The CAGR (Compound Annual Growth Rate) of the global cyber insurance market is expected to be 35.92% from 2022 to 2027. Quite impressive!

Negotiating a cyber insurance policy has become complex

The uncertainty does not benefit either the insured or the insurer.

• The insured faces a surge in insurance premiums. This surge increases the risk of having to deal with litigation in the event of a claim. There is no worse situation for a business leader than delaying the coverage of a loss that occurred today and has immediate financial consequences. Business interruption, penalties, and the need to rebuild production capabilities: the consequences of a cyberattack are abrupt and require immediate resources.

• For the insurer, the situation is not ideal either. There remains a significant level of uncertainty regarding the actual effectiveness of the insured’s cybersecurity and resilience measures. This is particularly true for medium-sized companies. The cost of verifying the effectiveness of cyber insurance capabilities quickly becomes prohibitive compared to the expected insurance premiums.

The increasing adversarial nature of the cyber environment, with random or highly targeted attacks, does not help clarify the situation. Traditional means of assessing protection measures do not provide insurers with a comprehensive view:

• Declarative control solutions inherently rely on self-reporting, making it impossible to verify the effectiveness of the stated measures.

• Functional or technical audit solutions (pentests, code audits, bug bounty programs, etc.) only target specific areas and come with high implementation costs.

• Vulnerability scanners provide a limited view of security and the effectiveness of SecOps capabilities.

Next-generation attack simulation solutions can significantly change the landscape

With cyber defense capability scoring, such as BlackNoise, it is possible:

• To continuously assess the ability to detect and respond to attacks as early as possible.
  
• To confirm that all technical solutions in use are effective and properly implemented and configured.
  
• To ensure the absence of regressions or blind spots over time.

This does not involve decommissioning the usual solutions for auditing and compliance control of security policies. Nor does it mean turning away from risk management models and ISMS (Information Security Management Systems). However, for a healthier cyber insurance market for all stakeholders, it seems essential to transition to continuous scoring of the effectiveness of cyber defenses.

The post Score, cyber insure, breathe! appeared first on Erium.

Introduction

In the age of the digital revolution, cybersecurity has become a central concern for organizations of all sizes, both in the public and private sectors. In fact, it’s the top risk for businesses in 2023 according to the Allianz Risk Barometer.

The risks and threats associated with cyberattacks, which are becoming increasingly sophisticated, can lead to significant damages, whether they are financial, legal, or related to reputation. Although the technological aspect is sometimes involved in the success of cyberattacks, in 90% of cases, the security breach primarily results from human error, a phenomenon known as “brain hacking.”

For this reason, cybersecurity awareness, targeting employees for a genuine understanding of best cybersecurity practices, has become essential in protecting organizations from online threats.

Why is Cybersecurity Awareness Training Important?

Many companies underestimate the importance of basic cybersecurity knowledge. The significant consequences and financial impacts make it essential to raise employee awareness about cybersecurity. Erium offers an effective, engaging, and online Serious Game to prevent common errors that can be costly to your business. We explain it below.

The Consequences of Computer Security Breaches

A successful cyberattack can have disastrous repercussions for an organization. Among these consequences is the leakage of confidential data concerning customers or partners. These losses can lead to legal disputes, financial losses, and a deterioration of the company’s image (loss of trust, a decline in reputation).

Ransomware attacks, which use malicious software to encrypt access to computer systems in exchange for a ransom payment, disrupt daily operations and result in business downtime, revenue losses, and decreased productivity.

But cyberattacks are not limited to data breaches and ransomware; they come in various forms, and cyber attackers continually strive to harm organizations and make a profit. Among the most common attacks are identity theft to gain access to confidential data and to exploit employees’ trust for fraudulent activities. These attacks also cause financial and reputational damage to companies.

The Financial Impacts of Cyber Attacks

Cyberattacks have significant financial costs for businesses, including both direct costs (such as productivity loss or downtime) and indirect costs (remediation, recovery, reputation damage, and the implementation of new security measures). In US, in 2021, the global cost of cyberattacks was estimated at 6 trillion USD, with more than 50% of companies facing attempted cyberattacks.

Is providing training sufficient for raising employee awareness?

Considering all of this data, it is clear that cybersecurity awareness is essential for protecting organizations against cyber risks.

In the age of the digital revolution and evolving norms, traditional awareness efforts may seem outdated. Moreover, capturing and sustaining employees’ attention and good cybersecurity practices over time is a challenging endeavor. Conventional training, which tends to be overly theoretical, is often perceived as boring, with limited impact on employees’ behavior, as demonstrated in the white paper “Cybersecurity Awareness: Dream or Reality?” produced by Erium in collaboration with the Forum des Compétences.

Interactive, Engaging, and Effective Awareness Training

Shifting from the theoretical approach of traditional awareness training to an interactive and immersive one can make a significant difference. A platform like Cyber Investigation enables employees to change their perspective by stepping into the shoes of a hacker, thus helping them internalize best practices differently. A playful and interactive approach engages participants more effectively, allowing them to learn while having fun.

What should a cybersecurity awareness program include?

In light of the limitations of awareness, even if it is effective, a program to go beyond is essential.

The Cyber Investigation platform offers realistic scenarios simulating real-life situations (phishing, CEO fraud, social engineering). Employees face challenges with investigations to solve, putting them in the shoes of a hacker.

These challenges are complemented by videos, reflex sheets, and quizzes, allowing IT security managers to assess the organization’s level of maturity in cybersecurity practices and subsequently steer security measures to be implemented.

By targeting scenarios based on risks, employees learn to recognize the signs of a cyberattack attempt and take measures to protect themselves. Best practices such as using a secure password manager, reporting suspicious content to a cyber correspondent, following security procedures, and using two-factor authentication are then integrated.

It’s simple: raising cybersecurity awareness is essential, but the real goal is to take action and engage in these cybersecurity reflexes!

How to engage employees in developing sustainable cybersecurity habits?

To derive concrete benefits from cybersecurity awareness and transition from awareness to cyber acculturation, it is crucial to capture and maintain the organization’s employees’ attention.

To maximize employee retention, the learning pyramid teaches us that reading a theoretical course allows for the retention of up to 5% of information, while practical training can help retain nearly 75%.

This observation drives the creation of an immersive game rather than a simple theoretical training delivered by a cybersecurity consultant.

To engage employees in their cybersecurity awareness, Erium, in its collaboration with the Forum des Compétences, has also highlighted key points for achieving content with optimal engagement. The content should be:

• Humorous and playful
• Short
• Concrete
• Useful, both professionally and personally
• Realistic, with practical scenarios
• Multimedia
• Recurrent

Steps to Start Training Your Employees

For a successful cyber acculturation and awareness, it is important to follow some key steps.

First, the organization needs to assess its cybersecurity needs and identify its risks. The Cyber Investigation platform allows managers to target user journeys based on the risks they are most likely to be exposed to.

Next, the organization should define personas (internal and external) and differentiate them based on their exposure, behaviors, and common cybersecurity concerns.

Thirdly, the company should set objectives with actions tailored to the user’s maturity level (e.g., raising awareness of cyber risks by targeting them specifically and reinforcing associated reflexes).

Finally, the organization should plan the implementation of training. Mandatory training yields better results than optional training, and it should be monitored according to the results obtained.

Monitoring progress, measuring the cybersecurity maturity level of employees, listening to feedback, and guiding new cyber awareness initiatives are steps to be taken for genuine cyber acculturation within organizations.

Cyber Investigation – The Serious Game for Cybersecurity Awareness and a Path to Genuine Training

As the first cyber acculturation platform, Cyber Investigation is an interactive and immersive platform designed to raise employee awareness about cybersecurity best practices.

Its gamified approach allows for four times more cyber retention compared to traditional training because employees take action and practice their cybersecurity reflexes on the internet, putting themselves in the shoes of a hacker (for example, they must retrieve usernames and passwords using information available online).

Available in 8 languages, Cyber Investigation is suitable for all levels of cybersecurity maturity, and its program can be tailored to various cybersecurity objectives and risks, with customization options for businesses.

It measures 8 major risks (phishing, access compromise, CEO fraud, data leakage, ransomware, etc.), and KPIs help enhance long-term cybersecurity maturity.

The combined benefits of this cybersecurity awareness and acculturation platform are manifold:

• A platform that fosters collective energy, promoting positive competition and team rankings.
• A platform that enhances the retention of cybersecurity reflexes through immersion and practical learning.
• Security awareness tailored to different profiles and their roles within the organization.
• Precise measurement of maturity level and the persistence of cybersecurity reflexes over time (after 1 month, 6 months, 2 years) through defined KPIs.
• A customizable experience with 100% customizable communication kits.

Examples of best practices that are adhered to after awareness training

Employee education and training on security best practices

Following an extended cybersecurity awareness campaign supplemented by a comprehensive training program, employees should have grasped and appreciated the importance of understanding and maintaining good cyber habits over time.

They should be sensitized to social engineering techniques like phishing or CEO fraud to detect cyberattack attempts. Moreover, they should have internalized security procedures to follow in the event of a cyber attack attempt (react, inform their cyber contact, avoid clicking).

Lastly, they should be trained in daily cybersecurity practices that strengthen online security, including using a password manager, enabling two-factor authentication, connecting to secure internet networks, and separating professional and personal storage spaces, among other things.

Establishing a cybersecurity culture within organizations

Transitioning from cybersecurity awareness to cyber acculturation involves creating a strong cyber culture capable of preventing incidents and proactively responding to emerging threats.

Florent Skrabacz – President of the Erium Group

Creating a cyber culture extends beyond implementing cybersecurity awareness training. It also involves promoting a reporting culture, where security incidents and suspicious behaviors can be reported without fear of repercussions, facilitating a swift response. Additionally, it means establishing regular internal communication about the implemented security policies and their updates, engaging the leadership in promoting cybersecurity as a strategic priority, and creating high-impact events, such as during Cybersecurity Awareness Month.

Useful Questions and Answers

What is the price of a combined cybersecurity awareness and training program?

For a cyber acculturation training with the Cyber Investigation platform, various subscription packages are available, ranging from 60 to 20 euros per user per year.

How long does a cybersecurity awareness training last?

Subscriptions are designed to last for one year, but there is no specific time limit in cybersecurity awareness. The crucial point is that with each new individual engaged, continuous training is established to counter new emerging threats and evolving modes of attack.

What are the benefits of cybersecurity awareness for teams?

The benefits of cybersecurity training are numerous for an organization’s teams.

• With a better understanding of cybersecurity threats and risks, teams enhance their ability to protect sensitive information and data, both professionally and personally
• Moreover, each team member feels involved in the company’s cyber culture and contributes to its security, thereby increasing their overall engagement in the organization
• Cyber Investigation, which promotes positive inter-team competition, strengthens bonds and fosters a greater appetite for challenges within the company
• Finally, cyber acculturation builds trust among clients and partners towards the teams, demonstrating their commitment to safeguarding the company and its data

Who organizes and monitors the training?

The training is led directly by the CISOs (Chief Information Security Officers) from the platform, where they have access to team progress based on risks and can oversee teams according to results. They can also implement new cybersecurity measures from this platform.

The post Cybersecurity Awareness Program: Enhancing Protection Through an Acculturation Strategy appeared first on Erium.

Almost all relational and transactional activities of organizations are conducted on the Internet, and this presence entails a risk. This risk is considered the primary threat in the age of the digital revolution: cyberattacks. Indeed, for nearly a decade, the number of cyberattacks has been on the rise. Cyber attackers continually devise new methods to profit from their attacks. This threat continues to grow, with no fewer than 385,000 successful cyberattacks reported against organizations, both public and private, in France in 2022.

Businesses and organizations are constantly facing the challenge of protecting their data from cyber threats such as data breaches and ransomware attacks. Any such incident can cause significant harm to them. In such cases, organizations have to deal with dual risks – legal consequences due to sensitive data breaches and financial losses resulting from business disruptions. To mitigate such risks, businesses can opt for cyber insurance. This type of insurance provides coverage for both the financial and legal repercussions of cyberattacks. For companies, obtaining cyber insurance to receive compensation for losses resulting from cybercrime has become a necessary and prudent measure to ensure their online presence securely.

Why choose cybersecurity insurance ?

Benefits and cost associated with cyber incidents

Many businesses obtain cyber insurance to cover the expenses resulting from cyber-attacks. Astères estimates that the total cost of successful cyber-attacks in France in 2022 was 2 billion euros. The costs related to data breaches fall under direct costs such as lost productivity, ransom payments, and lost work hours. According to a study by the Ponemon Institute, businesses in France are estimated to face a cost of 4.34 million dollars for a data breach in 2022. The study also reveals that 83% of the 550 companies surveyed reported experiencing data theft. Organizations must consider subscribing to cyber insurance to ensure their sustainability in the event of a cyberattack. Cyber insurance can help reduce the financial losses and liability caused by a data breach. However, due to the increasing number of cyberattacks, the amount of compensation paid out has tripled within a year. As a result, insurance premiums are higher, and obtaining cyber insurance requires fulfilling certain prerequisites

The prerequisites for subscribing to cyber insurance

With the increasing insurance premiums, the prerequisites for subscribing to cyber insurance are becoming more numerous and evolving over time. Insurers now require organizations to have effective cybersecurity policies with defined risk management procedures and optimized protection systems.

A clear cybersecurity policy

So, it is essential to have all these prerequisites and stay informed about their evolution through insurance brokers. Before subscribing to a cyber insurance policy, it is important to have a solid cybersecurity policy in place. This policy must be effectively communicated to all stakeholders, including suppliers, partners, and IT service providers. Additionally, employee awareness and training programs should be implemented to ensure that everyone in the organization is aware of the policy and best practices for maintaining cybersecurity.

Protection tools

Next, it is mandatory to have, at a minimum, deployed endpoint protection tools such as EDR, antivirus, antimalware, and a firewall to detect and prevent potential threats.

An email filtering solution must also be in place to reduce the risk of phishing and email-based attacks. Two-factor authentication must be enabled, especially for admin accounts and remote access, adding an additional layer of protection for sensitive accounts. GDPR compliance is necessary to protect the sensitive data of your partners and clients, which should be stored securely.

For larger accounts, cyber insurers will require a managed EDR or XDR within a SOC (Security Operations Center), essential for quickly detecting, analyzing, and responding to security incidents when applying for cyber insurance.

Regular assessments

Regular evaluation audits to measure cybersecurity maturity and identify vulnerabilities to be addressed will also be among the prerequisites needed to subscribe to cyber insurance.

It is also crucial to be prepared for a cyber crisis by having emergency response and incident response plans in place, which can be done through crisis management exercises.

It is important to optimize security protocols related to IoT to prevent potential compromises.

Finally, by using a cyber rating solution, the company can obtain a diagnosis of its cybersecurity status and identify areas for improvement before subscribing to cyber insurance. This approach is primarily declarative and can be enhanced by attack simulation scenarios that demonstrate the actual effectiveness of the measures in place. By strengthening the cyber scoring, these approaches provide evidence of cybersecurity effectiveness to the insurer, paving the way for negotiations.

Implementing these prerequisites enhances the company’s cybersecurity posture, reduces the risk of costly incidents, and protects against successful cyber-attacks with insurance.

What attacks and compensations does cyber insurance cover ?

Understand your insurance policy and negotiate to match your cybersecurity needs. Cyber insurance can cover expenses like:

• Data breach: Cyber insurance can cover the costs associated with the recovery, restoration, or replacement of stolen data. If sensitive data has been compromised, the insurance may cover the expenses related to potential lawsuits and regulatory obligations.
• Business interruption: Cyber insurance compensates for financial losses due to business interruptions caused by cyberattacks.Recovery and restoration expenses: Cyber insurance covers costs related to restoring information systems.
• Fund losses: Whether it’s losses of funds transferred due to events like fraud, social engineering, or extortion, cyber insurance may cover a portion of these losses and provide compensation to victimized organizations.

Of course, this list is not exhaustive, and it is essential to check with your insurer for any coverage exclusions.

What are the prices of cyber insurance ?

There are no general rules regarding the price of a cyber insurance policy, as it depends on several factors such as the type of business, size, cybersecurity history, industry sector, annual revenue, and geographical location.

An insurance premium can start at a few thousand euros per year for a small business with low cyber risks and can increase significantly for an organization with strong cybersecurity needs.

For example, sectors like healthcare or finance are more susceptible to cyberattacks, which can significantly impact the cost coverage provided by cyber insurance.

To obtain an accurate estimate of the price of cyber insurance tailored to your organization, it is necessary to contact an insurance company to obtain a personalized quote.

The uncovered elements by cyber insurance ?

While each insurance policy is unique, and clauses vary from one organization to another, there are certain elements that are generally not covered by cyber insurance. Among these, we find:

• Malicious acts committed by internal parties, such as employees or subcontractors.
• Security failures (flaws or vulnerabilities) known to the company but not addressed, thereby resulting in the exclusion of coverage for resulting incidents.
• Non-compliance with established security policies.
• Expenses resulting from acts of war, terrorism, or conflicts of a geopolitical nature are sometimes excluded from insurance policy indemnification clauses.
• Attacks attributed to or supported by governments or intelligence services.
• Loss of intellectual property, which is often excluded based on the circumstances.
• Physical damages (fire, flood, etc.) are excluded from cyber insurance and covered by other types of insurance.
• Failure to meet the notification deadlines to the cyber insurance company.

When subscribing to a cyber insurance policy, it is essential to be aware of the terms, conditions, and potential exclusions in the policy to ensure that the coverage aligns with the organization’s needs and to avoid unpleasant surprises in the event of a successful attack.

How to choose the cyber insurance ?

To choose the best cyber insurance, which is most suitable for the organization’s cybersecurity needs, several factors need to be considered.

Understanding your context

A thorough assessment of your context (industry, size, revenue) and the cyber risks to which the organization is most exposed is essential. This will help evaluate the company’s maturity level and determine the threats it is most likely to face to ensure their coverage by cyber insurance.

Real-conditions Cyber Assessment, implemented by Erium, evaluates a company’s cyber effectiveness with a score ranging from 0 to 100. It considers the cyber maturity of the organization’s employees (assessed using the Cyber Investigation cyber awareness platform), defense and response capabilities against cyberattacks (evaluated with the Breach and Attack Simulation tool BlackNoise), and crisis management and cyber resilience capabilities (evaluated with Cyber XP, real-world crisis exercises).

Real-conditions measurement tools provide a genuine overview of the organization’s cyber risk coverage. This allows for the establishment of appropriate cybersecurity policies and the negotiation and selection of the most suitable cyber insurance.

The extent of coverage

It is essential to choose a cyber insurance provider with experience and a strong reputation in the field of cybersecurity, capable of understanding the cybersecurity challenges and threats that organizations face. While price is an important factor, it should not be prioritized at the expense of the quality or extent of insurance coverage.

The extent of coverage provided by cyber insurance, as well as any exclusions, is the primary criterion to consider when subscribing to an insurance policy. It is crucial to ensure that all the risks the company is exposed to are covered by the insurance. The terms and conditions, which must be understood before committing to an insurance contract, are also important in order to comprehend the mutual commitments of both parties.

By taking these various factors into account, it will be easier to choose a cyber insurance policy that will protect the company in the event of a successful cyber-attack.

How to subscribe to cyber insurance policy ?

Once the assessment of cyber risks and the company’s cyber coverage needs have been established, the process of obtaining cyber insurance involves several steps.

First, it is necessary to conduct an insurance assessment that clarifies the coverage needs and cyber vulnerabilities to be addressed.

In addition, you will need to choose a competent insurance broker with expertise in cyber risks, who will assist the organization throughout the process. The broker guides the company in identifying the cyber insurance that best suits its needs, taking into account its size, sector, and various activities.

Working in conjunction with the broker, the scope of coverage and the coverage limit are defined and communicated to the chosen insurer. The insurer then conducts a risk analysis that assesses the cyber maturity of its client. Based on this analysis, the cyber insurance provider offers a premium amount that reflects the company’s level of readiness to face cyber threats.

Finally, the negotiation phase begins with the aim of reaching an agreement on the extent of coverage, the coverage limit, and the insurance premium amount. Once all parties are satisfied, the cyber insurance policy contract can be signed, providing the organization with strong and targeted protection against the cyber risks it faces.

Best practices to enhance cyber insurance

Cybersecurity awareness for employees

To enhance cyber insurance coverage, strong cybersecurity best practices should be adopted. Awareness, or rather acculturation, to cybersecurity for the organization’s employees forms the foundation of this approach. This awareness is achieved through a clearly communicated internal cyber policy that establishes rules and responsibilities for everyone.

Regular cybersecurity training for all employees against cyber risks and threats ensures that each person understands the cybersecurity issues and knows how to identify and respond to potential cyber threats. It is also crucial to assess the cyber maturity of these employees in order to take appropriate protection measures based on the results.

A platform like Cyber Investigation is ideal for training employees interactively and in an engaging manner. This immersive tool allows individuals to put themselves in the shoes of a hacker, promoting an understanding of the mechanisms of a cyber-attack. Enriched with supplementary content (quick reference guides, quizzes, videos), it educates employees about proper cyber practices. The platform also provides CISOs with the ability to measure their employees’ performance, allowing them to subsequently implement measures based on the specific risks to which they are exposed.

Software and system updates

In addition, keeping software and systems up to date is an essential practice to strengthen defense capabilities against a cyber-attack. Whether it’s software, websites, antivirus, or firewalls, updates help to fix vulnerabilities and security flaws.

Any sign of suspicious activity should be reported, allowing for a quick and effective response in the event of a potential incident. When a security flaw is detected, necessary measures must be applied to correct and minimize risks.

As an example, a Breach and Attack Simulator (BAS) like BlackNoise allows for real-time attack simulations to assess the company’s ability to detect and respond to cyberattacks. This innovative and proactive approach helps identify vulnerabilities and correct them, thereby facilitating continuous improvement in security measures.

In conclusion, adopting a cyber acculturation policy, keeping systems up to date, and being prepared to respond in times of crisis are the key elements to optimally complement your cyber insurance coverage.

Cyber insurance in the Age of AI

Erium couldn’t conclude this article without addressing the role of AI, which now holds a central position in the technology sector.

The emergence of artificial intelligence in recent years has brought about a significant and global transformation in various industries, including that of cyber insurance. This innovative and revolutionary technology can automate tasks, analyze massive volumes of data, and make decisions based on these analyses.

Benefits of Artificial Intelligence

In the field of cyber insurance, AI is transforming the underwriting process by automating its operations. With its data analysis capabilities, AI can provide insurance companies with information about the cyber risks to which businesses and institutions are most exposed. As a result, the automated process becomes more efficient and effective. Furthermore, AI enhances the claims processing and settlement by automating the collection of claims-related data, promoting efficiency and accuracy in claims settlements.

For insurers, AI also offers the advantage of being able to detect fraud and fraud attempts, thereby strengthening the security and integrity of the cyber insurance sector.

Limitations and challenges

However, despite its advantages, AI has limitations and poses challenges for the cyber insurance sector. Cyber risks are complex and constantly evolving, so AI may struggle to assess the risks associated with cyber insurance coverage accurately. Similarly, AI may have difficulty predicting the impact of new technologies and regulatory developments related to cyber threats, leading to inaccuracies in its assessments.

Furthermore, AI can perpetuate biases based on the data it was trained on, which can result in unequal or unfair treatment among clients.

Lastly, the role of AI may diminish that of human underwriters and claims adjusters, leading to a loss of expertise, personalized experience, and reduced levels of service.

AI has a significant impact on the cyber insurance sector. It offers the potential for improving underwriting and claims settlement processes, as well as a new way to protect against fraud for cyber insurance companies.

However, it faces limitations with the perpetuation of biases since it relies on the operational knowledge of its user and the data provided at a specific point in time, and with the diminishing role of humans. It is essential to keep in mind that AI is a tool and not a substitute for human underwriters and claims adjusters.

More than ever, it is important to adopt a critical approach to the information provided by artificial intelligence and to use it responsibly, in conjunction with human skills and judgment.

To conclude

The cyber insurance market is rapidly evolving. To make the most of it, it is essential to :

• Work with an efficient and specialized broker.
• Implement a cybersecurity policy to reduce cyber insurance premiums.
• Avoid any disputes in the event of a cyber claim by establishing control over the effectiveness of this cybersecurity policy.
• Demonstrate the policy’s effectiveness in real-world conditions to support any legal claims if disputes arise.

The post Cyber Insurance: the comprehensive guide to protecting your organization appeared first on Erium.