Cybersecurity, and the cyber insurance that provides cover against cyber attacks, can both be significantly boosted by building a strong cyber risk profile that uses the right tools to assess digital risk, says Patrick Evans, CEO of SLVA Cybersecurity.
The digitalisation of the world is being driven by the enormous benefits it offers to businesses, such as greater levels of efficiency, improved productivity, reduced operational costs, better customer experiences, increased agility, and improvements to employee morale, communication, transparency, and decision-making capabilities.
Of course, as this digital transformation takes place within businesses, they open themselves up to the possibility of becoming a victim of the rapidly growing problem of cybercrime.
With so much valuable information that can now potentially be lost to a data breach or hack, protecting one’s environment from such cybercrime has become vitally important. Any company with an online presence, and a responsibility to protect its customers’ data, requires effective cybersecurity.
This approach is even more crucial in South Africa, considering that a 2021 Interpol report indicated that SA tops Africa in respect of cyber threats, and is, in fact, third on the global list, with some 230 million threats detected.
Under such circumstances, it is no surprise to learn that the CSIR estimates that cybercrime costs the South African economy somewhere in the region of R2.2 billion per annum.
The challenge for businesses is that even if they ensure strong and effective security within their own environment, they still face the growing security threat that is connected risk. This risk is defined as the risk created for a company by third-party breaches when cybercriminals use third-party applications to attack an organisation.
One only has to look at the staggering number of supply chain attacks that took place in recent years to understand just how lucrative the third-party method of attack has become. Businesses are now interconnected. Their systems and applications engage digitally. However, not all organisations are at the same level of cybersecurity maturity, or understand the business risks involved, or have the same degree of cyber resilience, which enables cybercriminals to piggyback on these ‘holes’ to bypass security.
Cybercrime insurance
It is for this reason that cybercrime insurance is a vital part of making any business future fit for the digital world. Much like other insurance products, cyber insurance focuses on providing the protection necessary to enable a company to bounce back from any business interruptions and financial loss incurred as a result of cybercrime. Cyber insurance also helps with the practical side of getting IT experts to restore systems, recreate data and pre-empt new threats.
Of course, as with other forms of insurance, obtaining such cover will require an assessment of your environment by the insurer, in order to determine the strengths and weaknesses in your security posture, your susceptibility to ransomware attacks, and the quality of your systems, processes and controls.
This is no different to how car insurers, for example, operate. Most insist that the vehicle has some form of immobiliser and tracking device fitted, and failure to fit them results either in significantly higher premiums or in a refusal to provide insurance cover at all.
So, how can you ensure that your business is as insurable as possible in a cyber-context? The answer lies in talking to experts who can undertake a proper assessment of your security environment and demonstrate which areas are most vulnerable.
So, where to start? A digital risk assessment tool, when used properly, will help to drive down your cyber insurance premiums. One exceptional example of this is Black Kite. Should a company want to know if it is insurable, it can undertake an outside-in assessment of its security controls, grading each one of the controls from A+ to F, to help determine its insurability.
SLVA Cybersecurity has introduced a service with Black Kite to help both insurers and the insured better understand their cybersecurity posture. SLVA Cybersecurity delivers this in two ways. The first is as a managed service through its MSSP partner Securicom, where Black Kite is set up and monitored, and workflows for remediation with the IT and security teams are established to ensure the solution takes the necessary steps to maintain the company’s requisite insurance grade. The second is via a self-service initiative whereby organisations manage their own third-party risk.
Globally, cyber risk insurers use Black Kite as one of their tools to assess an organisation’s cybersecurity readiness, where a C-grade or worse renders an “uninsurable” decision. Black Kite also presents a ransomware susceptibility index (RSI) on a scale of 0-1, where anything above 0.5 results in ransomware not being covered.
On the positive side, a secure environment with a B-minus grade or above offers the chance to negotiate more favourable rates. Increasingly, we see organisations use Black Kite results as evidence of their desire to safeguard their own IP and any of their own and their stakeholders’ Personally Identifiable Information (PII).
The benefits of digital risk assessment
In the simplest terms, a tool like Black Kite is designed to help the Chief Information Security Officer (CISO) gain awareness of what is most relevant in the threat landscape, both across their organisation and, crucially, potential third-party risks. What makes it so effective is that it is a non-intrusive intelligence-gathering platform, one which identifies critical vulnerabilities, pinpoints compliance gaps, and quantifies cyber risk in financial terms.
What makes it so efficient is that the solution’s reporting mechanism is able to offer concise and actionable insight into exactly which areas an organisation is doing well in, with regard to its cybersecurity approach, and which areas require immediate attention to protect what matters.
In addition, by virtue of utilising data and machine learning, Black Kite’s RSI™ is able to discover the likelihood that an organisation will experience a ransomware attack, by providing a multi-dimensional view of third-party risk.
This is vital since ransomware and unauthorised network access are considered to be two of the most common types of attack. The latter generally involves leveraging or cracking weak passwords and taking advantage of any vulnerabilities present in access control.
Therefore, having a strong defence strategy means carefully monitoring an entire cyber ecosystem by adopting a holistic approach to vendor risk management, and recognising that this requires intelligence from every angle. Black Kite’s protection goes beyond simple self-monitoring, as it instead takes the time to ensure that every last vendor is monitored for vulnerabilities.
With cyber insurance becoming an increasingly crucial part of an organisation’s budget, proving your company’s insurability is more important than ever. To this end, Black Kite uses the industry’s most accurate and comprehensive cyber intelligence to provide unique, standards-based cyber risk assessments.
What sets it apart is that it analyses your company’s supply chain cybersecurity posture from all three critical dimensions: technical, financial and compliance. This not only enhances business security significantly but also facilitates easier access to additional protection provided by cyber insurance companies.