People are Often the Most Overlooked Weakness in a Company’s Cyber Security

How it plays out…

It’s morning, and a woman walks into your company’s head office. She tells the receptionist she’s the real estate agent selling the building next door and is supposed to be showing prospective buyers around. But in her rush from home, she forgot to bring the planning documents to show the purchasers. She asks if she can quickly plug in her laptop, download the plans and print them off. The receptionist understands her predicament and agrees. Five minutes later the ‘real estate agent’ has infected your computer systems with malware, and you know nothing about it. Sound far-fetched? Think again.

What this scenario clearly illustrates is that while a company can spend thousands of pounds on IT systems to safeguard its business, it can’t prevent employees from undermining all that investment, whether by mistake, under duress, or, most commonly, through a simple lack of awareness.

Ignorance isn’t bliss

In fact, ignorance is one of the biggest threats to a company’s defenses against cybercrime. There’s a worrying perception, particularly among SMEs, that the cost of securing a business is not always equal to the risk of attack. This goes some way to explaining why so many companies are attracted by the IT vendors’ pitch of an automated solution – a one-stop shop for all their cyber security issues. This magical panacea does not exist. Yes, you need the robust technical defense, but you also need to invest time and effort to make sure your people aren’t going to subvert it by the most basic of errors. In this context, basic errors include clicking on a phishing email, weak passwords, and indiscreet conversations in the pub or on social media. All can open up a world of opportunity to the seasoned cyber criminal.

Being compliant doesn’t mean being secure

While tough to eradicate, companies can substantially reduce these errors by working towards being secure, rather than just being compliant with regulatory regimes. Instead of asking ‘have we ticked all the boxes?’, management should be aiming to embed a culture of security. This has to come from the top of the organization – from the CEO and CIO – right down to the security guards and receptionists. You need a well-trained, well-aware workforce looked after by a management clearly interested in the issue.

Prioritize your vulnerabilities

One problem is that many companies think they have nothing of interest to hackers. This is a monumental misjudgment. SMEs – particularly suppliers – are often used as a back-door route into the more juicy prey of larger corporations. An example of this is Target Corp, where hackers stole 40 million credit card numbers. Security and compliance can be a major drain on cash and resources but it’s about priorities. Reduce the amount you’re trying to make secure, and spend more time making that secure. Client data, how you pay money, how money is moved around – this is information always worth defending.

Education, education, education

One of those priorities should be people and their education, but management often plump for the online compliance packages that keep employees at their desks while satisfying the regulators (box ticked). But imagine if you got your employees in a room and talked about information security for a day. It’s all about keeping the idea of security front of mind. There’s also more chance of it sinking in and reappearing later when they might really need it – like that receptionist. Training is often seen as dead money. But if you think compliance is expensive, try non-compliance. Research suggests that up to 80% of unprepared businesses that suffer a serious cyber breach and have no decent crisis management plan in place go out of business within 18 months.

In summary

No one and no company can be 100% secure. If someone promises you that, show them the door! Building a resilient defense means having the right culture: one that comes from proactive engagement from the top of an organization, with the right priorities and a well-crafted governance regime. Do that and you’ll have a much better chance of weathering a breach, and, of course, of purchasing the correct coverage.

ABOUT CHES SPECIAL RISK INC.

CHES Special Risk Inc. was established as a Managing General Agent and wholesale broker in 2004, in response to broker demand in a hardening marketplace, commencing with a particular specialty in the entertainment and hospitality business, and later becoming a fully accredited Lloyd’s coverholder in 2009. CHES Special Risk is a fully independent MGA delivering “A” rated capacity in both hard-to-place and standard lines classes, and supports its retail brokers in growing and developing their businesses.

Additional information regarding CHES Special Risk can be found at: chesspecialrisk.ca

FAQ

What are the most common cyber security threats that businesses face?

There are several common cyber security threats that businesses face, including phishing attacks, malware, ransomware, and social engineering. Phishing attacks involve tricking individuals into divulging sensitive information through fraudulent emails or websites. Malware, short for “malicious software,” is designed to infiltrate a system and cause harm, such as stealing data or taking control of a system. Ransomware is a type of malware that encrypts a victim’s files and demands payment in exchange for the decryption key. Social engineering involves manipulating individuals into divulging sensitive information or taking actions that may compromise security.
How can businesses recover from a cyber security breach?

Recovering from a cyber security breach can be a complex process, but there are several steps that businesses can take to mitigate damage and restore operations. These may include isolating affected systems, removing malware, restoring backups, notifying stakeholders and authorities, and implementing measures to prevent future breaches.
What should a business do if they suspect a cyber security breach has occurred?

If a business suspects that a cyber security breach has occurred, it should take immediate action to investigate and contain the breach. This may involve isolating affected systems, collecting and preserving evidence, notifying stakeholders and authorities, and implementing measures to prevent future breaches.
How can businesses prevent phishing attacks?

Businesses can take several steps to prevent phishing attacks, such as providing regular training to employees, implementing multi-factor authentication, using email filtering and spam blockers, and regularly updating software and security protocols.
What are some cyber security risks associated with remote work?

Remote work introduces several cyber security risks, such as unsecured Wi-Fi networks, personal devices with insufficient security, and a lack of physical security measures. Additionally, remote work may increase the risk of phishing attacks and other social engineering tactics, as well as insider threats from disgruntled or negligent employees.
How can businesses secure their networks for remote workers?

To secure their networks for remote workers, businesses can implement several measures, such as providing virtual private network (VPN) access, requiring strong passwords and multi-factor authentication, implementing endpoint security measures, and providing regular training to employees.
How can businesses assess their cyber security risks?

Businesses can assess their cyber security risks by conducting regular risk assessments and vulnerability scans, identifying potential threats and vulnerabilities, and implementing measures to mitigate those risks. Additionally, businesses can seek the assistance of third-party cybersecurity professionals to conduct more comprehensive assessments and provide recommendations for improvement.