Your own cyber risk management underpins client confidence when you ‘practice what you preach’, says Tom Gill, information technology director at Willis Towers Watson Networks
There is much discussion around the exciting opportunities arising from being a Digital Broker, yet not so much around ensuring such digital interactions take place within a secure environment that suitably protects information. Insurance brokers are naturally active in the risk management space and Cyber Risk is an increasingly important topic for diligent brokers to advise their clients on.
The threats to, and vulnerabilities of, information systems represent a real and growing risk, and brokers must first ensure they can demonstrate that their own cyber defences are suitably robust. Doing so puts them in an authoritative position to offer Cyber Risk Management advice to their clients. Never has the term “practice what you preach” been so relevant.
The best approach to information security management is a holistic one: a statement from top management making it clear that it takes information risks seriously. This includes a clear instruction to ensure appropriate measures are taken to deal with information risk, and that safeguarding information is a critical issue for the whole organisation.
It is not possible to implement fool-proof cyber defences that rely on technology alone – our recent research indicates “two thirds of cyber breaches are caused by employee negligence or misconduct including losing laptops, the accidental disclosure of information or actions of rogue employees”. 2017 saw an estimated 2.5 million UK companies hit by a cyber breach. Debenhams and Wonga saw 26,000 and 250,000 records respectively affected by a cyber-attack. Mobile network Three had 200,000 records affected simply because an employee’s password was stolen. These are a few recent examples of cyber damage - imagine the costs and resources needed to rectify them. These are potentially business-crippling scenarios that I would suggest any prudent business owner will seek to avoid.
To achieve this, staff education in “cyber hygiene” and creating a culture that is constantly alert to cyber threats is vitally important. Suitable guidance, policies and procedures around these issues need to be an important part of ongoing staff education and such policies should be reflected in your codes of good conduct and in employment contracts. Third parties involved in outsourcing, including contractors, should similarly be bound to safeguard information shared with them.
When you think of information security, think CIA - Confidentiality, Integrity and Availability.
- Confidentiality means information must not be disclosed or made available to unauthorised individuals.
- Integrity means ensuring information is, and remains, complete and accurate.
- Availability means information is accessible on demand by authorised users.
At Willis Towers Watson Networks, we are actively encouraging our Network Members to adopt best practices around information security and, in particular, to attain Cyber Essentials (CE) certification for their businesses. Cyber Essentials is a government-backed scheme to improve corporate cyber health, developed with SME organisations in mind to be affordable and achievable. It focuses on five areas of security:
- Boundary management – controls around the gateways from your office network to the outside world, as well as physical premises security
- User access controls – how you control how staff or contractors get logons, email addresses, etc. for your systems, and what privileges they have
- Malware protection – protecting against viruses, Trojan horses, etc., not just with technology but through staff awareness and education as well
- Patch management – keeping software, operating systems, routers, etc. up to date
- Secure configuration – making sure all equipment is set up securely, with default passwords changed and any unnecessary software or features removed or disabled
We provide Network Members with guidance and a library of supporting materials around information security – templates, sample policies, procedures and training materials to help them achieve CE certification.
Network Members are also encouraged to purchase suitable Cyber Insurance cover for their own business, especially as more and more business is now done “on the move” via mobiles and tablets. We provide a specific scheme for our Network Members to ensure they have the right cover in place.
All of the above ensures our Network Members are protecting their own businesses as best they can. They are then in a great place to better advise their clients around Cyber Risk Management.