Seven Bad Cybersecurity Habits of Highly Vulnerable Organizations

Seven Bad Cybersecurity Habits and How to Avoid Them

Helping our clients manage cyber risk goes beyond the mechanics of the insurance transaction. Accordingly, we have put together a list of the seven mistakes that organizations should avoid as they build out their cybersecurity program:
 
1. Not devoting resources to recruiting and retaining top talent. Cybersecurity professionals are in high demand, and they are often overworked and underpaid. Large, for-profit enterprises need to compensate them for their expertise and make sure that they do not burn out. For smaller businesses and not-for-profit organizations, a virtual or fractional CISO (Chief Information Security Officer) may be a viable solution.
 
2. Misplaced trust in technology. Having the best firewall, antivirus software, or endpoint detection is important, but do not underestimate the human element. Train your staff to recognize phishing emails and to practice good password management, and limit administrative privileges by time (granted only for as long as a task requires), scope (only the systems and actions the task requires) and personnel (as few accounts as possible).
 
3. Ignoring the whistleblowers. Staff need to be able to speak up about suspicious activity or careless privacy practices without fear of reprisal, and to be assured their concerns will be taken seriously. When loyal employees are rebuffed enough times, they stop reporting.
 
4. Poor vendor management. Do not assume that you can simply hire someone to run your organization’s Security Operations Center, store your data in the cloud, or manage your website and trust that everything will run smoothly. Ask about their controls, look at the contract wording to understand their duties as well as their limitations of liability, and ask for evidence of their Cyber and Technology Errors & Omissions (E&O) insurance.
 
5. Equating Compliance with Security. Many industries are subject to regulatory standards setting forth minimum cybersecurity practices, but these do not guarantee that a business will not fall victim to an attack. Regulations do not change on a dime with the threat environment, so plug into resources like the Cybersecurity and Infrastructure Security Agency (CISA) that provide real-time threat intelligence and actionable guidance to protect the homeland from evolving cyber risks. Your insurance broker can also be a valuable source of information in this regard, thanks to their experience handling cyber claims.
 
6. Not testing established processes. It is great to back up your data, but how often have you actually restored from those backups, confirmed that the restored data is complete and intact, and measured how long the restore takes against the recovery time your business can tolerate? Phishing training for employees, penetration testing for your network and tabletop exercises are also essential.
 
7. Not having an incident response plan. An organization should know which service providers will be engaged in the event of a data breach, business interruption or ransomware event. Are these vendors pre-approved under your Cyber insurance policy? Who decides whether to take down the network to prevent further harm? How will colleagues communicate if your email has been compromised? Under what criteria will you negotiate with threat actors if your network or data is held for extortion? These decisions cannot be made on the fly; they should be discussed, reduced to writing and socialized throughout the organization.
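The backup check in item 6 is easy to state and rarely automated, so here is an added example of what a restore drill looks like in code. It is not from Alliant or this article; it assumes a tar.gz backup and a separately stored manifest of SHA-256 hashes taken at backup time (both constructed in memory here, with made-up sample files), restores into a scratch directory, refuses archive entries that would escape that directory, compares every restored file against the manifest, and times the whole restore against a recovery time objective (RTO) the caller supplies. The drill is run three times: once against a good backup, once against one with silently altered content, and once against one with a file missing.

```python
import hashlib
import io
import tarfile
import tempfile
import time
from pathlib import Path

# Constructed sample data standing in for a few production files (not real data).
SAMPLE_FILES = {
    "db/customers.csv": b"id,name\n1,Alice\n2,Bob\n",
    "config/app.yaml": b"debug: false\nlisten: 127.0.0.1:8443\n",
    "docs/runbook.txt": b"Step 1: restore from backup.\n" * 200,
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_backup(files: dict) -> tuple:
    """Write the files into an in-memory tar.gz and return (archive_bytes, manifest).

    The manifest maps each relative path to its SHA-256 at backup time; it is what a
    later restore is checked against, so in practice store it apart from the archive.
    """
    buf = io.BytesIO()
    manifest = {}
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for rel, data in files.items():
            info = tarfile.TarInfo(name=rel)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
            manifest[rel] = sha256_hex(data)
    return buf.getvalue(), manifest


def restore_and_verify(archive: bytes, manifest: dict, rto_seconds: float) -> dict:
    """Restore into a scratch directory, verify every file, and time the whole restore.

    Returns a report: files missing from the restore, files whose content no longer
    matches the manifest, unexpected extra files, elapsed time, and whether the
    restore met the recovery time objective (RTO) passed in by the caller.
    """
    start = time.monotonic()
    missing, corrupted = [], []
    with tempfile.TemporaryDirectory() as scratch:
        root = Path(scratch).resolve()
        with tarfile.open(fileobj=io.BytesIO(archive), mode="r:gz") as tar:
            for member in tar.getmembers():
                # Refuse entries that would land outside the scratch directory (tar path traversal).
                target = (root / member.name).resolve()
                if target != root and root not in target.parents:
                    raise ValueError(f"unsafe path in archive: {member.name}")
            try:
                tar.extractall(root, filter="data")  # available on Python 3.12+ and backports
            except TypeError:
                tar.extractall(root)  # older interpreters without the filter argument
        restored = {p.relative_to(root).as_posix(): p for p in root.rglob("*") if p.is_file()}
        for rel, expected in manifest.items():
            path = restored.get(rel)
            if path is None:
                missing.append(rel)
            elif sha256_hex(path.read_bytes()) != expected:
                corrupted.append(rel)
        unexpected = sorted(set(restored) - set(manifest))
    elapsed = time.monotonic() - start
    return {
        "elapsed_seconds": elapsed,
        "within_rto": elapsed <= rto_seconds,
        "missing": missing,
        "corrupted": corrupted,
        "unexpected": unexpected,
        "ok": not (missing or corrupted or unexpected) and elapsed <= rto_seconds,
    }


def run_drill(rto_seconds: float = 30.0) -> dict:
    """Run the drill against a good backup, a silently corrupted one, and an incomplete one."""
    archive, manifest = make_backup(SAMPLE_FILES)
    corrupted_archive, _ = make_backup({**SAMPLE_FILES, "db/customers.csv": b"id,name\n1,Alice\n"})
    partial_archive, _ = make_backup({k: v for k, v in SAMPLE_FILES.items() if k != "config/app.yaml"})
    return {
        "good": restore_and_verify(archive, manifest, rto_seconds),
        "corrupted": restore_and_verify(corrupted_archive, manifest, rto_seconds),
        "partial": restore_and_verify(partial_archive, manifest, rto_seconds),
    }


if __name__ == "__main__":
    for name, report in run_drill().items():
        print(name, "OK" if report["ok"] else "FAILED", report)
```

The point of keeping the manifest separate from the archive is that a backup which is itself damaged or tampered with cannot vouch for its own integrity; the drill only means something when the expected hashes come from the time the data was captured. Running it on a schedule against the real backups, and recording the elapsed time each run, is what turns "we have backups" into a tested process.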
 
This list is by no means exhaustive, but it will start the conversation about how to improve cyber hygiene and better safeguard your systems against this complex and ever-changing risk.
 
* Alliant note and disclaimer: This information is designed to provide general information and guidance. Alliant does not own or operate the suggested diagnostic tools and is not responsible for the results of their use. Alliant Insurance Services disclaims any liability for any loss or damage from the information provided in this communication.

For more information:

 

Brian Dunphy
Senior Vice President
Brian.Dunphy@alliant.com
C: 212-504-1888
 

Robert Horn
Co-Cyber Product Leader
Robert.Horn@alliant.com
212-504-5828
 
John Loftus
Co-Cyber Product Leader
John.Loftus@alliant.com
917-572-8269