We get it, you’ve read countless blogs about how important cybersecurity awareness training is. You may have seen the startling statistics, too, with the latest ones showing that global cybercrime costs may reach $10.5 trillion annually by 2025. But we’re not here to say the obvious. We’re just redirecting your focus to a more pertinent issue.
Cybersecurity awareness training has long been viewed solely as a compliance or check-of-the-box activity. Not anymore. If 2022’s headlines-hitting Travelers MFA case is anything to go by, insufficient or subpar training could leave businesses open to denied claims from a cybersecurity insurance perspective.
In this blog, we’ll review the Travelers MFA case, how it could apply to cybersecurity awareness training, as well as look at other benefits of this training. Even better, we’ll let you in on how NetTech can help deliver cyber awareness as part of a managed IT plan.
Some Background on the Traveler MFA Case
Believe it or not, misinterpretations on an insurance policy can cause an organization to miss out on cyber coverage, as one company in Illinois recently found out.
In a one-of-its-kind federal case that kicked off on July 6, 2022, Travelers Property Casualty of America filed a complaint against its insured, International Control Services, Inc. (ICS). Travelers’ claims centered on allegations of material misinterpretations made by ICS during the application process for a Travelers cyber insurance policy. Specifically, Travelers asserted that ICS misinterpreted the extent of its utilization of multifactor authentication (MFA).
The alleged misinterpretations were brought to light when ICS experienced a ransom attack in May 2022. Upon being notified of the incident, Travelers conducted an investigation and claimed to have discovered the following discrepancies in ICS’s insurance application:
- MFA was not being employed to safeguard a server
- ICS solely utilized MFA to protect its firewall and neglected to employ it for any other digital assets
Travelers argued that because ICS had not utilized MFA to protect the server and other digital assets at the time of application, the statements made by ICS in its application constituted misrepresentations that justified the rescission of the policy.
Following an agreement by ICS to allow the court to issue a judgment rescinding the policy, the lawsuit was dismissed on August 26, 2022, with a judgment in favor of Travelers.
Understanding How the Travelers Case Could Apply to Cybersecurity Awareness Training
The Travelers vs. ICS case might have faded into the background. However, the message it sends to organizations taking cybersecurity training for granted will resonate for a long time to come. Of course, its overarching message is that organizations should take great care and focus when completing cyber insurance applications. But think about it, if an insurer is unwilling to pay a claim because of a limited MFA adoption, wouldn’t they refuse to pay a claim if they learn that employees have not gone through the required cybersecurity awareness training?
Many organizations fail terribly when it comes to ensuring that their employees give cybersecurity awareness training the seriousness it deserves. Often, employees are to blame; some are simply too aloof and not willing to corporate despite the organization’s best efforts. Some companies, perhaps oblivious of how sophisticated today’s cyber attacks are, don’t train their employees at all. This, as you’d imagine, results in a lack of knowledge about phishing and social engineering scams.
In nearly every cyber insurance application, there is a question regarding whether the organization provides cybersecurity awareness training to its employees. Should an improperly trained employee be directly responsible for a cyber attack, chances are excellent the insurer won’t cover the damages blindly. If anything, they have every right to investigate the attack in its entirety. At the end of it all, the insurer may refuse to pay the claim, arguing that the employee wasn’t trained yet the organization attested that employees are being properly trained on cybersecurity.
This doesn’t seem significantly different than not implementing MFA in the Travelers case.
Other Benefits of Cyber Awareness Training
The biggest takeaway so far is that the best cybersecurity awareness training is one that’s truly all-encompassing, continuous, and leaves no stone unturned. It should go beyond mere check-a-box compliance, motivated by regulatory and liability penalties, and evolve towards actually preventing security breaches at the people layer.
However, if you’re wondering why else you should implement security training in your organization, this section is for you. Here are additional benefits for executing training that is as exhaustive as it is human-centric:
Keep Valuable Company’s Assets Intact
Cybercriminals’ primary aim is to steal companies’ funds and valuable data. A successful breach cause severe financial loss as well as reputational damage to a business. You needn’t look any further than the recent T-Mobile data breach to understand the repercussions of a well-planned, perfectly-executed breach. T-Mobile claims they may “incur significant expenses” from the May 2023 breach. This is their second in a space of a few months.
A business can lose thousands to millions of dollars following a compromise. Such funds could have served as reinvestment to grow the business. Cybersecurity awareness training will reduce the risk of your company losing its most coveted assets to cyber criminals.
Eliminate Human Error
But these are not anomalous cases. Verizon’s 2022 Data Breaches Investigations Report revealed that 82% of data breaches involve a human element. This includes incidents in which employees expose information directly (for example, by misconfiguring databases) or by making a mistake that enables cybercriminals to access the organization’s systems.
The good news is, by establishing a comprehensive security awareness program, you can greatly diminish the risk of being targeted or experiencing a data breach. As they say, prevention is better than cure.
While at it, it’s important to ensure that your training programs are not just one-time events, but rather ongoing initiatives. This approach serves to reinforce the significance of maintaining vigilance and keeps employees up to date with emerging threats. The more knowledgeable and well-exposed your staff is, the more effectively they can safeguard your sensitive information and business against cyber attacks.
Saved Costs and Downtime
Cybercrime has cost American businesses approximately $6.9 billion in 2021 alone. In terms of unscheduled downtime, enterprises need 50 days on average to solve an insider’s attack and 23 days to recover from a ransomware attack. Investing in quality cybersecurity training is thus well worth it to prevent this. This is because worst-case scenarios often prompt small or start-up companies to shut down completely.
Aside from improved precautions, proper training can also help employees detect and manage intrusions early on, minimizing potential damage. It is worth noting that, on average, it takes workers approximately 286 days to identify an intrusion. However, with the right identification tactics acquired through proper training, you can significantly reduce this timeline.
How NetTech Can Help Deliver Cybersecurity Awareness as Part of a Managed IT Plan
All successful cyber attacks have one thing in common—someone, somewhere, was reckless or ignorant when they should’ve done the opposite. Even with today’s most advanced protection, organizations remain vulnerable because of one key factor: human error. The truth is that your employees are the weakest link in your business’s cybersecurity defense chain.
Thankfully, rigorous and continuous cybersecurity awareness is capable of transforming your employees into a trusted line of defense. With NetTech’s Awareness Training, you can measurably reduce risk while gaining new and unexpected allies in the ongoing battle to protect your organization’s assets and work. We know that as an SMB, you might not have the capability, expertise, or resources to run a fully-functional program on your own. Our goal is to relieve you of that burden by offering security training as part of a managed IT plan.
Our program brings together all elements of effective cybersecurity awareness. It also serves as a launchpad for reduced risk and a more resilient organization. Here are some of the components that it entails:
- Training modules. Employees are enrolled in quality, interactive training modules. Here, they will learn how best to identify and defend against cyber attacks, both simple and complex.
- Simulated attacks. We send customized company-specific phishing emails to your staff. This serves as a test to see if they click on the links and proceed to enter their credentials. This helps us gauge the cybersecurity culture maturity within your business and identify where an uplift is truly needed.
- Re-enrollment of compromised users. We enroll any users who might have failed a simulated attack back into the program where they’re retrained until they’re fully resilient and breach-proof.
- Reporting and feedback. You’ll receive an assessment of your employees’ progress with data that measures improvements.
However you look at it, cybersecurity awareness training is undoubtedly a critical piece of an organization’s IT security jigsaw. It keeps insurers happy, ensuring that you never suffer the same fate as ICS. That means zero financial consequences and ample peace of mind. In the same vein, it saves you costs and downtime, greatly reduces the chances of human error, and protects your company’s assets and work from cybercriminals’ reach. The best part is, if you choose NetTech to help deliver cybersecurity awareness through its managed IT plan, you’ll reap even greater benefits. Think minimal operational costs, ongoing dedicated expertise, and proactive monitoring and support. A big win, we’d say.
At NetTech Consultants, we’re proud to be Jacksonville’s leading MSP. We look forward to providing you with top-notch managed IT services that you can always rely on. Unlike other MSPs, we say less and do more. We under-promise and over-deliver. Hop on a call with us today to learn how we can help you.