Are You Naked? Is Cyber Insurance A Must?

Cleard Life


* 15% of SMEs have cyber insurance.

* 1.955 million Australian businesses are not insured.

* 70% of all businesses are unprepared for a cyber-attack.

* 34% of breaches involve malicious internal actors.

* 59% of organisations experienced at least one malicious insider attack over the last 12 months.

The Attorney General George Brandis once said: Most personnel strive to conduct themselves in an ethical and professional manner. However, it would be negligent to ignore the risk of someone deliberately causing harm or exploiting their positions of trust. The ‘trusted insider’ represents a real and enduring risk to everyday business practices. It is an important risk consideration for both Government and the private sector. Insider activity is at the very least embarrassing and damaging to an organisation’s reputation, but it can also be disruptive, expensive and life threatening.

If you were an insurance provider, there would seem to be a lot of business to write, but given the sobering statistics you would not be in business for long!

A policy-holder’s cybersecurity risk profile is a combination of (1) the value of its intellectual property (measured both in quantitative monetary and qualitative security terms), (2) how likely external & internal threat actors are to target them, and (3) the attributes of the policy-holder’s computer systems. Insurance providers can establish evidence-based best practices potentially providing discounted premiums to induce an improved baseline level of cyber hygiene.

In underwriting policies, cyber insurance firms would ideally assess the second point above, that is, the behaviours of a customer’s employees, as part of its risk profile. In the past, doing so has been challenging.

The introduction of a screening/vetting evaluation program that uses government suitability standards allows for a whole-of-company ‘insider’ vulnerability risk assessment. Vetting personnel & other insiders will increase the visibility and actionable intelligence of a policyholder and demonstrate an improved cyber risk posture. Importantly, it is a determining factor for cyber risk insurance.

Quantifying and reducing human error is hard, but nonetheless crucial. As policyholders gain greater clarity and management of their hidden human risks, they can demonstrate remediation actions that will reduce risk. Cyber insurance therefore plays an important catalyst role in the digital age.

Birthed from a national security vetting background, Cleard Life Vetting Agency (CLVA) products and services are an effective way of reducing cyber risk and are a catalyst for PERSEC cyber solutions. Policyholders that adopt CLVA’s solutions may qualify for enhanced terms and conditions on cyber insurance policies from insurers.

CLVA: Six features that will boost your Cyber Hygiene and Cyber Insurance attractiveness.

1. Reduction of cyber risk: demonstrated ability to address major enterprise cyber risk such as data breach, theft or corruption; business interruption; or cyber extortion. National security clearance processes are necessary and extensive, but remain prohibitively lengthy and expensive: for example, the top-level clearance costs more than $11,000 per check and a ‘complex case’ on average takes 792 days to reach a decision. Most security personnel vetting programs around the world now use the ‘critical path to insider risk’ model, which evaluates a candidate’s background for specific personal predispositions, stressors and concerning behaviours. It can predict or anticipate a trusted insider threat.

The scan detects and deters ‘unsuitable’ people from accessing highly sensitive, personally identifiable, commercially sensitive, or classified information. This in turn limits the motive and opportunity for a person to undertake a hostile act, or for some other counter-productive workplace behaviour to manifest, including a malicious cyber act or misuse of information. Therefore, the practice reduces cyber risk considerably.

2. Key performance metrics: demonstrated ability to quantitatively measure and report on factors that reduce the frequency or severity of cyber events. In conjunction with the critical path protocol, evaluating a workforce for character and integrity also means addressing seven factor areas (21 sub areas) used in national security clearance processes (e.g. Protective Security Policy Framework — Personnel Security — PERSEC). CLVA uses proprietary AI software to undertake candidate investigations and the whole-of-person analysis and, through supervised learning algorithms, to assist with the creation of timely recommendations.

3. Viability: client-use cases and successful implementation. CLVA has a 24/7 vetting-as-a-service platform so that implementation is easy to carry out. Users create an assessment at any time; the candidate is then contacted immediately for the interview to begin, 24/7. The result can be completed as fast as the next business day and the cost is as low as $135 per assessment. The ability to deeply understand not only the red or amber lights, but also see, in aggregate, which weak areas of the organisation should be addressed and remediated is especially helpful. We are working with Cyber Indemnity Solutions (Crimson Risk) and Avantia Cyber Security consulting firms.

4. Efficiency: demonstrated ability of users to successfully implement and govern the use of the product to reduce cyber risk. The solution reveals hidden risks and highlights weak areas. By drilling down to aggregated factor-area results, users can take action or use CLVA consultants who can offer risk mitigation advice, tools and board-level presentations and recommendations. Actions might include adjusting HR policies & practice, training staff, setting up an employee assistance program, social media monitoring, etc.

5. Flexibility: broad applicability to a range of companies/industries. CLVA is industry agnostic and a broad user-base already exists for security vetting. Why? Because people are the same wherever you go. Patterns without pivots are important. Rule-breaking behaviour outside of the workplace tends to become rule-breaking behaviour inside the workplace. Serial data breaches tend to be ‘lax’ again. Untreated mental health concerns have security implications. The CLVA AI engine also has direct implications for national security vetting efficiency and for state-based screening units that could reduce determination timeframes considerably.

6. Differentiation: distinguishing features and characteristics. Even though malicious insiders are blamed for a large proportion of breaches (IBM research has the percentage as high as 44.5%), PERSEC has been the missing link in the marketplace. It has been either ignored or dismissed as too hard. There has never been a non-discriminatory, standardised suitability clearance that has the speed, accuracy, affordability, or scale, until now. The user (be it a cyber consulting company or the organisation directly) now has the option to complete a one-time audit, periodic check-ups for the current workforce, change-of-circumstance evaluations, inclusion into pre-employment procedures for cyber hygiene, vetting of third-party personnel and/or tender shortlisting due diligence.

Conclusion

Research says you can detect early indicators of a hostile act before it happens. We know it’s true.

Get in touch today! We look forward to serving you and helping with your insider threat program or your cyber hygiene.

www.cleard.life
