Insurance CIO Outlook

Three Steps to Reducing Cyber Risk in Your Organization

By Pete Schwanke, Westfield’s Chief Risk Officer, Westfield Insurance


Cyber risk is seemingly everywhere and ever-changing, creating a daunting challenge for all businesses. It can be easy either to spend endlessly on technology and resources with minimal impact on the risk, or simply to concede that bad things may happen and that little can be done about it.

Even with a solid security program, your next cyber event may only be an unwitting click away. Studies, such as Shred-it’s 2018 State of the Industry Report, show that employee negligence remains the largest cyber risk in an organization. Social engineering is the most common root cause, and its outcomes include data or monetary theft, ransomware, and denial-of-service attacks, to name a few.

While technology is important, employee education is paramount to reducing risk. In fact, education is quite possibly a business’ most cost-effective cyber risk reduction investment. With a commitment by leadership and a relatively small investment in time and technology, an organization can greatly improve its cybersecurity posture. Within the realm of social engineering, let’s focus on reducing the risk posed by email phishing.

A successful program consists of three components that are enabled by technology and predictive analysis. The first of these is instruction. Instruction can take many forms, but results improve when more than one method is utilized. For example, instructor-led classes, online modules, office signage, “lunch & learns,” etc. all provide for knowledge sharing and interaction. As to course content, the basics include scrutiny of email file attachments and of grammatical errors, how to hover over an embedded link to reveal the URL it actually points to, and how a subtle nuance may be a red flag, such as the use of a formal name where a casual one would be expected (e.g., Joseph rather than Joe).

Second is a reporting mechanism. While deleting suspicious emails is one solution, it doesn’t give the employee a way to deal with a questionable email: one that may be legitimate but also raises suspicion. This can be solved by providing an email address to which potential phishes are forwarded for analysis or, more simply and more functionally, by using a commercially available product that allows single-click reporting from the email client. The suspicious email must then be analyzed by a security professional, which admittedly may not be a small task, but who then provides the employee with a response.


Finally, to allow for continuous improvement, the same single-click reporting product should be part of a suite of tools that facilitates the routine testing of employees. By starting with easy-to-spot phishes, gradually increasing the difficulty, and then varying it over time, employees become accustomed to spotting and reporting both real and test phishing emails. Employees can receive instant feedback and encouragement when they report these attempts by being routed to a congratulatory or educational splash page. Organizations might also consider publishing a real-time counter that shows how long it’s been since a phishing link was clicked. Most importantly, this process fosters a partnership between the employee and the security team: “when in doubt, click the reporting button.”

While this program proves very successful over time, its critical component is effective automation and predictive analysis; otherwise, the constant flow of reported emails can overwhelm the security team. Just like the employee test phishing emails, this process begins with the basics and progresses over time.

The first round of automation begins with systematically checking indicators, such as links and attachments, against security subscription services that track known malware. Using this information allows for a quick and consistent response to users as to what action should be taken with a particular email. The limitation is that these verdicts are only as good as the feeds: a new campaign that no subscription service has catalogued yet passes this check unnoticed.

As an improvement, custom security indicators can be added to cover the gaps in the subscription services, which arise primarily because new threats appear faster than the feeds are updated. These indicators are predominantly created from security professionals’ expertise and experience and may include common phishing URL patterns, specific file extensions, uncommon websites, etc. This sets the table for an automated response, such as auto-blocking websites found to be malicious, eliminating the need for security professionals to respond manually. Because such heuristics can produce false positives, any automated block should be logged and easy to reverse.

Lastly, using this threat intelligence information combined with thousands of real-world emails, a machine learning model (or predictive model) can be created. This model, based on statistical analysis of the data above, can designate most reported emails as phishing, spam, or legitimate with a high degree of confidence. For the relatively few emails where the model doesn’t reach a high level of confidence, a security professional can review them manually and even detonate them in a malware sandbox before responding. The analysts’ verdicts then feed back into the model’s training data, closing a continuous improvement loop.
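As an added example (not Westfield’s code or any vendor’s product), the three automation stages above chained into one Python triage function: a stand-in lookup against a known-malware feed, analyst-written indicators (including an automated form of the “hover over the link to reveal the URL” lesson from the instruction component), and a small Naive Bayes classifier whose low-confidence verdicts are routed to an analyst and sandbox. The feed entries, indicator rules, training corpus, confidence threshold and function names are all constructed for illustration; a real deployment would train on thousands of labelled reports and pull its feed from a subscription service.

```python
"""Three-stage triage for employee-reported emails: (1) feed lookup, (2) analyst-written
indicators, (3) a Naive Bayes model that defers to a human when unsure. Illustrative;
the feed, rules and training data are constructed. Standard library only."""
import hashlib
import math
import re
from collections import Counter
from urllib.parse import urlparse

# Stage 1: constructed stand-in for a commercial known-malware subscription feed.
KNOWN_BAD_DOMAINS = {"secure-login-verify.example", "mailbox-quota.example"}
KNOWN_BAD_SHA256 = {hashlib.sha256(b"constructed malware sample").hexdigest()}
# Stage 2: hypothetical analyst-written indicators.
RISKY_EXTENSIONS = {".exe", ".js", ".vbs", ".scr", ".hta", ".iso", ".lnk"}
RISKY_TLDS = (".zip", ".top", ".xyz")
URL_RE = re.compile(r"https?://[^\s\"'<>]+")
ANCHOR_RE = re.compile(r'<a[^>]*href="([^"]+)"[^>]*>\s*(https?://[^<\s]+)\s*</a>', re.I)
IP_HOST_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
CONFIDENCE_THRESHOLD = 0.8  # stage 3 verdicts below this go to an analyst
# Stage 3: constructed labelled reports (a real deployment trains on thousands).
TRAINING_CORPUS = [
    ("urgent verify your account password reset link expires today", "phishing"),
    ("your mailbox quota exceeded click here to verify account now", "phishing"),
    ("invoice payment overdue open attached document immediately", "phishing"),
    ("security alert unusual sign in confirm your password now", "phishing"),
    ("congratulations you won free prize claim your reward today", "spam"),
    ("limited offer discount buy cheap pills online now", "spam"),
    ("earn money from home free trial subscribe today", "spam"),
    ("best deal cheap watches free shipping offer", "spam"),
    ("meeting moved to thursday please update your calendar", "legitimate"),
    ("attached are the quarterly sales figures for review", "legitimate"),
    ("lunch and learn next week on the new expense policy", "legitimate"),
    ("reminder the parking lot will be repaved on friday", "legitimate"),
]

def hostname(url):
    return (urlparse(url).hostname or "").lower()

def stage1_feed_lookup(urls, attachments):
    """Return a reason if a URL host or attachment hash is already in the feed."""
    for u in urls:
        if hostname(u) in KNOWN_BAD_DOMAINS:
            return f"feed: known-bad domain {hostname(u)}"
    for name, data in attachments:
        if hashlib.sha256(data).hexdigest() in KNOWN_BAD_SHA256:
            return f"feed: known malware hash in {name}"
    return None

def stage2_custom_indicators(text, urls, attachments):
    """Heuristics that catch a new campaign before the feed knows about it."""
    hits = []
    for u in urls:
        h = hostname(u)
        if IP_HOST_RE.match(h):
            hits.append(f"IP-literal URL {u}")
        if h.endswith(RISKY_TLDS):
            hits.append(f"risky TLD on {h}")
    # The "hover to reveal the real URL" lesson, automated: link text that is a URL
    # for one host while the href points at another.
    for href, shown in ANCHOR_RE.findall(text):
        if hostname(href) != hostname(shown):
            hits.append(f"link text {hostname(shown)} hides href {hostname(href)}")
    for name, _ in attachments:
        ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
        if ext in RISKY_EXTENSIONS:
            hits.append(f"risky attachment type {name}")
    return hits

def tokenize(text):
    return re.findall(r"[a-z]+", re.sub(r"<[^>]+>", " ", text.lower()))

class NaiveBayes:
    """Multinomial Naive Bayes with Laplace smoothing over bag-of-words features."""
    def __init__(self, corpus):
        self.words, self.totals, self.docs = {}, Counter(), Counter()
        for text, label in corpus:
            toks = tokenize(text)
            self.words.setdefault(label, Counter()).update(toks)
            self.totals[label] += len(toks)
            self.docs[label] += 1
        self.vocab = len(set().union(*self.words.values()))

    def predict(self, text):
        """Return (label, posterior probability) for the most likely class."""
        toks, n_docs, logp = tokenize(text), sum(self.docs.values()), {}
        for label, counts in self.words.items():
            denom = self.totals[label] + self.vocab
            logp[label] = math.log(self.docs[label] / n_docs) + sum(
                math.log((counts[t] + 1) / denom) for t in toks)
        best = max(logp, key=logp.get)
        return best, 1.0 / sum(math.exp(v - logp[best]) for v in logp.values())

MODEL = NaiveBayes(TRAINING_CORPUS)

def triage(text, attachments=()):
    """Run the stages in order and return what an auto-responder needs to act."""
    urls = URL_RE.findall(text)
    reason = stage1_feed_lookup(urls, attachments)
    if reason:
        return {"verdict": "phishing", "stage": 1, "reasons": [reason], "action": "auto-block"}
    hits = stage2_custom_indicators(text, urls, attachments)
    if hits:
        return {"verdict": "phishing", "stage": 2, "reasons": hits, "action": "auto-block"}
    label, confidence = MODEL.predict(text)
    if confidence < CONFIDENCE_THRESHOLD:
        return {"verdict": "undetermined", "stage": 3, "confidence": confidence,
                "action": "analyst review, detonate in sandbox"}
    return {"verdict": label, "stage": 3, "confidence": confidence, "action": "auto-reply"}
```

The stage order matters: a feed hit is cheap and authoritative, so it short-circuits before any heuristic or model runs, and heuristic hits short-circuit before the model. The threshold is the knob that trades analyst workload against misclassification; whatever the analyst decides about an “undetermined” email should be appended to the training corpus so the next retraining benefits, which is the feedback loop the paragraph above describes.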

This combination of educational efforts, technology, and predictive analysis has bolstered Westfield’s program and positively impacted our click-through rate on both real and test phishing emails, providing a real reduction in the risk emanating from social engineering.
