As we all know, doing business in the modern world comes with the fairly new and highly significant risk of cyber-attack.
To counter this, you will already have a few services which try to keep you safe: antivirus, firewall, backup, etc... You will also have cyber insurance in one form or another, as the safety net in case everything else fails and your defences are not enough when you get attacked.
However, you may not be as insured as you think...
Let’s look at the underwriter Lloyd’s of London: big, secure, and very well established. What could possibly go wrong there? Strangely enough, it’s the War clause. Picking through the wording and turning it into something intelligible, this roughly means that if you happen to be included in an attack which is deemed to be orchestrated by a nation state, you are probably not covered…
A good example of a nation state attack would be the 2017 attack by Russia on the Ukraine using NotPetya. This took down a lot of businesses, not least the global shipping company Maersk. Maersk was reduced to a level where it could not function; there were ships holding position outside of ports unable to dock, storage containers in ports all over the world and nobody had any idea what was in any of them. It caused total chaos.
Imagine something like that hitting your business, and then you discover that your insurance is not going to pay out because this was one nation state attacking another...
Where is the line drawn?
The obvious question is what constitutes this sort of attack, and where is the line drawn in the murky world of countries getting hacker groups to unofficially act against another country’s infrastructure? When is it an act of cyber war / terror, and when is it just some hackers doing what hackers do? This seems to be a bit ambiguous, but is roughly along the lines of the victim state has had a very damaging attack on something that it requires to function such as; financial markets, health services, or transportation infrastructure. The alarming part though is the next question: who gets to decide whether the attack that you are trying to make a claim about falls into this category? You guessed it, the underwriters. It is up to these guys to decide whether or not they can get away without paying out on a policy.
Cyber insurance may not be such a great safety net after all. This leaves you with a potential problem: how can we significantly reduce the overall risk to the business so that trying to claim on cyber insurance is less likely? Almost all cyber-attacks start with someone in your organisation making a mistake, like clicking on a phishing email or having their credentials harvested. The best thing that you can do is to get your people trained to spot the threats before they become incidents.
KnowBe4
Managed KnowBe4 security training provides ongoing training including phishing simulations to keep your employees on the ball and able to spot threats. Prevention is much better than waiting until everything has gone wrong and then trying to deal with the ensuing crisis.
