Technology touches nearly every aspect of business. As new threats continue to emerge and threat actors grow in sophistication, mitigating cyber risk and building cyber resilience are ongoing challenges for businesses of all sizes. During Cyber Security Awareness Month, Aon will be highlighting four key elements within the cyber resilience journey – assess, mitigate, transfer and recover.
Global Cyber Leader Christian Hoffman and Cyber Chief Trust Officer Kate Kuehn begin the month by looking at how organizations can work to build strong cyber security practices — which can help build overall operational cyber resilience:
Christian Hoffman: Cyber risk is business risk, first and foremost – therefore it is essential for risk buyers and chief information security officers (CISOs) to have a solid relationship with their boards and the C-suite and understand how their company’s business initiatives tie back to cyber security.
That said, cyber security is no longer simply a point-in-time exercise — businesses need a model that reevaluates their cyber posture on a continuous basis.
That’s because cyber evolves quickly, often faster than other risk exposures a business faces. Threat actors continue to enhance their tactics and businesses are encouraged to create a resilient structure for the best possible defense, and then continuously reevaluate it.
Kate Kuehn: Let’s take the ransomware threat as an example. After five quarters of declining frequency in late 2021 and 2022, ransomware attacks rebounded in the first six months of 2023 with a 176 percent frequency increase, according to Aon data. We’re seeing many circumstances that may have caused that lull, but the risk was always present, and threat actors continue to figure out new attack methods. It was critical that businesses didn’t think that the risk was mitigated because it is back.
Artificial intelligence is also being used to automate attacks, scan surfaces, and generate realistic-looking phishing content. AI has helped threat actors innovate and develop new attack strategies, enabling many of them to stay a step ahead of cyber defense strategies.
Kate: You’re right that the journey does not end. The cyber resilience journey has a financial component from a risk transfer perspective, a technical component, a human component and there is also a compliance or regulatory component. You must consider all four when looking at the journey holistically and realize that, given the non-static nature of business, there will never be a beginning and end to resilience.
Resilience can be achieved through actions that include linear thinking – starting with assessing and identifying where risk lives within your organization and its cyber impact. And then taking proactive steps to mitigate that risk. That’s where leveraging brokers and security controls to understand what a mature security posture can look like helps you go from assessing and identifying risk to actually creating risk transfer solutions like cyber insurance. And then making sure you have a holistic program in place and also pre-planning to be ready for when things go wrong.
Christian: Cyber resilience also needs to be looked at from a holistic view of compliance, and whether you are doing the things to help ensure that your organization is not only cyber mature but also aware of regulatory and external pressures and artificial intelligence and how they're going to be impacting both opportunities for digital disruption within your industry and from a cyber perspective.
From a risk transfer perspective, applying scenario-based financial modeling and applying that to building an insurance program that is bespoke to a particular organization, including the risks it has, the industry it is in, and the challenges it faces. Then ultimately, you’re using all that information to build an informed risk program, including transfer, retention, captives, etc.
Christian: Sure, and it is important to note that organizations may start at any of the four points depending on where they are in their current cyber security journey:
Kate: People remain the easiest target and also the best defense in cyber security. We are all too often the simplest way for an attacker to gain access to systems and networks, but we are also the first line of defense in identifying suspicious activity that can lead to a breach. As a result, cyber security first and foremost has always been about people, and that is even more important now that we are in an extended hybrid work environment.
Nearly half of all compromises are due to human error: employees clicking on a link in a phishing email, reacting to a business email compromise message that falsely comes from an executive, and more. Training and creating a culture around cyber preparedness is incredibly important. HR leaders should be brought onboard to reinforce the importance of periodic training, and support frequent, clear communications.
Christian: A key component of cyber defense is to create a top-down culture of compliance throughout the organization, inclusive of cyber security, working across all human resources specialties including onboarding, learning and development and change management. Every person in an organization must have an awareness and understanding of the role they play in the company – cyber culture is often one of the best lines of defense for an organization.
Make sure it is known that the organization takes security seriously and has a zero-tolerance policy on breaches of compliance and security protocols. Cyber security is about protecting the greater good. The end goal is to build a resiliency model where people approach cyber security in their everyday lives – both personally and in the business.
Kate: The reality is that artificial intelligence has been around for more than 50 years, and the opportunities we see to enhance digital innovation and digital disruption are now being realized across many organizations, though many have been in production for over a decade. Whether it's helping prevent data leaks, make decisions, or supporting things like precision agriculture, autonomous vehicles, or helping relieve traffic congestion, AI is here to stay. And we're seeing a major shift in how we're leveraging AI from traditional machine learning to rapid advancements around generative AI and Natural Language Processing.
However, as we continue to innovate with all types of AI, so do the threat actors. They are leveraging it as well to look for vulnerabilities and exploitations in code, to automate attacks, generate authentic-looking phishing content, to break passwords more quickly, and more. There are two sides to the coin.
If companies don't start adopting more holistic methodologies around AI and how they approach looking at opportunities and risks from a cyber perspective, they may find they're going to miss the boat because many of our adversaries already are there.
Christian: It’s important that we demystify AI and teach people about its evolving human threats to us. Meaning, we must understand how AI impacts human psychology and exploits human behavior, which in turn can further heighten the security risk.
That’s why teaching people – professionally and personally – to think about resiliency and the steps that must be taken is so key. Every time someone sits behind a computer they should be thinking about cyber resilience as a way of life.
As AI continues to become more mainstream, I also want to stress the importance of establishing business governance practice with the policies, procedures and controls to help ensure that AI models are developed in compliance with regulatory and ethical standards.
General Disclaimer
This document is not intended to address any specific situation or to provide legal, regulatory, financial, or other advice. While care has been taken in the production of this document, Aon does not warrant, represent or guarantee the accuracy, adequacy, completeness or fitness for any purpose of the document or any part of it and can accept no liability for any loss incurred in any way by any person who may rely on it. Any recipient shall be responsible for the use to which it puts this document. This document has been compiled using information available to us up to its date of publication and is subject to any qualifications made in the document.
Terms of Use
The contents herein may not be reproduced, reused, reprinted or redistributed without the expressed written consent of Aon, unless otherwise authorized by Aon. To use information contained herein, please write to our team.