Cyber insurance plays a key role in managing and reducing cyber risk. As cybercrime becomes more common and costly every day, the cyber risk continues to increase for all organizations. Insurance providers are seeking to reduce their costly claims for ransomware and business email compromise (BEC) attacks with security awareness training incentives and requirements.
Security awareness training is the leading measure insurance providers ask companies to implement to improve prospective policyholders' security posture and reduce their cyber risk.
We've created a security awareness training framework for training content based on the NIST Special Publication 800-50 and CIS Critical Security Controls v8 cybersecurity frameworks.
1. Conduct a needs assessment to understand known cybersecurity risks.
2. Create a security policy and inform all end-users of their IT security responsibility to follow it.
3. Develop an awareness and training plan that covers the 6 training topics described below.
4. Set the metrics for a successful security awareness program based on your company's culture and needs. These metrics should relate back to the needs assessment developed in step 1.
5. Evaluate the training plan to determine whether it is effective, then repeat from step 1.
Watch Cyberattack Preppers: Leveraging SAT in your cyber insurance plan
HacWare CEO Tiffany Ricks and FifthWall Solutions' VP & Channel Chief, Wes Spencer, discuss the intersection between cybersecurity awareness training and your MSP's and clients' cyber insurance plans.
Watch the video on YouTube: https://youtu.be/KGSkZpqk6DQ
6 Must-Have Security Awareness Training Topics to comply with Cyber Insurance
Every security awareness program must address all 6 of these topics to improve the organization's cybersecurity posture, comply with cyber insurance requirements, and qualify for pricing incentives on insurance premiums.
Topic 1 - Identifying Phishing Attacks
The security awareness program must prepare your end-users to identify phishing attacks and report them to the proper authorities. It should explain the various types of phishing attacks, such as BEC scams, smishing, vishing, quishing, and other social engineering attacks that are used to lure your end-users into granting access to sensitive information.
Topic 2 - Securing Passwords
The security awareness program must prepare your end-users to secure their passwords and follow best practices for avoiding the most common password attacks. The program should address best practices for setting up multi-factor authentication (MFA) and using password managers. It should also explain the company's password policy, including when a password must be changed.
Topic 3 - Securing Your Data and Understanding Data Privacy
The training should explain what Personally Identifiable Information (PII) is and how their industry and state require them to secure it. The company should also communicate its policy for who is granted access to information and when that access should be revoked.
Topic 4 - Securing your Devices
The security awareness program should explain best practices for protecting personal computers and other smart devices from information security attacks.
Topic 5 - Clean Desk Policy
Your training program should cover why following a clean desk policy, both at work and while working remotely, matters for protecting data privacy.
Topic 6 - Securing Software Vulnerabilities
Your security awareness program should address application vulnerabilities. It should explain why it is important to update software applications to the most recent version. If your company has a web developer, software developer, or IT professional who writes code, include secure coding best practices in your security awareness program to avoid application security breaches. The training should also explain what OWASP is and why it is important for software developers to patch software vulnerabilities.