
Cybersecurity is a Team Effort and Everyone Plays Defense

January 15th, 2020

4 min. read

By Jason Kilgas, Director of IT & Innovation


When we talk about cybersecurity, especially as it relates to cyber insurance, we spend a lot of time talking about everything that IT does in the background that protects a company—all the systems, the software, the company policies and procedures.

But we don’t spend enough time talking about the most significant risk (and the most common cause of a breach) … people. And that risk gets bigger the more employees you have.  

Believe it or not, when it comes to cybersecurity, computers are the easier part. They do what they are configured to do, and that configuration can be tested and audited. People, on the other hand, are an unknown variable.

To protect against your employees unknowingly creating a security breach, they need to understand the real, everyday risks inherent to performing their daily duties and accept their responsibility for keeping company data safe.

A Breach is Just a Click Away

Imagine your busiest time of the year is the fourth quarter. Your employees are not only hustling every day to meet clients’ needs, but also juggling holiday preparations and scheduling meetings around days off. People. Are. Busy.

A tenured employee gets an email that appears to come from a vendor, asking her to confirm information for a new order. The employee quickly glances at the message and clicks the link. It takes her to a page that looks like the vendor's website, she enters her credentials and … BAM! The vendor never sent that email. It was a phishing scam, the attacker now has her username and password, and your nightmare has only just begun.

It’s that easy. Just one click. In my career, whenever I have counseled an employee who has fallen victim to phishing, I always hear some version of the same thing, “I feel so stupid. I am just so busy. I was working so fast; I didn’t even take the time to look at it.”

Well, guess what? That’s exactly what cyber criminals are hoping. They want you to be vulnerable, and momentarily foolish, and just open it without even thinking.

Sure, But My Insurance Protects Me, Right?

Today, all businesses need cyber insurance. But you can’t just buy the insurance and then walk away and say, “OK, now we’re good, we don’t have to worry about security.” Just because you have car insurance doesn’t mean you drive like a maniac.

No one wants to go through the aftermath of a security breach. Your insurance will cover many of the losses, but there is still some financial liability, and you can’t insure your reputation.

If a breach is big enough, it doesn't matter whether you have insurance to cover it: you still have a problem if no one trusts you with their personal information. Some businesses are big enough to absorb that and move on, but it could put a smaller company out of business.

So, beyond insurance coverage, you need to put practices in place to help manage the risks. 

Building a Culture of Security and Accountability

Your lawyer will tell you that the severity of a data breach (and your potential liability) is determined by several factors, including the preventative measures your company takes to reduce risk. This includes not only the technical things IT does in the background, but also the organizational preparation (you know, the people side of things).

And what’s the best way to get people to do what you want them to do? Inspire them to want it, too! Here are some tips to help you build a culture around security at your organization:

Communicate Employee Handbook Policies and Procedures
A company needs cyber policies and procedures written down so employees can be trained and held accountable based on the known rules. The rules should be clearly communicated and repeated frequently and following them should be demonstrated from the top down.

Train, Test, Repeat
Training is an important part of your security communication. Security breaches can happen in a variety of ways, from improper storage of client personal information (PI) to careless sending and receiving of email. We all understand the allure of the blue link (it's like candy; you just want to click and find out what's hiding there). Employees need to be trained to look for the signs of a scam before they click: a sender address that doesn't match the name shown, a link whose real destination differs from the text it displays, a reply address that goes somewhere else, and pressure to act right now.

One way IT can test employee knowledge is through social engineering tests provided by third-party security vendors. The idea is that the employee receives a simulated phishing email and needs to decide if it’s legitimate. If the employee recognizes it as fake, he doesn’t click and passes the test. If, on the other hand, the employee misses some key indicators and clicks a link or opens a document, he fails. Employees who fail can go through a coaching session to review key indicators, so they can recognize a scam in the future.
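The "key indicators" a coaching session walks through can also be checked mechanically, which is what a mail gateway does at scale and what an employee does by hand when she reads the real sender address and hovers over the link. The following is an added example, not code from the original article or from McClone: a small Python script that parses a constructed phishing email modelled on the vendor scenario above and flags four common signs (a sender domain imitating a known vendor, a Reply-To steered to a different domain, a link whose visible text and real destination differ, and urgency language), then runs the same checks on what the genuine vendor's message would look like. The vendor domain acme-supply.example, both sample messages and every name in them are assumptions invented for this example.

```python
"""Flag the common signs of a credential-phishing e-mail on constructed sample messages."""
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed for this example: the one vendor domain the employee really deals with.
KNOWN_VENDOR_DOMAINS = {"acme-supply.example"}
# Pressure language that lures use to stop a busy reader from looking closely.
URGENCY_PHRASES = ("urgent", "immediately", "as soon as possible", "will be suspended")

class _LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def _addr_domain(header_value):
    """Lower-cased domain of an address header, or '' if none is present."""
    _name, addr = parseaddr(str(header_value or ""))
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def _host(url):
    return (urlparse(url.strip()).hostname or "").lower()  # '' when the text is not a URL

def _lookalike_of(host):
    """Vendor domain whose name `host` borrows without being (under) that domain, or None."""
    for vendor in KNOWN_VENDOR_DOMAINS:
        genuine = host == vendor or host.endswith("." + vendor)
        if vendor.split(".")[0] in host and not genuine:
            return vendor
    return None

def phishing_indicators(raw_message):
    """Return human-readable indicators found in an RFC 5322 message string."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []
    from_dom, reply_dom = _addr_domain(msg.get("From")), _addr_domain(msg.get("Reply-To"))
    # 1. The sender borrows a known vendor's name but is not that vendor's domain.
    lookalike = _lookalike_of(from_dom)
    if lookalike:
        findings.append(f"From domain {from_dom!r} imitates {lookalike!r}")
    # 2. Replies are steered to a different domain than the apparent sender.
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom!r} differs from From domain {from_dom!r}")
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body is not None else ""
    # 3. A link's visible text shows one site while its href goes to another, or to a lookalike.
    collector = _LinkCollector()
    collector.feed(text)
    for href, shown in collector.links:
        real, shown_host = _host(href), _host(shown)
        if shown_host and real != shown_host:
            findings.append(f"Link text shows {shown_host!r} but points to {real!r}")
        lookalike = _lookalike_of(real)
        if lookalike:
            findings.append(f"Link host {real!r} imitates {lookalike!r}")
    # 4. Pressure to act now, in the subject or the body.
    lowered = (str(msg.get("Subject", "")) + " " + text).lower()
    hits = [p for p in URGENCY_PHRASES if p in lowered]
    if hits:
        findings.append("Urgency language: " + ", ".join(hits))
    return findings

# Constructed sample (not a real message): the lure from the scenario above.
SUSPICIOUS_EMAIL = """\
From: "ACME Supply Orders" <orders@acme-supply-portal.example>
Reply-To: confirmations@mail-acme.example
Subject: URGENT: please confirm your new order details
Content-Type: text/html; charset=utf-8

<p>Please confirm your order information immediately so we can ship on time.</p>
<p><a href="http://acme-supply.example.login-verify.example/confirm">https://acme-supply.example/orders</a></p>
"""

# Constructed sample: the same request as the genuine vendor would send it.
LEGITIMATE_EMAIL = """\
From: "ACME Supply Orders" <orders@acme-supply.example>
Subject: Order details for your review
Content-Type: text/html; charset=utf-8

<p>Your order details are ready for review when you have a moment.</p>
<p><a href="https://acme-supply.example/orders">https://acme-supply.example/orders</a></p>
"""
```

Calling `phishing_indicators(SUSPICIOUS_EMAIL)` returns five findings (lookalike sender, mismatched Reply-To, a link whose text and destination disagree, a lookalike link host, and urgency wording), while the legitimate message returns none. A simulated-phishing campaign is worth building around exactly these differences, because they are the ones an employee can verify in a few seconds without any tooling.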

Knowledge is reinforced through repeated training and testing, but you want to keep employees engaged. Many companies keep employees involved by incorporating games and competition into ongoing security initiatives. For example, employees participate in trivia contests or role playing where they pretend to be hackers looking for ways into the system. You might even consider awarding small prizes to the winners.

Consistently Enforce Consequences 
No one really likes to talk about discipline, but we all know that rules are useless without consistent enforcement. For example, you can write a policy that says, “Employees will not send clients’ personal information (PI) in emails.” But does your policy prevent anyone from emailing PI? Nope. So, what do you do when a busy, rushed employee forgets and sends PI in an email?

There needs to be a clear, known consequence for a policy infraction, and it doesn't necessarily need to be severe. In fact, most employee relations experts agree that discipline should be progressive and correlate to the infraction (let the punishment fit the crime). But the message must come from the top down that this is not how we do things: there are real risks involved and we are all responsible for keeping information secure.

Plan How to Handle a Breach and Its Aftermath
The reality is that even in a culture of security, at some point somebody is going to click, and it won’t be a test. What happens next is mission critical to your ability to halt the breach and mitigate the damage.

Employees need to be trained to think of IT as 911 in a breach: get on the phone and let the right people know as soon as possible. Whether it's a virus, other malware, or a link you clicked, the threat is now in motion. Worry about the consequences later.

If you have built a culture where the consequences of mistakes have been reasonable and consistent, you substantially increase the likelihood that employees will self-report an incident immediately. This is especially important because time is of the essence during a breach. The sooner that IT can respond to a known threat, the faster they can shut it down and reduce losses. 

Security isn’t just about identifying risk, putting policies in place to reduce risk, and preparing for the worst. It’s how you handle a crisis in the aftermath that’s often met with the most scrutiny. Build a culture that can bounce back from a breach knowing everyone followed the game plan. Yes, there will be losses—that’s what your insurance is for—but if you cut the hackers off at the knees with your fast action, it might still feel like a win.


Jason Kilgas, Director of IT & Innovation

In his role, Jason has complete oversight and management of Information Technology services for McClone. He has more than 10 years of experience in IT and he uses his skills and knowledge to support both internal personnel and clients seeking aid with cybersecurity.
