Whether online-related or not, insurance is insurance. So, shouldn’t there be discounts for organizations who demonstrate cyber-responsibility?
Nearly every insurance company offers discounts based on conditions that demonstrate you’re less of a risk. Their actuary-type folks internally have done the math and figured out ways that lower the risk of the insurance company paying out. And so, they offer discounts to encourage you to be insured under optimal conditions. For example, having an alarm in your home makes it less likely you’ll be a victim of a break-in. Showing your student driver has over a certain GPA makes them less likely to be in an accident.
So, shouldn’t insurers offering cyber insurance have discounts around phishing prevention? After all, most cyber insurance revolves around the insured (that is, your organization) being a potential victim of a data breach. And, if you can demonstrate that you have taken additional measures to lower the risk of attack, it makes sense that those measures should warrant a discount.
Why focus on phishing specifically? If you follow industry data, you already know a majority of cyber-attacks start with phishing – depending on whose data you’re looking at, it’s as high as 91% of attacks.
So, the answer to the serious question of “why aren’t there discounts?” is likely that the insurers haven’t done the research to determine the most effective way to reduce the risk of a phishing attack. They don’t have the cyber-expertise themselves to quantify exactly how much less likely an organization is to be a victim of an attack should they put this protection measure in place or that one.
We did some research of our own earlier this year in our 2018 Threat Impact and Endpoint Protection Report, and found the following:
- An average of 13% of organizations experienced a ransomware attack, and 25% of organizations experienced an external attack, regardless of the type of security software in place (shown below). The solutions covered were the most common types of security software in use today.
- The organizations continually performing Security Awareness Training, as well as periodically testing employees with phishing emails, saw the lowest percentage of ransomware attacks (8%) and malware-based external attacks (14%).
In both attack scenarios, organizations using Security Awareness Training and Testing saw a 37% decrease in the success rate of phishing attacks compared with those organizations simply relying on security software.
So, I ask you, with a 37% decrease in the likelihood of 91% of all cyber-attacks ever being successful – shouldn’t organizations with Security Awareness Training in place get a discount on their cyber-insurance?
I think so.