Are Companies with Cyber Insurance More Security Savvy? - Tecbound Technology


In today’s volatile cybercrime landscape, businesses need protection against the potentially massive loss in revenue caused by a cyberattack. Companies are almost guaranteed to experience at least one successful cyberattack in their lifetime, and that can be enough to put a company out of business. 60% of businesses hit by a successful cyberattack close within six months. But there are measures that companies can take to stave off that lousy end. Cyber insurance is one of them. Is it something every business should have, and do companies with cyber insurance experience fewer or different security challenges than companies without it?

  • Do businesses commonly carry cyber insurance?

A majority of businesses already carry cyber insurance. In our Datto SMB Cybersecurity for MSPs Report, we learned that seven in 10 of our respondents currently have cyber insurance: 69% reported that they have it, 23% said that they do not, and 8% were unsure. Cyber insurance is often a must-have for compliance for businesses in tightly regulated industries. Many companies also want to get cyber insurance if they don’t have it already. Over a third of the remaining respondents without cyber insurance said they would likely get it in the next 12 months. Companies in Australia and New Zealand, Singapore, and The Netherlands were most likely to have cyber insurance, while companies in the U.K. were the least likely to have it.

  • Are businesses without cyber insurance in the market for it?

If a company doesn’t have cyber coverage, is it looking to get it in the next year? In general, businesses that don’t currently carry cyber insurance are in the market for a policy to protect them from catastrophic loss due to a cyberattack. More than three-quarters of our respondents said that they are likely to pursue obtaining cyber insurance in the next year. However, 26% of respondents do not plan on getting cyber insurance in the next 12 months. Looking by region, companies in North America were most likely to purchase cyber insurance within the next year (80%), and companies in Germany were least likely to be in the market (38%).

  • Security awareness training is often a cyber insurance requirement:

Cyber insurers aren’t just going to cover anybody. Insurers want organizations to demonstrate a commitment to security before they agree to provide cyber insurance, with a shifting list of requirements to obtain or maintain coverage. One common item on that list is regular security awareness training, including phishing simulation for every employee. Sometimes, cyber insurers require potential clients to meet a specific cybersecurity framework benchmark, like HIPAA or SOC 2, to obtain cyber coverage. Both of those frameworks require security awareness training for compliance.

Of course, security awareness training is also a must-have for every organization. Beyond meeting cyber insurance requirements, security awareness training brings significant security improvements to companies without a hefty price tag. Researchers in a U.K. study discovered that the improvement in employee behavior that companies see when they engage in security awareness training is stark.

  1. At the beginning of the study, as many as 40% to 60% of the employees surveyed were likely to open malicious links or attachments.
  2. After six months of security awareness training, the percentage of employees who took the bait dropped to 20% to 25%.
  3. When the employees completed three to six months more of security awareness training, only 10% to 18% of them fell for phishing messages.
  4. Ongoing training is essential for organizations to receive benefits like these. Each employee should receive 11 sessions per year.

Source: I.D. Agent
