"An attacker only needs to succeed once to compromise their target, whereas the target must succeed 100 percent of the time to avoid compromise."
This is a fact that many businesses overlook when assessing their cyber security posture.
Despite this, more businesses are turning to cyber insurance as a solution, resulting in a 92 percent increase in cyber insurance costs in the UK during 2021, simply because insurers have no tangible way of tracking what security tools their customers actually have.
Insurance companies understand, perhaps better than most, that prevention is better than cure, which is why a layered approach to security is required and recommended.
- Cyber Essentials/Cyber Essentials Plus
- Security Awareness Training and Advanced Email Filtering
- Multi-factor Authentication
This also opens up opportunities when speaking with end-user prospects by simply asking if they have cyber insurance.
If they say yes, you should be able to offer them the following solutions to meet the demands of the insurers:
- Endpoint Security and Firewalls should already be in place at the very least
- Patch management for all applications, not just the Microsoft suite
- OS and infrastructure security configuration
- Password security in the form of a password management solution for businesses
- Advanced email filtering, which includes not just spam filters but also effective protection against advanced threats
- Security awareness training, including effective phishing tests to identify organisational risk
- Multi-factor Authentication
The most important thing for businesses to understand about insurance is that if a claim is filed, they will need to show evidence of having all of these measures in place, so reporting should be a key factor for MSPs and businesses alike when implementing these tools.
The good news for businesses that already have Cyber Essentials in place is that they already get £25k of cyber insurance. However, as many businesses have discovered the hard way, £25k is barely enough to cover the recovery from an incident, let alone the cost of staff wages and lost revenue during any downtime, or reputational damage, one of the biggest killers for businesses.
This is why every business should have cyber insurance, but the overarching message to end users should be that prevention is better than cure, and that without the proper prevention tools in place, the risk is not removed or even reduced, and the cost of insurance will also be higher.