Pen’s Perspective on prioritising prevention in cyber and ramping up resilience
Published on: 04 Mar 2024
Recent data and business surveys reveal some worrying trends for those of us dedicated to cyber risk mitigation: cyber security has reportedly dropped down the priority list for businesses, and there are suggestions cyber resilience is going backwards, with SMEs disproportionately affected.
The first trend emerged from the 2023 Department for Science, Innovation and Technology’s annual cyber security breaches survey, where competing priorities in a business environment of rising costs, high inflation and economic uncertainty saw prioritisation decrease. The percentage of businesses categorising cyber security as high priority had been on an upward trajectory from 69% in 2016 to 82% in 2022, only to fall back to 71% in 2023.
Meanwhile, the World Economic Forum’s ‘Global Cybersecurity Outlook’, published in January this year, cited a 30% drop in organisations overall maintaining minimum cyber resilience, singling out SMEs as having shown a “significant decline”.
But it doesn’t have to be that way. Cyber risk management has been central to our approach at Pen, ever since we began specialising in comprehensive, standalone cover back in 2015. In such a new (in insurance terms) area of risk, where the threat landscape continues to shift and evolve, it is especially important to recognise and reward the efforts of those seeking to mitigate that risk and proactively reduce their exposure.
This is not only because, where businesses and their risks are well managed, the length of disruption and thus the size of any claims is typically cut down. Prioritising prevention rather than cure, and having an insurance-backed response plan should the worst happen, could be the difference between an SME surviving or not when hit by a cyber attack.
Knowing where to turn in an unknown world:
Consider this scenario comparison. Faced with flooded premises, an SME with no insurance but significant contingency savings could arguably muddle through finding alternative business accommodation, replacing lost stock and securing various trades to make good the property. They would know who to call or at least where to go for recommendations.
Yet, how many SMEs, even with the necessary funds available, would know where to turn if they faced the double whammy of a ransomware attack and data exfiltration?
Should they pay the ransom? How do you even pay a ransom? Can they regain access to encrypted systems and files without doing so? Can they avoid having further sums extorted under the threat of the stolen data being published? And how do they manage and communicate with customers while offline?
Similarly, what if the nature of the attack was actually the theft of those large cash savings through a successful, socially-engineered phishing deception targeted at an employee, who inadvertently gave access to them?
By far the best scenario for broker and client is to do whatever is possible, affordable and accessible to avoid suffering a cyber attack or data breach in the first place. That’s why our proposition prioritises prevention.
Ramping up risk prevention and cyber resilience:
Towards the end of 2022, we invested in significantly expanding our focus on customer resilience by launching our UK strategic partnership with cyber security specialists Paladin Cyber – now known as Upfort – having already proven the effectiveness of working together in the US.
This provided all UK cyber policyholders with access to ongoing, proactive and practical vulnerability scanning and incident-prevention tools, through their broker, at no added cost to them.
In 2023, Pen cyber insureds implementing Upfort’s ‘Shield’ undertook more than 50,000 targeted and tailored training sessions totalling over one million hours.
Upfort also conducted more than 50,000 simulated phishing attacks, scanned more than 25 million emails, detected over 1.5 million instances of phishing language or links, and blocked over 21,000 malicious downloads and URLs.
But perhaps the most impressive numbers are these: in a 2023 study of more than 20,000 policyholders, among those fully implementing Shield there were zero ransomware claims, zero fraudulent funds transfers, such as those precipitated by a socially engineered phishing attack, and an 81% drop in claims frequency.
What better way to bring to life the benefits of taking a proactive approach to cyber resilience and risk management? So make sure your chosen cyber insurance partner is able to provide your clients with the all-important, ongoing risk monitoring and management tools, and can identify changing vulnerabilities in order for them to be patched or fixed as they emerge.
Most important of all, never forget the power of employee training. The UK Information Commissioner’s statement in October 2022 still holds true: “The biggest cyber risk businesses face is not from hackers outside of their company, but from complacency within their company.” After all, multiple data sources, including the World Economic Forum, put human error as the cause of up to 95% of cyber security incidents.
That’s why we prioritise prevention, to support brokers and their customers in reducing their vulnerability and having fewer claims. Then, if the worst should happen, rapid response. The value of cover lies in being able to source and pay for experts in breach response, forensic investigations, data recovery, system restoration, crisis communications and much more. But it is also about taking advantage of the cyber savviness and risk prevention tools made available to you as part of that cover to decrease the likelihood of an event ever arising.
1. https://www.gov.uk/government/statistics/cyber-security-breaches-survey-2023/cyber-security-breaches-survey-2023#chapter-1-introduction
2. https://www.weforum.org/publications/global-cybersecurity-outlook-2024/
3. https://www.upfort.com/blog-articles/study-upfort-shield-lowered-claims
4. https://ico.org.uk/about-the-ico/media-centre/news-and-blogs/2022/10/biggest-cyber-risk-is-complacency-not-hackers/