Introduction

For ISN’s Cyber Tool Team, the spookiest aspect of October is cybersecurity risk. We continuously analyze internal and external data to build tools for our Clients that mitigate the likelihood of a cybersecurity incident. In the course of making these data-driven decisions, we have observed that the importance placed on tracking cyber risk increases every year.

A good example is within the insurance sector; these corporations are undeniably experts at calculating and managing risk. The Council of Insurance Agents & Brokers (CIAB) reported that cyber insurance premiums have escalated by an average of 28% [1] just within the first quarter of 2022. There are numerous data points that could account for the drastic increase, but here are some notable standouts:

  1. USD $9.44 million average cost of a data breach just within the United States [2]
  2. USD $4.35 million average cost of a data breach across the globe [2]
  3. 277 days on average to identify and contain a data breach [2]
  4. 83% of organizations have had more than one breach [2]
  5. 847,376 cybercrime complaints reported in 2021 [3]

Historical data shows most of these statistics increasing yearly, and so far there have been no indicators of the rate slowing down. If a business uses electronic equipment to perform work, it should take cybersecurity into consideration and realize that it can pose a cybersecurity risk to the organizations it is connected to.

Cybersecurity Awareness Month

October is Cybersecurity Awareness Month, and the purpose is to empower organizations to protect their critical data. This starts with cultivating a culture of security awareness from within. Most individuals have heard of and understand the basics of data security, but fostering a security culture is more challenging.

We refer to security culture as a group of security-related values, attitudes, assumptions and norms that can be seen in the actions and behaviors of all personnel within an organization. These security influences can be evidenced within an employee’s day-to-day tasks, but also should impact the products and services that an organization delivers. There are a few key ways to instill security culture within the organization:

  1. Require a base level of Security Awareness Training (SAT) and provide advanced courses for the personnel who need to secure products and services or hold a high access level.
  2. Ensure employees understand that security is a shared responsibility among all personnel.
  3. Make cybersecurity topics an engaging and fun portion of an employee’s development.
  4. Provide rewards or incentives to strengthen positive security culture.
  5. Prioritize cybersecurity concerns that are most likely to occur: [4] Social Engineering, Malware, Hacking, Error. (Definitions can be found at the bottom of this article and on source link 4 - page 14)

Cybersecurity Training Resources

Cybersecurity is a topic that may seem overwhelming to train on at first glance, and it may be difficult to know where to start. There is an abundance of free and publicly available resources that help organizations take measurable first steps to incrementally improve their own security posture, from providers such as:

  1. National Institute of Standards and Technology (NIST)
  2. Cybersecurity & Infrastructure Security Agency (CISA)

Security Awareness Training is also included within ISNetworld’s Learning Management System (LMS). Contractor employees can complete registered third-party training at no additional fee. Our Training Library is an expanded way of viewing, assigning and completing high-quality, computer-based training materials that can satisfy Client requirements.

Need more information?

ISN helps organizations standardize a tiered, third-party risk management program across all supply chain participants that pose a cybersecurity risk to your organization. We accomplish this by establishing a baseline of cybersecurity due diligence, then increasing that level of review as suppliers become higher risk. Common first steps in this process are collecting Cyber Questionnaire responses, requiring Cyber Liability Insurance and reviewing a supplier’s Cyber Risk Rating. As a supplier’s risk level increases, we can verify internal cybersecurity policies through Document Collection and even assess a supplier’s internal security posture with Cyber Plus.

If you are a current ISN Hiring Client subscriber, contact your account representative about incorporating cybersecurity tools into your supplier information management program.

If you are interested in learning more about ISN’s supplier management system to help you reach your cybersecurity goals, contact ISN to request a demo of ISNetworld.

Definitions:

· Social Engineering: The act of using deception, manipulation, intimidation or other techniques to exploit humans and information assets.

· Malware: Any form of malicious code, script or software designed to run on an information asset that alters its state or function without the consent of the asset owner.

· Hacking: The attempt to deliberately harm or access information assets without the consent of the asset owner.

· Error: Any action that is done or left undone incorrectly or inadvertently.

Sources:

  1. CNBC: Rising premiums, more restricted cyber insurance coverage poses big risk for companies
  2. IBM: Cost of a data breach 2022
  3. Federal Bureau of Investigation: Internet Crime Report 2021
  4. 2022 DBIR Master's Guide