Cyber risk losses, primarily breaches, come from hackers, from employee errors, or from both, and both drive Cyber Risk Insurance losses. Good IT risk management is critical to protecting an organization, but one practitioner argues that it should not rest on unrealistic expectations of employees.
Employee errors account for a little less than half of Cyber Risk losses, although the estimates vary with how "employee error" is defined. The typical breach involving an employee error is a lost laptop containing personal information. But employee error can also be one half of the increasingly common phishing attack: the employee's click is the error, and the intrusion that follows is the hack (see here and here).
An experienced IT security practitioner believes it is unrealistic to expect employees to have the same level of security expertise as IT professionals, and recommends designing IT security accordingly (see here). In a Wired article, Rich Howard writes (here):
Expecting non-security professionals to be able to identify and stop the intrusion methodologies of today's cyber adversaries is unrealistic, costly and provides little benefit for the effort required... We should not be spending time trying to make employees experts at spotting phishing emails or determining which web sites are good or bad based on how the URL looks... Protecting the enterprise is the security team's job. If one of your security team's best security controls is relying on an end-user to stop the bad guy, then your program has some serious issues.
The article goes on to recommend approaches to IT security strategy that are consistent with those expectations of employees. Cyber Risk Insurance should be an essential, not optional, component of any IT security plan, providing protection against both criminal attacks and employee error.
Tennant Risk Services is a specialty wholesale broker and underwriting manager that delivers expertise, markets and exemplary service to our retail insurance agent clients in the placement of professional liability insurance (E&O, D&O, EPL, Cyber). We excel at hard-to-place accounts. Review our expectations here.
Specialty Insurance Expertise: Tennant Risk Services