IT and cybersecurity leaders can find a virtually endless stream of advice on steps they should take to protect their organizations against cyberattacks. But addressing every potential risk and adhering to every security best practice under the sun just isn't feasible for many businesses. They lack the personnel, tools, or time to follow every security guideline to a T.
That's why a realistic approach to cybersecurity hinges on knowing which security practices to prioritize. If you can't do everything, what should you do to achieve the best possible tradeoff between resource utilization and security outcomes?
Leveraging cyber insurance guidance to shape cybersecurity strategy
Recent cybersecurity insurance research from the Ponemon Institute (which was sponsored by my organization, Recast Software) offers some valuable guidance. The research, which is based on survey responses from hundreds of IT leaders, focuses on the specific practices that cybersecurity insurance providers expect organizations to have in place to qualify for insurance protections.
To be sure, meeting cybersecurity insurance requirements should not be the sole focus of any organization's cybersecurity policy any more than paying car insurance premiums should be an excuse for driving dangerously. The primary goal should always be to prevent attacks and minimize their impact. Stopping attacks from occurring in the first place is preferable to having an attack happen but getting an insurance payout to cover it.
Still, for IT leaders looking for a set of guidelines to help shape their cybersecurity strategies, the mandates of cybersecurity insurance providers offer a great place to start. Cybersecurity insurers know a thing or two about what it takes to keep businesses safe and about the best practices that tend to align with positive security outcomes.
To that end, here's a look at what the Ponemon research reveals about the key cybersecurity best practices that insurance providers expect and how IT organizations can leverage them to plan their security strategies.
The importance of regular cybersecurity assessments
One of the most basic findings of the research is also the most illuminating: About half of cybersecurity insurance providers require regular security assessments of their clients. In other words, they expect their customers to be able to prove, on a routine and recurring basis, that they conform to a variety of security best practices.
This is notable because it shows that a large number of businesses are accountable to external stakeholders in the form of insurance providers when it comes to cybersecurity. The ability to prove compliance with security best practices is not important only for companies operating in highly regulated industries where regulatory frameworks like PCI DSS or HIPAA apply. It's critical for organizations that simply want to obtain cybersecurity insurance coverage, too.
Top cybersecurity best practices (according to insurers)
When they perform cybersecurity assessments, insurance providers look for evidence of the following key practices, according to a majority of respondents to the Ponemon survey:
- Security awareness and training programs, which educate employees about risks like phishing.
- Investment of adequate budget in cybersecurity staffing, tooling, and other resources.
- The readiness of a cybersecurity incident response team that can react to incidents quickly, mitigating their total impact on the business.
- Regular reviews and audits of cybersecurity practices to detect shortcomings that might lead to attack.
- Regular vulnerability scanning to detect software that needs to be patched.
This is not an exhaustive list of items that insurance providers review during client assessments (for that, check out the complete report), but these are the top practices that IT leaders must prioritize to comply with what insurance companies consider cybersecurity best practices.
Interestingly, the least-cited information that cybersecurity insurance providers look for, according to survey respondents, is details about an organization's total costs due to past breaches. The evidence suggests that insurance providers are most interested in knowing that clients have a proactive and comprehensive set of cybersecurity protections in place, not that they have a history of suffering few breaches.
Meeting security priorities is hard but worth it
It's worth noting that most organizations reported difficulty meeting all of the cybersecurity guidelines described above. More than a quarter said it was "extremely difficult" to comply with cybersecurity insurance requirements.
However, the data also shows that most organizations reap tangible benefits when they overcome the difficulties and conform with their insurers' mandates – and I'm talking here about benefits that extend beyond merely obtaining insurance coverage. Compared to respondents who said their overall security costs had increased since purchasing insurance, twice as many said their costs had gone down – an indication that adhering to the best practices insurers expect can bring greater financial efficiency within security operations.
Likewise, 22 percent of IT leaders said the frequency of cybersecurity attacks suffered by their organizations had decreased since purchasing insurance. Although slightly more said that the frequency had increased, the key contextual point to keep in mind is that overall, the rate of cybersecurity attacks is growing rapidly. The fact that a significant number of companies with insurance are seeing a decrease in attacks suggests that following insurers' mandates is a great way to defy the odds and reduce your organization's risk of attack in an environment where the overall level of risk is surging.
Conclusion: A more grounded approach to cybersecurity risk management
Again, there is an endless list of practices that can contribute to stronger cybersecurity postures. But the most important ones boil down to practices like security education, incident preparedness, regular internal audits, and ongoing vulnerability scanning and patching.
That, at least, is what cybersecurity insurance providers think businesses should prioritize today, and IT leaders would do well to heed their guidance.
Will Teevan is the CEO of Recast Software.