InsureThink

5 ways insurers can strengthen cyber resilience


Cybersecurity awareness among employees has never been higher. Most organizations now understand the threats and take the necessary steps to protect their networks. But fatigue, complacency and increasingly sophisticated threat actors using AI are creating new blind spots.

Employees, frustrated by continual multi-factor authentication (MFA) prompts, actively seek workarounds and shortcuts. Small and midsize businesses tend to underestimate their exposure. All the while, attackers are using tools designed to expose the weakest link inside every organization: the human on the other side of the screen.

Systemic risk exposure grows

As organizations become more dependent on software vendors and cloud service providers, attackers are targeting third-party systems and can disrupt entire industries. A prime example was last year's ransomware attack on CDK Global's SaaS platform, used by thousands of automotive dealerships nationwide, which essentially shut down car sales for a week. More recently, the Amazon Web Services outage, although not a cyberattack, showed how a single provider's failure cascades across everyone who depends on it; some experts put its financial impact in the billions.

This growing dependence on third-party software has fueled a dangerous misconception: that shifting operations to a third party also shifts the risk. The reality is that the original data owner remains responsible for any breach or outage, even when that data is hosted or managed externally; regulators and customers will look to the organization, not its vendor. This puts the obligation to protect that data squarely on the organization.

Small businesses underestimate risk

While large-scale attacks make headlines, small-to-midsized businesses are just as vulnerable. Yet many business owners still believe they are too small to be targeted. This false assumption ignores that much attacker activity is automated and opportunistic, scanning for whatever is exposed rather than choosing victims by size, and that every organization now relies on interconnected devices and systems, from the Internet of Things (IoT) to cloud services.

Should an attacker compromise any element of these companies' operations, the outcome can be catastrophic, especially since most small businesses lack the financial reserves to absorb major losses and penalties from a breach.

Insurers in the crosshairs

Insurers themselves are frequent victims of cyberattacks, which gives them unique authority to help educate their policyholders to develop cyber resilience.

For example, a wave of social engineering attacks carried out this summer by Scattered Spider disrupted operations for many insurers, including Aflac, Erie and Philadelphia Insurance Companies. Most of the breaches were contained within hours, but disruption to core systems, such as customer service and policy administrative platforms, lasted for more than a month.

Scattered Spider infiltrated insurers' networks by calling employees while posing as IT and help-desk staff, and convincing workers to hand over MFA codes. While it is unclear whether AI was directly involved, advances in generative AI tools are making it easier for attackers to mimic a target's colleagues, including their tone of voice.

The rising risk of these social engineering attacks underscores two harsh realities. First, it takes only one wrong click, or one phone call answered in good faith, for attackers to obtain massive amounts of data and cause widespread disruption. Second, however strong your MFA policies or Endpoint Detection and Response (EDR) capabilities, the human element cannot be engineered away; it can only be reduced, for instance with phishing-resistant MFA such as FIDO2 security keys or passkeys, which produce no code that can be read out over the phone, and with help-desk identity-verification procedures that do not rely on details an attacker can look up.
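The help-desk impersonation pattern described above leaves traces in identity-provider sign-in logs that a security team can alert on. The following is an added example, not code from this article or from any of the insurers named: it runs two detection rules over a small set of constructed sign-in events (the event names, user names, IP addresses and timestamps are all invented for illustration). The first rule flags a help-desk-initiated MFA reset that is followed within an hour by a new MFA factor enrolled from an address the user has never signed in from; the second flags an MFA push approval preceded by several denials, the "prompt fatigue" pattern in which a worn-down employee eventually taps Approve.

```python
"""Detection rules for help-desk impersonation against MFA (added example, constructed data)."""
from datetime import datetime, timedelta, timezone

# Constructed identity-provider events, roughly what Okta/Entra-style sign-in
# logs contain. Users, IPs and timestamps are invented for this example.
EVENTS = [
    {"ts": "2025-06-10T08:30:00Z", "user": "a.lee", "event": "login_success", "ip": "203.0.113.10"},
    {"ts": "2025-06-10T09:02:11Z", "user": "j.doe", "event": "login_success", "ip": "203.0.113.10"},
    {"ts": "2025-06-10T13:15:40Z", "user": "j.doe", "event": "mfa_reset", "actor": "helpdesk:t.smith", "ip": "203.0.113.10"},
    {"ts": "2025-06-10T13:22:05Z", "user": "j.doe", "event": "mfa_factor_enrolled", "factor": "sms", "ip": "198.51.100.77"},
    {"ts": "2025-06-10T13:23:30Z", "user": "j.doe", "event": "login_success", "ip": "198.51.100.77"},
    {"ts": "2025-06-10T14:00:00Z", "user": "a.lee", "event": "mfa_reset", "actor": "helpdesk:t.smith", "ip": "203.0.113.10"},
    {"ts": "2025-06-10T14:05:00Z", "user": "a.lee", "event": "mfa_factor_enrolled", "factor": "fido2", "ip": "203.0.113.10"},
    {"ts": "2025-06-11T02:10:00Z", "user": "m.khan", "event": "mfa_push_denied", "ip": "192.0.2.5"},
    {"ts": "2025-06-11T02:11:00Z", "user": "m.khan", "event": "mfa_push_denied", "ip": "192.0.2.5"},
    {"ts": "2025-06-11T02:12:00Z", "user": "m.khan", "event": "mfa_push_denied", "ip": "192.0.2.5"},
    {"ts": "2025-06-11T02:13:00Z", "user": "m.khan", "event": "mfa_push_denied", "ip": "192.0.2.5"},
    {"ts": "2025-06-11T02:14:30Z", "user": "m.khan", "event": "mfa_push_approved", "ip": "192.0.2.5"},
]


def _parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def _by_time(events):
    return sorted(events, key=lambda e: _parse_ts(e["ts"]))


def detect_helpdesk_reset_then_new_factor(events, window_minutes=60, lookback_days=30):
    """Help-desk-initiated MFA reset followed by a new factor enrolled from an unfamiliar address."""
    events = _by_time(events)
    window, lookback = timedelta(minutes=window_minutes), timedelta(days=lookback_days)
    alerts = []
    for i, ev in enumerate(events):
        if ev["event"] != "mfa_reset" or not ev.get("actor", "").startswith("helpdesk:"):
            continue
        user, reset_at = ev["user"], _parse_ts(ev["ts"])
        # Addresses this user signed in from before the reset form the baseline of "normal".
        known_ips = {e["ip"] for e in events[:i]
                     if e["user"] == user and e["event"] == "login_success"
                     and reset_at - _parse_ts(e["ts"]) <= lookback}
        for later in events[i + 1:]:
            at = _parse_ts(later["ts"])
            if at - reset_at > window:
                break  # events are sorted, so nothing further is inside the window
            if later["user"] == user and later["event"] == "mfa_factor_enrolled" and later["ip"] not in known_ips:
                alerts.append({
                    "rule": "helpdesk_reset_then_new_factor",
                    "user": user,
                    "reset_by": ev["actor"],
                    "factor": later.get("factor"),
                    "ip": later["ip"],
                    "minutes_after_reset": round((at - reset_at).total_seconds() / 60, 1),
                })
    return alerts


def detect_push_fatigue(events, min_denials=3, window_minutes=10):
    """An MFA push approval preceded by repeated denials from the same user in a short window."""
    events = _by_time(events)
    window = timedelta(minutes=window_minutes)
    alerts = []
    for i, ev in enumerate(events):
        if ev["event"] != "mfa_push_approved":
            continue
        at = _parse_ts(ev["ts"])
        denials = [e for e in events[:i]
                   if e["user"] == ev["user"] and e["event"] == "mfa_push_denied"
                   and at - _parse_ts(e["ts"]) <= window]
        if len(denials) >= min_denials:
            alerts.append({
                "rule": "mfa_push_fatigue",
                "user": ev["user"],
                "denials_before_approval": len(denials),
                "ip": ev["ip"],
            })
    return alerts


def run_detections(events):
    """Run every rule and return the combined alert list."""
    return detect_helpdesk_reset_then_new_factor(events) + detect_push_fatigue(events)


if __name__ == "__main__":
    for alert in run_detections(EVENTS):
        print(alert)
```

On the constructed data the first rule fires for j.doe (an SMS factor enrolled from a never-seen address a few minutes after a help-desk reset) but not for a.lee, whose new FIDO2 key was enrolled from the address she had signed in from that morning; the second rule fires for m.khan's approval after four denials. Both signals are worth routing to a SOC with the same urgency as an EDR alert, because by the time the attacker is enrolling a factor, the phone call has already succeeded.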

5 ways to build cyber resilience

The growing frequency and sophistication of cyberattacks requires business owners and their insurers to improve their resilience. Insurers, agents and brokers should encourage their policyholders to follow these five key action tips to protect their organizations:

1. Implement MFA thoughtfully
MFA is still an essential cyber insurance requirement, even if some employees have grown weary of it. While it is not a complete hedge against threats, MFA is one of the most important security layers for mitigating human error. It should be mandatory on email, remote access, all privileged accounts and backups, but deployed thoughtfully: prefer phishing-resistant methods (FIDO2 security keys or passkeys) for privileged and remote access, use number matching rather than simple push approval, and reduce prompt fatigue with risk-based policies that re-prompt when the device, location or risk level changes rather than on a fixed timer. Fewer, more meaningful prompts also mean fewer opportunities for a "just approve it" habit to form.

2. Deploy EDR
Some cyber policies now require companies to implement endpoint detection and response (EDR) with 24/7 monitoring by a security operations center (SOC). EDR provides continuous visibility into what is happening on workstations and servers (processes, logins, file and registry changes, outbound connections), so analysts can spot an intrusion early and isolate the affected host, limiting damage or preventing a breach altogether. The monitoring matters as much as the tooling: an alert that nobody reads at 2 a.m. does not stop anything.

3. Understand vendor contracts
Review the fine print in third-party vendor contracts carefully so you know who is responsible in the event of a breach. Many limit the vendor's liability to the fees paid. Some offer business continuity credits in the event of outages. Also vet all vendors to ensure they keep pace with their own security practices, for example by asking for their SOC 2 or ISO 27001 reports and their breach notification timelines.

4. Take extra precautions for large payments
Establish a policy to confirm wire transfers, and any change to a payee's bank details, with a call back to a phone number already on file, never to a number supplied in the request itself, or through another secure out-of-band channel. Require dual sign-off for all large payments, with role-based approvals so that the person who requests a payment cannot also approve it.

5. Raise employee awareness
Staff members cannot help secure an organization if they do not understand the risks. Conduct ongoing training that reinforces best practices and keeps staff updated on new threats, including the help-desk impersonation calls described above, and make it easy and blame-free to report a suspicious call or a prompt approved by mistake; a fast report is often what keeps a single mistake from becoming a breach.
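The call-back and dual sign-off rules in tip 4 are easier to enforce in an approval workflow than to leave to memory. The block below is an added example, not part of this article or any insurer's system: a small payment-approval check that holds a request when the requester is among its own approvers, when a large amount has fewer than two distinct approvers holding the approver role, when the bank account in the request differs from the vendor master record (the classic business email compromise signature), or when a required call-back to the number on file was not recorded or was made by the requester. The thresholds, role names, vendors, phone numbers and sample requests are all assumed for illustration.

```python
"""Payment approval checks: dual sign-off, separation of duties and call-back verification (added example)."""
from dataclasses import dataclass
from datetime import date
from decimal import Decimal
from typing import Dict, List, Optional, Set, Tuple

# Assumed policy values; a real organization sets these in its accounts-payable policy.
DUAL_SIGNOFF_THRESHOLD = Decimal("10000")   # at or above: two distinct approvers required
CALLBACK_THRESHOLD = Decimal("10000")       # at or above: verbal call-back required
RECENT_CHANGE_DAYS = 30                     # bank details changed this recently also need a call-back


@dataclass(frozen=True)
class Vendor:
    name: str
    bank_account: str        # account in the vendor master record
    callback_phone: str      # number on file; the request itself is never trusted for this
    account_changed_on: date


@dataclass(frozen=True)
class PaymentRequest:
    vendor: str
    amount: Decimal
    bank_account: str                    # account the requester entered
    requester: str
    approvers: Tuple[str, ...]           # people who signed off
    callback_verified_by: Optional[str]  # who phoned the vendor back, None if nobody did
    requested_on: date


# Assumed role assignments (role-based approvals).
ROLES: Dict[str, Set[str]] = {
    "alice": {"ap_clerk"},
    "bob": {"ap_approver"},
    "carol": {"ap_approver", "controller"},
}

# Constructed vendor master records with invented account identifiers and phone numbers.
VENDORS: Dict[str, Vendor] = {
    "Acme Supply": Vendor("Acme Supply", "ACCT-1001", "+1-555-0100", date(2024, 1, 15)),
    "Northwind": Vendor("Northwind", "ACCT-2002", "+1-555-0199", date(2025, 6, 5)),
}


def evaluate_payment(req: PaymentRequest, vendors: Dict[str, Vendor],
                     roles: Dict[str, Set[str]] = ROLES) -> List[str]:
    """Return the list of policy violations; an empty list means the payment may be released."""
    problems: List[str] = []
    vendor = vendors.get(req.vendor)
    if vendor is None:
        return ["vendor is not in the vendor master; onboard it through the vetted process first"]

    # A bank account that differs from the record on file is how BEC payments are redirected.
    if req.bank_account != vendor.bank_account:
        problems.append("bank account in request differs from vendor master record")

    # Separation of duties: the requester is never one of the approvers.
    if req.requester in req.approvers:
        problems.append("requester cannot approve their own payment")

    # Only people holding the approver role count, and each person counts once.
    valid = {a for a in req.approvers if "ap_approver" in roles.get(a, set())} - {req.requester}
    needed = 2 if req.amount >= DUAL_SIGNOFF_THRESHOLD else 1
    if len(valid) < needed:
        problems.append(f"needs {needed} distinct approver(s) with the ap_approver role, found {len(valid)}")

    # Call-back to the number on file for large payments or recently changed bank details.
    recently_changed = (req.requested_on - vendor.account_changed_on).days <= RECENT_CHANGE_DAYS
    if req.amount >= CALLBACK_THRESHOLD or recently_changed:
        reason = "large payment" if req.amount >= CALLBACK_THRESHOLD else "vendor bank details changed recently"
        if req.callback_verified_by is None:
            problems.append(f"call-back to {vendor.callback_phone} required ({reason}) but not recorded")
        elif req.callback_verified_by == req.requester:
            problems.append("call-back must be made by someone other than the requester")
    return problems


def sample_requests() -> Dict[str, PaymentRequest]:
    """Constructed requests covering the cases the checks are meant to catch."""
    today = date(2025, 6, 10)
    return {
        "clean": PaymentRequest("Acme Supply", Decimal("25000"), "ACCT-1001", "alice", ("bob", "carol"), "bob", today),
        "self_approved": PaymentRequest("Acme Supply", Decimal("25000"), "ACCT-1001", "alice", ("alice", "bob"), "alice", today),
        "changed_account": PaymentRequest("Acme Supply", Decimal("4000"), "ACCT-9999", "alice", ("bob",), None, today),
        "recent_bank_change": PaymentRequest("Northwind", Decimal("4000"), "ACCT-2002", "alice", ("bob",), None, today),
    }


if __name__ == "__main__":
    for name, req in sample_requests().items():
        verdict = evaluate_payment(req, VENDORS)
        print(f"{name}: {'RELEASE' if not verdict else 'HOLD'} {verdict}")
```

The "changed_account" case is the one worth dwelling on: it is under every monetary threshold and has a legitimate approver, so a policy that only looked at amount and sign-off count would release it. Comparing the account against the vendor master, and insisting on a call-back whenever that record has recently changed, is what catches a fraudster who has already talked someone into updating the payee details.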

It's when, not if

AI is helping hackers move so fast that it's nearly impossible for humans in the IT department to keep pace. That means breaches are a matter of when, not if. Insurers, agents and brokers should encourage policyholders to invest in both their human and technical cybersecurity resources, along with cyber policies that can protect them when the inevitable happens.
