Three investment tips to keep cyber threats at bay
By Ashley Watkins, Vice President ANZ, Trend Micro
Monday, 20 February, 2023
The topic of cyber insurance is likely to be on the lips of business leaders across the country in the wake of two of the most serious data breaches resulting from cybercriminal attacks in Australia’s history. And so it should, but not in the way you think.
I’m sure we’ve all seen the media reports about insurance brokers being inundated with calls following the Optus hack, with company directors and CEOs alike growing concerned about their companies’ cyber posture and their personal liability if things should go awry.
In today’s digital landscape, there’s no doubt that investment in cyber insurance — a specialty insurance product designed to help deal with IT and data security risks — plays an essential role in organisations’ approach to their cybersecurity profile, but it probably shouldn’t replace investment in prevention.
As cyber insurance premiums continue to go up in line with the growing number, size and severity of claims relating to threats like ransomware — a particularly prevalent form of attack — the argument for increasing investment in such cover begins to waver.
After all, most companies have a finite amount of money to invest in cybersecurity. Are you better off spending the bulk of your cybersecurity budget on growing insurance premiums or redirecting it to prevention and mitigation for a stronger security posture?
Investing wisely
Personally, I don’t see the point of buying the most expensive home insurance I can find if I leave my front door unlocked every day when I leave the house. I’d prefer to spend more money on a decent door and a decent lock to adequately protect my assets so they’re not at any great risk in the first place.
In the same way, business security is something that needs to be invested in for the long term, because business itself should be for the long term. This is why organisations are often far better off investing in building stronger cyber resilience, especially when it comes to cloud security, to protect their digital assets than they are doubling down on cyber insurance.
In fact, not having cyber attack prevention tools in place can limit an organisation’s basic ability to go to market and meet customers’ requirements. And with cloud infrastructure playing a central role in many companies’ operations and services, how can you possibly hope to deliver value for customers and shareholders if you don’t have adequate cloud security?
Indeed, the prevention aspect of cybersecurity is typically where companies can get the biggest return on investment from their cyber budgets, because it enables businesses to serve their customers properly, and in a way that builds trust, not fear.
And some of the very best ways to make those cyber dollars go as far as they can are to put them into education, particularly around the zero trust security model, good planning and a decent security operations centre (SOC)-as-a-service offering.
Education
Individuals typically remain the weakest link in businesses’ cybersecurity defences. This is why education is the single most important and effective measure organisations need to take to protect their digital assets from attack.
One of the areas that should be focused on as a priority is zero trust. Zero trust is not a particular kind of technology but rather a strategic model of cybersecurity that assumes that no connection, user or asset is trustworthy by default, instead maintaining strict verification measures for system access at any level, by any person.
Planning
One of the most effective ways to mitigate the fallout from a data breach resulting from a cyber attack is having a clear plan in place that can be executed calmly and in an orderly way to cover all the major bases if something bad does happen.
Having a clear plan and defined ownership of various responsibilities will help to ensure no stone is left unturned if an attack or a breach should occur. It will also help a business move into the ‘what now’ stage, which will lead into long-term remediation.
SOC-as-a-service
To do more with less, especially in a tight labour market, SOC-as-a-service can be a major lever organisations can use to extend their existing resources by tapping into those of dedicated cybersecurity professionals.
In fact, I’d recommend all businesses work with their security vendors to identify an SOC-as-a-service model that will work for them. This way, businesses can get back to the core three things that should be their primary focus: customer success, staff satisfaction and financial growth.
These factors are central to many of the conversations I’m having in company boardrooms today, because there’s a great deal of uncertainty in the market. Another topic of discussion is data sovereignty and the growing desire for information to be hosted in Australia, something that Trend Micro has invested in, localising its services and the data to support them.
All of these things are important, and cyber insurance certainly plays an important part in the cyber mix, but prevention is key when it comes to protecting company assets and customer data, so invest in it.