Cybersecurity Risk Management Overview
- Menicucci Insurance
- Oct 6
- 5 min read
What is a cyberattack?
A cyberattack is a malicious actor’s attempt to gain access to, steal data from, or damage computers, networks, or other computing systems. One or more people can launch a cyberattack from anywhere using various tactics.
Advances in artificial intelligence (AI) have made cyberattacks easier to launch. According to IBM’s Cost of a Data Breach Report, generative AI helps criminals craft highly personalized emails, cloned voices and videos that mimic real people and brands. The report found that 16% of breaches involved attackers using AI, most often for AI-generated phishing (37%) or deepfake impersonation (35%).
Cybersecurity and data privacy risks don’t come from a single source such as outside hackers. In the same report, breaches caused by malicious insiders were the costliest initial attack vector, averaging $4.92 million, followed by supply chain and third-party vendor compromises at $4.91 million. Regulatory fines and notification obligations add further cost after a breach.
Why prepare for a cyberattack?
If the direct costs aren’t reason enough to prepare your organization for a cyberattack, consider the indirect costs, which are harder to measure:
Reputational damage. Your customers might lose confidence in your ability to protect their data. The media chatter could tarnish your brand, causing it to lose value. Breaches often cause clients to leave because they no longer feel safe.
Lost business opportunity. The cyberattack could cause a decline in sales or contracts because other businesses see you as a risk. Recovering from a cyberattack takes time. You could have product delays or miss contractual deadlines. Any of these could result in a lawsuit in addition to lost revenue.
Lawsuits. Affected customers, partners or vendors might sue your company for failing to protect their information.
Regulatory compliance risk. If personally identifiable information (PII) or other sensitive information is exposed, you might face government inquiries or audits from regulatory authorities. Every U.S. state has a breach notification law requiring companies to notify affected individuals (and often regulators) when their data is exposed, and some states also require you to offer free credit monitoring.
Lost productivity. Cyberattacks disrupt operations. Your employees won’t be able to access systems or work until you get the network safely back online. A cyberattack can also distract employees and cause frustration over cybersecurity concerns. High-value employees might start looking for a new job.
Added recovery costs. Beyond restoring the network, you’ll need a digital forensics specialist to determine how the attacker got in and what they touched, and you’ll need to invest in security tools to prevent a repeat. If the investigation misses a backdoor account or other persistence mechanism the attacker left behind, they can simply log back in; if you don’t close the original entry point, they’ll come back through it.
Increased insurance premiums. Your cyber policy could increase or not be renewed if you have repeated breaches. Having robust cybersecurity and a cyber incident response plan will help you respond and make your business more attractive to insurance carriers.
Common cybersecurity threats
Common threats to organizations include:
Unauthorized access: A malicious actor, malware or an employee error can result in unauthorized access to your data.
Misuse of information by authorized users: An insider may misuse information by altering, deleting, selling or using it without authorization.
Data leaks: Threat actors or cloud misconfiguration may cause PII or other sensitive data to be leaked.
Loss of data: Missing, untested or poorly configured backups turn a ransomware attack, hardware failure or accidental deletion into permanent data loss.
Service disruptions: Downtime may cause reputational and financial damage. One cause of downtime is a denial-of-service attack, which bombards a website with automated requests so legitimate users can’t get through.
AI: According to the IBM report, 13% of organizations reported a breach involving an AI model or application, and 97% of those lacked proper AI access controls. The most common entry point for these incidents was the supply chain: compromised apps, application programming interfaces (APIs) or plug-ins from vendors. The incidents led to broad data compromise (60%) and operational disruption (31%), which points to AI systems being a major target.
How to prepare for a cyber threat
Cybersecurity risk management involves prioritizing threats and creating action plans to eliminate or minimize them, so that the most critical threats are handled first.
Assess your risks
Start by identifying, analyzing and evaluating your potential cyber threats. This will require reviewing your entire IT infrastructure to identify possible threats from:
Vulnerabilities within your systems
People, processes and technologies
Cyberattacks (internal and external)
Supply chain vulnerabilities
AI-related permission settings and lack of human oversight
Back up your data
One of the most basic measures you can take is to back up your data regularly and verify that you can actually restore from those backups; an untested backup is not a backup. Keep at least one copy offline or otherwise out of reach of an attacker who has compromised your network, so ransomware cannot encrypt the backups along with the data. How often you back up depends on your organization, the amount of critical data you typically collect over the course of a business day or week, and what it would mean if that data were to be breached, lost or stolen.
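The backup-and-restore test described above, as an added example that is not part of the original article: it archives a directory, records a SHA-256 checksum alongside the archive, then proves the archive restores byte for byte into scratch space. The sample files, paths and the tampering step are constructed for the demo; offsite/offline copies and retention are assumed to be handled elsewhere.

```python
"""Back up a directory, record its checksum, and prove it restores cleanly.

Added example (not from the original article). Paths and sample data are
constructed for the demo; production use also needs an offline or immutable
copy and a retention policy, which this script does not implement.
"""
import filecmp
import hashlib
import tarfile
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream the file through SHA-256 so large archives need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def make_backup(src: Path, dest_dir: Path) -> Path:
    """Create a timestamped tar.gz of `src` in `dest_dir` plus a .sha256 sidecar."""
    dest_dir.mkdir(parents=True, exist_ok=True)
    stamp = datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    archive = dest_dir / f"{src.name}-{stamp}.tar.gz"
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(src, arcname=src.name)
    # The sidecar lets a later restore detect silent corruption or tampering.
    Path(f"{archive}.sha256").write_text(f"{sha256_of(archive)}  {archive.name}\n")
    return archive


def trees_match(a: Path, b: Path) -> bool:
    """Recursive byte-for-byte comparison of two directory trees."""
    cmp = filecmp.dircmp(a, b)
    if cmp.left_only or cmp.right_only or cmp.funny_files:
        return False
    _, mismatch, errors = filecmp.cmpfiles(a, b, cmp.common_files, shallow=False)
    if mismatch or errors:
        return False
    return all(trees_match(a / d, b / d) for d in cmp.common_dirs)


def verify_backup(archive: Path, src: Path) -> bool:
    """Check the checksum, restore into scratch space, and compare with the live data.

    Returns True only if the archive is intact and the restore matches `src`.
    """
    sidecar = Path(f"{archive}.sha256")
    if not sidecar.exists() or sha256_of(archive) != sidecar.read_text().split()[0]:
        return False
    with tempfile.TemporaryDirectory() as scratch:
        try:
            with tarfile.open(archive, "r:gz") as tar:
                try:
                    # Python 3.12+: refuse absolute paths, "../" and links that escape scratch.
                    tar.extractall(scratch, filter="data")
                except TypeError:  # older Python without extraction filters
                    tar.extractall(scratch)
        except (tarfile.TarError, OSError):
            return False
        return trees_match(src, Path(scratch) / src.name)


def demo():
    """Round-trip constructed data; returns (intact_restore_ok, tampered_restore_ok)."""
    with tempfile.TemporaryDirectory() as root:
        src = Path(root) / "records"
        (src / "2025").mkdir(parents=True)
        (src / "2025" / "customers.csv").write_text("id,name\n1,constructed sample\n")
        (src / "notes.txt").write_text("constructed sample data\n")

        archive = make_backup(src, Path(root) / "backups")
        intact_ok = verify_backup(archive, src)

        # Simulate bit rot or tampering: the checksum no longer matches.
        with archive.open("ab") as fh:
            fh.write(b"\x00")
        tampered_ok = verify_backup(archive, src)
    return intact_ok, tampered_ok


if __name__ == "__main__":
    print("intact restore ok, tampered restore ok:", demo())
```

Run it on a schedule and alert when verify_backup returns False; a backup job that only reports "archive written" tells you nothing about whether the data can come back.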
Use strong passwords
While frequent password changes were standard practice in the past, forcing them on a schedule is now considered counterproductive: it breeds password fatigue, and people respond with predictable variations of the old password. NIST’s digital identity guidelines (SP 800-63B) now recommend changing a password when there is evidence it has been compromised, not on a fixed calendar. One of the most effective ways to safeguard your company’s sensitive data is to teach your employees password best practices. The password management company Keeper notes that longer passwords are more secure than shorter ones: a short password built from complex characters (uppercase, lowercase, numbers and symbols) is weaker than a long, simple one, because each added character multiplies the number of guesses an attacker must try. Keeper has published a table estimating the time a cybercriminal would need to crack passwords of various lengths. By its figures, an eight-character complex password falls in about eight hours, while a 12-character password made of letters with only one uppercase would take about 2,000 years. The exact times depend on the hashing algorithm and hardware assumed, but the relative lesson holds.
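The length-versus-complexity comparison above, worked through as an added example (not from the original article or from Keeper): it computes the brute-force search space of a password from its length and alphabet, and ranks candidates weakest first. The guess rate is an assumption chosen for illustration, so read the times as relative rather than absolute; the model also assumes random passwords, whereas dictionary words and reused passwords are attacked much more cheaply.

```python
"""Compare the brute-force search space of passwords by length and character set.

Added example, not from the original article or from Keeper. The guess rate is an
assumption for illustration; real crack times depend on the hash algorithm, salting
and hardware, so treat the times as relative, not absolute.
"""
import math

# Size of the alphabet an attacker must cover, by password composition.
CHARSETS = {
    "digits only": 10,
    "lowercase only": 26,
    "upper + lower": 52,
    "upper + lower + digits": 62,
    "upper + lower + digits + symbols": 95,  # printable ASCII minus space
}

ASSUMED_GUESSES_PER_SECOND = 1e10  # assumption: a fast unsalted hash on modern GPUs


def keyspace_bits(length: int, charset_size: int) -> float:
    """Bits of search space for a uniformly random password: length * log2(alphabet)."""
    return length * math.log2(charset_size)


def worst_case_seconds(length: int, charset_size: int,
                       guesses_per_second: float = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Time to exhaust the whole keyspace at the given rate (the average is half of this)."""
    return charset_size ** length / guesses_per_second


def humanize(seconds: float) -> str:
    """Render a duration at a readable unit for tables."""
    units = [("years", 365 * 86400), ("days", 86400), ("hours", 3600), ("minutes", 60)]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:.1f} seconds"


def keyspace_ratio(length_a: int, charset_a: str, length_b: int, charset_b: str) -> float:
    """How many times larger keyspace B is than keyspace A."""
    return CHARSETS[charset_b] ** length_b / CHARSETS[charset_a] ** length_a


def compare(candidates):
    """Rank (label, length, charset) candidates by search space, weakest first."""
    rows = []
    for label, length, charset in candidates:
        size = CHARSETS[charset]
        rows.append({
            "password": label,
            "length": length,
            "bits": round(keyspace_bits(length, size), 1),
            "worst_case": humanize(worst_case_seconds(length, size)),
        })
    return sorted(rows, key=lambda r: r["bits"])


if __name__ == "__main__":
    # Constructed sample passwords, chosen only to show the composition classes.
    table = compare([
        ("P@ss8!Qz", 8, "upper + lower + digits + symbols"),   # short but "complex"
        ("Blueriverfox", 12, "upper + lower"),                  # 12 letters, one uppercase
        ("quietlampovenchair", 18, "lowercase only"),           # long and simple
    ])
    for row in table:
        print(f'{row["password"]:<20} {row["length"]:>2} chars  {row["bits"]:>5} bits  '
              f'worst case {row["worst_case"]} at {ASSUMED_GUESSES_PER_SECOND:.0e} guesses/s')
    ratio = keyspace_ratio(8, "upper + lower + digits + symbols", 12, "upper + lower")
    print(f"12 letters have {ratio:,.0f}x the search space of 8 fully complex characters")
```

The bits column is the number to compare: 12 letters (about 68 bits) beat 8 characters drawn from the full printable set (about 53 bits) by a factor of roughly 59,000, and an 18-character lowercase passphrase (about 85 bits) beats both.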
Train your employees
Lastly, train your employees on cybersecurity. Educate them on the types of cyber threats they may encounter and on how to handle your systems and credentials. Make this training mandatory for all new hires, with periodic refresher training throughout the year. Track your internal cybersecurity training so you have a record of who completed it and whether they passed the assessment. Have your IT team send out simulated phishing emails to see how many employees fall for them. If many do, reassess the effectiveness of your training; you might need a better method. Many vendors offer cybersecurity awareness training for employees. Retraining and reminders will keep your staff vigilant.
The risk management process
Each organization is unique, and so is its technology infrastructure. There is no cookie-cutter approach to managing cybersecurity risks. You can start by reading about general risk mitigation methods, like the International Organization for Standardization’s (ISO’s) standard 31000. This standard offers a framework for risk management.
The cybersecurity risk management process involves:
Risk strategy. Determine the processes and controls your business needs. Do you have internal staff who can detect intruders and deploy countermeasures if you’re attacked? Or will you outsource your IT solutions?
Risk analysis. Understand the specific threats your business faces. Do you use cloud solutions, on-site networks or a combination of both? Are your APIs secured? Do you have a remote or hybrid workforce? If you experienced a cyberattack, would you have the revenue to recover from lawsuits and government and state fines? Could you restore your networks quickly so you wouldn’t lose revenue during downtime? Could you identify how the intrusion occurred so you could fix it?
Implementation. Implement your security measures. Use an internal or outsourced IT team to fill your cybersecurity gaps.
Risk training. Train your staff on their role in cybersecurity. Human error, like clicking on a fake link or trusting a deepfake, is still one of the biggest cybersecurity threats.
Monitoring. Run phishing simulations and exercise your cyber incident response plan with a drill. Adjust the plan as needed.
Risk transfer. Transfer your remaining risk by obtaining a cyber liability policy to help after a cyberattack.
Ultimately, risk management is about weighing the benefits of risk reduction against the costs. Your cybersecurity risk management strategy should acknowledge that you cannot eliminate all system vulnerabilities or block all cyberattacks. But getting ahead of your cybersecurity risk will help you address the most critical flaws, threat trends and potential attacks.
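The cost-benefit weighing described in this section, as an added example that is not from the original article, ISO 31000 or IBM: it ranks a small risk register by annualized loss expectancy (ALE = single loss expectancy × annualized rate of occurrence), funds a control only when the loss it avoids exceeds its cost, and marks any residual loss above the organization’s risk appetite for transfer to a cyber liability policy. Every dollar figure, frequency and control-effectiveness value is a constructed assumption.

```python
"""Prioritize a cyber risk register and decide mitigate / transfer / accept.

Added example, not from the original article, ISO 31000 or IBM. It uses the
classic quantitative model: annualized loss expectancy (ALE) = single loss
expectancy (SLE) x annualized rate of occurrence (ARO). All dollar figures,
frequencies and control effectiveness values are constructed for the demo.
"""
from dataclasses import dataclass


@dataclass
class Risk:
    name: str
    sle: float                    # expected cost of one incident, in dollars
    aro: float                    # expected incidents per year
    control: str                  # proposed mitigation
    control_cost: float           # annual cost of the control
    control_effectiveness: float  # fraction of expected loss the control removes, 0..1


def ale(risk: Risk) -> float:
    """Annualized loss expectancy before any new control."""
    return risk.sle * risk.aro


def residual_ale(risk: Risk) -> float:
    """Expected annual loss that remains if the control is funded."""
    return ale(risk) * (1 - risk.control_effectiveness)


def rosi(risk: Risk) -> float:
    """Return on security investment: annual loss avoided minus the control's annual cost."""
    return (ale(risk) - residual_ale(risk)) - risk.control_cost


def treatment(risk: Risk, risk_appetite: float) -> dict:
    """Decide how to treat one risk.

    Fund the control when it avoids more loss than it costs. Whatever expected loss
    remains above the organization's risk appetite is transferred (cyber insurance);
    otherwise it is accepted.
    """
    fund = rosi(risk) > 0
    remaining = residual_ale(risk) if fund else ale(risk)
    return {
        "risk": risk.name,
        "ale": ale(risk),
        "mitigate": fund,
        "residual_ale": remaining,
        "transfer": remaining > risk_appetite,
    }


def prioritize(register, risk_appetite: float):
    """Rank the register by ALE, highest first, with a treatment decision for each."""
    return sorted((treatment(r, risk_appetite) for r in register),
                  key=lambda t: t["ale"], reverse=True)


# Constructed sample register (all numbers are illustrative assumptions).
SAMPLE_REGISTER = [
    Risk("Ransomware via phished credentials", 500_000, 0.2,
         "Tested offline backups + EDR", 40_000, 0.7),
    Risk("Business email compromise", 80_000, 1.0,
         "Awareness training + phishing simulations", 15_000, 0.5),
    Risk("Third-party vendor compromise", 1_200_000, 0.05,
         "Vendor security assessment program", 30_000, 0.3),
    Risk("Denial of service on web storefront", 20_000, 2.0,
         "DDoS mitigation service", 12_000, 0.8),
]
SAMPLE_RISK_APPETITE = 50_000  # assumption: expected annual loss the business will carry itself


if __name__ == "__main__":
    for row in prioritize(SAMPLE_REGISTER, SAMPLE_RISK_APPETITE):
        action = "mitigate" if row["mitigate"] else "do not fund control"
        action += ", transfer residual via insurance" if row["transfer"] else ", accept residual"
        print(f'{row["risk"]:<40} ALE ${row["ale"]:>9,.0f}  '
              f'residual ${row["residual_ale"]:>9,.0f}  {action}')
```

In the sample, the vendor-compromise control costs more than the loss it avoids, so it is not funded and the full expected loss sits above the risk appetite; that is the risk the policy in the "Risk transfer" step is meant to carry. The other three controls pay for themselves and leave residual loss the business can absorb.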
Learn more and stay ahead with Menicucci Insurance Agency – contact our expert agents at 505.883.3683