound simplistic, but it’s often overlooked.
Manage permissions. This holds particularly true for organizations operating in or migrating to a public cloud environment; excessive permissions are one of the leading threats to your cloud-based data, because a single compromised credential inherits everything it was ever granted.
Use multi-factor authentication. Again, this is low-hanging fruit, but it bears repeating. Requiring multi-factor authentication may seem like a pain, but it’s well worth the effort to safeguard your network.
And, as always, let the (security) experts handle the (cybercriminal) experts. Don’t hesitate to engage third-party experts in your quest to provide a secure customer experience.
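As an added example for the “manage permissions” point above (this is not code from the original post): a small Python audit that reads a standard AWS IAM policy document and flags the grants a least-privilege review would catch, with an over-broad policy shown beside a scoped one. The three policy documents are constructed for illustration, and `ESCALATION_ACTIONS` is an assumed watch-list, not an AWS-published one.

```python
"""Audit AWS IAM policy documents for over-broad grants.

Added example; not code from the original post. The policy documents
below are constructed illustrations, and ESCALATION_ACTIONS is an assumed
watch-list rather than an AWS-published list.
"""
import fnmatch
import json

# Constructed: the "just make it work" policy that shows up far too often.
OVERLY_PERMISSIVE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
})

# Constructed: a service-scoped wildcard that still hands out escalation paths.
IAM_WILDCARD_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": "iam:Put*",
        "Resource": "arn:aws:iam::123456789012:role/example-app-role",
    }],
})

# Constructed: the same workload, limited to the calls and ARNs it needs.
LEAST_PRIVILEGE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:PutObject"],
            "Resource": "arn:aws:s3:::example-app-uploads/*",
        },
        {
            "Effect": "Allow",
            "Action": "sqs:SendMessage",
            "Resource": "arn:aws:sqs:us-east-1:123456789012:example-app-jobs",
        },
    ],
})

# Assumed watch-list: actions that let a principal widen its own access.
ESCALATION_ACTIONS = {
    "iam:AttachRolePolicy", "iam:AttachUserPolicy", "iam:CreateAccessKey",
    "iam:CreatePolicyVersion", "iam:PassRole", "iam:PutRolePolicy",
    "iam:PutUserPolicy", "iam:UpdateAssumeRolePolicy", "sts:AssumeRole",
}


def _as_list(value):
    """IAM accepts a single string or a list in Action/Resource fields."""
    return value if isinstance(value, list) else [value]


def _action_matches(pattern, action):
    """IAM action patterns are case-insensitive and use '*' / '?' wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def audit_policy(policy_json):
    """Return one finding string per risky grant in an IAM policy document."""
    findings = []
    policy = json.loads(policy_json)
    for idx, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access; nothing to flag.
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        if "*" in actions:
            findings.append(f"statement {idx}: Action '*' grants every API call")
        if "*" in resources:
            findings.append(f"statement {idx}: Resource '*' covers every resource")
        if "NotAction" in stmt:
            # Allow + NotAction grants everything except the listed actions.
            findings.append(f"statement {idx}: Allow with NotAction is a blanket grant")
        for pattern in actions:
            hits = sorted(a for a in ESCALATION_ACTIONS if _action_matches(pattern, a))
            if hits:
                findings.append(
                    f"statement {idx}: '{pattern}' allows privilege-escalation "
                    f"actions: {', '.join(hits)}"
                )
    return findings


if __name__ == "__main__":
    for name, doc in [("overly permissive", OVERLY_PERMISSIVE_POLICY),
                      ("iam wildcard", IAM_WILDCARD_POLICY),
                      ("least privilege", LEAST_PRIVILEGE_POLICY)]:
        print(f"{name}: {audit_policy(doc) or ['no findings']}")
```

The checker runs offline on any policy JSON you already have, such as the document returned by `aws iam get-policy-version`; the scoped policy produces no findings, the blanket `"*"` policy produces three, and the `iam:Put*` policy is caught even though it names a specific role, because the wildcard still covers `iam:PutRolePolicy` and `iam:PutUserPolicy`.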