How are Cyber Insurance & Human Vulnerability Related?
The podcast discussion highlights that cyber insurance carriers increasingly mandate comprehensive and frequent employee cybersecurity training and testing to mitigate human vulnerabilities, as human error remains a primary cause of breaches, thereby linking effective human vulnerability management directly to insurance eligibility and risk reduction.
Podcast Discussion: Cyber Insurance & Human Vulnerability
Participants: Connor Swalm (Host, CEO of Phin Security), Wes Spencer (Cybersecurity Expert)
Introduction
Connor Swalm welcomes listeners to the Gone Phishing podcast, focusing on cybersecurity threats and human vulnerability. He introduces Wes Spencer to discuss the intersection between cyber insurance and human vulnerability management.
The Relationship Between Cyber Insurance and Human Vulnerability
- Cyber insurance carriers are increasingly recognizing the importance of human vulnerability management.
- Training employees on cybersecurity reduces both the likelihood and impact ("blast radius") of breaches.
- Human error is almost always a factor in security breaches.
- Carriers are now questioning whether organizations are training their people and may refuse to insure those who do not.
Human Involvement in Breaches
- Many breaches are attributed to human mistakes, such as falling for phishing emails or failing to report incidents.
- There is a growing awareness among carriers that untrained employees represent a significant security risk.
- Organizations often underestimate the potential cost and impact of a breach.
Technology vs. Human Vulnerability
- Discussion on whether technology is becoming more secure or humans are becoming more vulnerable.
- Many clients do not relate high-profile breaches to their own organizations and underestimate the risks.
- There is a need to educate clients about the real dangers and costs associated with breaches.
Cyber Insurance Requirements for Training
- Carriers typically ask if every user is trained in cybersecurity and how often this training occurs.
- The minimum expectation is usually annual training, which is considered outdated by the speakers.
- Carriers also ask if organizations test their employees (e.g., phishing simulations) and how frequently.
- Both speakers agree that more frequent, relevant, and realistic training is needed.
Improving Human Vulnerability Management
- Effective human vulnerability management goes beyond annual training and basic phishing tests.
- Real-world simulations tailored to the specific organization are recommended.
- Continuous, relevant training helps employees recognize and respond to threats more effectively.
- Celebrating failures in simulations can increase awareness and preparedness.
Issues with Current Training Approaches
- Some organizations tie employee compensation to phishing test performance, which can create a negative dynamic.
- Employees may feel punished and develop adversarial relationships with security teams.
- Long, infrequent training sessions are ineffective; employees often ignore them and do not learn.
- The goal should be to support employees in being safe, not to penalize them for mistakes.
Conclusion
- The discussion emphasizes the importance of engaging, continuous, and relevant security awareness training.
- Organizations should focus on building a positive security culture rather than relying on punitive measures.
- Connor Swalm invites listeners to learn more about creating effective awareness training programs.
For more information about creating high-quality awareness training programs that engage employees and change habits, visit Phin Security at phinsec.io.