Underwriters often ask about an applicant's employee training on cyber security and whether there is a key employee responsible for such training and its administration. Statistics show that companies that provide cyber insurance training are more likely to avoid loss. Employee training and awareness should address the following topics:
- Phishing attacks are one of the oldest threats, yet remain highly effective. Verizon's "2021 Data Breach Investigations Report" found phishing emails were the most common threat action in cybersecurity breaches, and that phishing attacks increased by 11% in 2021. As a result, your cyber insurance training must show your employees how to recognize and handle phishing attacks.
- Social engineering attacks don't always use phishing emails. Be sure to remind employees they might find social engineering scams in front of them at a customer service counter, on the other end of a telephone call or even sitting in the next cubicle. Employees should understand the techniques used by social engineers and how adhering to security practices can frustrate those efforts.
- Password hygiene is a constant battle. Most organizations have addressed this threat by implementing multi-factor authentication, but password security remains crucial because not all systems support MFA. Employees who reuse passwords across multiple websites may expose corporate credentials when one of those sites is breached. Awareness programs can educate these team members about this risk and help them adopt password managers that encourage strong, unique passwords for each site they visit.
- Secure remote work practices became significantly more important beginning in 2020, when large portions of the workforce suddenly began working from their homes with little or no preparation due to the pandemic. Cybersecurity awareness programs should focus on ensuring that employees understand corporate policies around storing and accessing information outside of the office.