Tag Archives: wannacry

Cyber: Black Hole or Huge Opportunity?

You own a house. It burns down. Your insurer only pays out 15% of the loss.

That’s a serious case of under-insurance. You’d wonder why you bothered with insurance in the first place. In reality, massive under-insurance is very rare for conventional property fire losses. But what about cyber insurance? In 2017, the total global economic loss from cyber attacks was $1.5 trillion, according to Cambridge University Centre for Risk Studies. But only 15% of that was insured.

I chaired a panel on cyber at the Insurtech Rising conference in September. Sarah Stephens from JLT and Eelco Ouwerkerk from Aon represented the brokers; Andrew Martin from DynaRisk and Sidd Gavirneni from Zeguro represented the two cyber startups. I asked them why we are seeing such a shortfall. Are companies not interested in buying, or is the insurance market failing to deliver the protection cyber needs today? And is this an opportunity for insurtech start-ups to step in?

High demand, but not the highest priority

We’ll hit $4 billion in cyber insurance premium by the end of this year. Allianz has predicted $20 billion by 2025. And most industry commentators believe 30% to 40% annual growth will continue for the next few years.

A line of business growing at more than 30% per year, with combined ratios around 60%, at a time when insurers are struggling to find new sources of income is not to be sniffed at.

But the risks are getting bigger. My panelists had no problem rattling off new threats to be concerned with as we look ahead to 2019: cryptocurrency hacks, increasing use of cloud, ransomware, GDPR, greater connectivity through sensors, driverless cars, even blockchain itself could be vulnerable. Each technical innovation represents a new threat vector. Cyber insurance is growing, but so is the gap between economic and insured loss.

The demand is there, but there are a lot of competing priorities. Today’s premiums represent less than 0.1% of the $4.8 trillion global property/casualty market. Let’s try to put that in context. If the ratio of premium between cyber and all other insurance was the same as the ratio of time spent thinking about cyber and other types of risk, how long would a risk manager allocate to cyber risk? Even someone thinking about insurance all day, every day for a full working year would spend less than seven minutes a month on cyber.

It’s not because we are unaware of the risks. Cyber is one of the few classes of insurance that can affect everyone. The NotPetya attack, launched in June 2017, had caused $2.7 billion of insured loss by May 2018, according to PCS, and losses continue to rise. That makes it the sixth largest catastrophe loss of 2017, a year with major hurricanes and wildfires. Yet the NotPetya event is rarely mentioned as an insurance catastrophe and appears to have had no impact on availability of cover or terms. Rates are even reported to be declining significantly this year.

See also: How Insurtech Boosts Cyber Risk  

Large corporates are motivated buyers. They have an appetite for far greater coverage than limits that cap out at $500 million. Less than 40% of SMEs in the U.S. and U.K. had cyber insurance at the end of 2017, but that is far greater penetration than five years ago. The insurance market has an excess of capital to deploy. As the tools evolve, insurance limits will increase. Greater limits mean more premium, which in turn create more revenue to justify higher fees for licensing new cyber tools. Everyone wins.

Maybe.

Growing cyber insurance coverage is core to the strategy of many of the largest insurers.

Cyber cover has been available since at least 2004. Some of the major insurers have had an appetite for providing it for a decade or more. AIG is the largest writer, with more than 20% of the market. Chubb, Axis, XL Catlin and Lloyd’s insurer Beazley entered the market early and continue to increase their exposure to cyber insurance. Munich Re has declared that it wants to write 10% of the cyber insurance market by 2020 (when it estimates premium will be $8 billion to $10 billion). All of these companies are partnering with established experts in cyber risk, and with start-ups, buying third-party analytics and data. Some, such as Munich Re, also offer underwriting capacity to MGAs specializing in cyber.

The major brokers are building up their own skills, too. Aon acquired Stroz Friedberg in 2016. Both Guy Carpenter and JLT announced relationships earlier this year with CyberCube, the cyber modeling company spun out of Symantec. Not every major insurer is a cyber enthusiast. Swiss Re CEO Christian Mumenthaler declared that the company would stay underweight in its cyber coverage. But most insurers are realizing they need to be active in this market. According to Fitch, 75 insurers wrote more than $1 million each of annual cyber premiums last year.

But are the analytics keeping up?

Despite the existence of cyber analytic tools, part of the problem is that demand for insurance is constrained by the extent to which even the most credible tools can measure and manage the risk. Insurers are rightly cautious, and some skeptical, as to the extent to which data and analytics can be used to price cyber insurance. The inherent uncertainties of any model are compounded by a risk that is rapidly evolving, driven by motivated “threat actors” continually probing for weaknesses.

The biggest barrier to growth is the ability to confidently diversify cyber insurance exposures. Most insurers, and all reinsurers, can offer conventional insurance at scale because they expect losses to come from only a small part of their portfolio. Notwithstanding the occasional wildfire, fire risks tend to be spread out in time and geography, and losses are largely predictable year to year. Natural catastrophes such as hurricanes or floods can create unpredictable and large local concentrations of loss but are limited to well-known regions. Major losses can be offset with reinsurance.

Cyber crosses all boundaries. In today’s highly connected world, corporate and country boundaries offer few barriers to a determined and malicious assailant. The largest cyber writers understand the risk for potential contagion across their books. They are among the biggest supporters of the new tools and analytics that help understand and manage their cyber risk accumulation.

What about insurtech?

Insurer, investor or startup – everyone today is looking for the products that have the potential to achieve breakout growth. Established insurers want new solutions to new problems; investment funds are under pressure to deploy their capital. A handful of new companies are emerging, either to offer insurers cyber analytics or to sell cyber insurance themselves. Some want to do both. But is this sufficient?

The SME sector is becoming fertile ground for MGAs and brokers starting up or refocusing their offerings. But with such a huge, untapped market (85% of loss not insured), why aren’t cyber startups dominating the insurtech scene by now? The number of insurtech companies offering credible analytics for cyber seems disproportionately small relative to the opportunity and growth potential. Do we really need another startup offering insurance for flight cancellation, bicycle insurance or mobile phone damage?

While the opportunity for insurtech startups is clear, this is a tough area to succeed in. Building an industrial-strength cyber model is hard. Convincing an insurer to make multimillion-dollar bets on the basis of what the model says is even more difficult. Not everyone is going to be a winner. Some of the companies emerging in this space are already struggling to make sustainable commercial progress. Cyber risk modeler Cyence roared out from stealth mode fueled by $40 million of VC funding in September 2016 and was acquired by Guidewire a year later for $265 million. Today, the company appears to be struggling to deliver on its early promises, with rumors of clients returning the product and changes in key personnel.

The silent threat

The market for cyber is not just growing vertically. There is the potential for major horizontal growth, too. Cyber risks affect the mainstream insurance markets, and this gives another source of threat, but also opportunity.

Most of the focus on cyber insurance has been on the affirmative cover – situations where cyber is explicitly written, often as a result of being excluded from conventional contracts. Losses can also come from “silent cyber,” the damage to physical assets triggered by an attack that would be covered under a conventional policy where cyber exclusions are not explicit. Silent cyber losses could be massive. In 2015, the Cambridge Risk Centre worked with Lloyd’s to model a power shutdown of the U.S. Northeast caused by an attack on power generators. The center estimated a minimum of $243 billion economic loss and $24 billion in insured loss.

In the current market conditions, cyber can be difficult to exclude from more traditional coverage such as property fire policies, or may just be overlooked. So far, there have been only a handful of small reported losses attributed to silent cyber. But now regulators are starting to ask companies to account for how they manage their silent cyber exposures. It’s on the future list of product features for some of the existing models. Helping companies address regulatory demands is an area worth exploring for startups in any industry.

See also: Breaking Down Silos on Cyber Risk  

Ultimately, we don’t yet care enough

We all know cyber risk exists. Intuitively, we understand an attack on our technology could be bad for us. Yet, despite the level of reported losses, few of us have personally, or professionally, experienced a disabling attack. The well-publicized attacks on large, familiar corporations, including, most recently, British Airways, have mostly affected only single companies. Data breach has been by far the most common type of loss. No one company has yet been completely locked out of its computer systems. WannaCry and NotPetya were unusual in targeting multiple organizations, with far more aggressive attacks that disabled systems, but on a very localized basis.

So, most of us underestimate both the risk (how likely), and the severity (how bad) of a cyber attack in our own lives. We are not as diligent as we should be in managing our passwords or implementing basic cyber hygiene. We, too, spend less than seven minutes a month thinking about our cyber risk.

This lack of deep fear about the cyber threat (some may call it complacency) goes further than increasing our own vulnerabilities. It is also the reason we have more startups offering new ways to underwrite bicycles than we do companies with credible analytics for cyber.

Rationally, we know the risk exists and could be debilitating. Emotionally, our lack of personal experience means that cyber remains “interesting” but not “compelling” either as an investment or startup choice.

Getting involved

So, let’s not beat up the incumbents again. Insurance has a slow pulse rate. Change is geared around an annual cycle of renewals. It evolves, but slowly. Insurers want to write more cyber risk, but not blindly. The growth of the market relies on the tools to measure and manage the risk. The emergence of a new breed of technology companies, such as CyberCube, that combine deep domain knowledge in cyber analytics with an understanding of insurance and catastrophe modeling, is setting the standard for new entrants.

Managing cyber risk will become an increasingly important part of our lives. It’s not easy, and there are few shortcuts, but there are still plenty of opportunities to get involved helping to manage, measure and insure the risk. When (not if) a true cyber mega-catastrophe does happen, attitudes will change rapidly. Those already in the market, whether as investors, startups or forward thinking insurers, will be best-positioned to meet the urgent need for increased risk mitigation and insurance.

Breaking Down Silos on Cyber Risk

The cyber attacks in the past year spread with startling frequency and intensity and demonstrated that cyber risk is not only a concern for organizations holding sensitive or regulated data, but also a material threat to businesses across all industries. The WannaCry and NotPetya attacks, for example, resulted in large-scale interruptions to global commerce, with companies reporting significant losses in sales caused by business disruption. Far-reaching regulations such as the EU’s General Data Protection Regulation (GDPR) open up businesses to large potential fines and consumer class action suits. The cost of cyber crime keeps rising, with data breaches predicted to cost businesses a total of $8 trillion over the next four years, exceeding worldwide IT security spending, which is expected to be upward of $120 billion by 2021. In this climate, executive teams must urgently stop thinking about cyber risk as an IT issue and lead a shift to managing its impact across the entire organization.

Companies’ cyber exposure has dramatically increased beyond the risks to their data and intellectual property (IP), exacerbated by the convergence of the physical and digital worlds. To drive efficiencies, organizations are bringing processes and infrastructure online, for example through connected grid systems, supervisory control and data acquisition (SCADA) and industrial control systems (ICS). At the same time, the need to innovate and compete drives businesses to introduce an ever-increasing number of endpoints, significantly expanding the cyber attack surface – whether through a retail bank’s mobile app, a manufacturer’s connected cars, or even office equipment like printers and employee devices. Every change in a company, be it an M&A transaction, working with a contractor, introducing new software or moving data to the cloud, affects the company’s cyber risk posture. Securing this shifting target requires a holistic view of how the activities of all departments affect the company’s exposure.

See also: How to Manage Claims Across Silos

One of the core business challenges hampering executives’ ability to look at the impact of cyber risk beyond individual silos is that members of the C-suite are not collaborating effectively over this issue. Every executive has a different lens on how to view, assess and manage cyber risk: The general counsel, for example, will be focused on compliance with information security regulations and disclosure requirements; the chief information security officer (CISO) and chief information officer (CIO) implement technical controls and remediation efforts; the chief risk officer (CRO) and chief financial officer (CFO) will be quantifying the financial exposure to cyber risk and mitigating it through insurance; product developers may view security as a roadblock to meeting product launch deadlines; and human resources (HR) will institute internal training for employees. Multiple parallel work streams like these exist in silos, rarely with any common framework for taking an integrated view.

The fragmented cybersecurity market reinforces these challenges, as organizations work with multiple providers for different elements of their security needs. For example, a company may contract with an incident response provider for post-breach services, separate external experts on assessments or penetration testing exercises and a separate insurance broker to assess the implications of cyber risk from a balance sheet perspective. Multiple providers such as these are working with different internal stakeholders, who aren’t effectively communicating with each other, exacerbating the ineffectiveness of the approach.

As companies wake up to the impact that cyber risk can have on their business, C-suites in mature companies will break down organizational silos to create a holistic view of their risk exposure. CROs and CISOs will work collaboratively with others across the C-suite, including IT, legal teams, HR and finance, to understand how technical vulnerability affects financial exposures and potential risk scenarios. This will happen in sectors beyond the early adopters in financial services, healthcare and retail. As an example, a shipping firm will assess how cyber risk affects physical operations and revenue-generating activities, such as tankers being remotely diverted by hacked GPS systems, or look at the potential benefits of smart contracts and blockchain technologies with regard to tracking goods and inventory and verifying manifests.

To support more coordination and informed decisions within organizations around their cyber risk management, they need a technology platform such as the one Aon Cyber Solutions is building to provide a single point of visibility into all aspects of an enterprise’s cyber risk profile, across all C-suite functions. The platform will enable companies to conduct cyber risk assessments, dynamically quantify risk across multiple dimensions, optimize efforts to remediate risk and reduce the organization’s overall risk posture. Executives can leverage quantitative information in real time to model security plans and budgets, as well as receive recommendations as the threat landscape evolves and requires new insurance options. Bringing together all the elements that affect cyber maturity across the organization through a centralized portal view enables anyone in the C-suite – whether it’s the chief executive looking for a high-level view, or the CFO or CRO prioritizing investment decisions, or the CISO examining the remediation activity – to have a more holistic understanding of how the activity within their function affects the company’s cyber exposure as a whole.

See also: How to Link Risk and Strategy  

The industry needs to collaborate to drive this holistic approach. For our part, Aon has teamed up with Apple, Cisco and Allianz. This combined solution helps protect a wider range of companies from cyber breaches associated with ransomware and other malware-related threats. Customers who deploy Apple devices and software and Cisco cybersecurity products, such as Cisco Ransomware Defense, and who conduct Aon’s Cyber Resilience Evaluation, will be eligible to apply for enhanced cyber insurance coverage through Allianz, beyond what is available in existing cyber insurance products. In addition, companies can take advantage of access to Cisco’s or Aon’s industry-leading incident response teams, should an incident occur.

Through these and other innovative solutions, Aon Cyber Solutions is focused on helping companies eliminate the silos that typically hamper effective cyber risk management. This is an urgently needed shift in thinking throughout a currently fragmented industry, so that clients can manage their evolving cyber risk exposure in a digital, connected and regulated world.

How to Immunize Against Cyber Attacks

Cyber-attacks show no signs of abating. In fact, destructive threats such as ransomware and other malware have now become mainstream. Enterprises have no option but to treat cyber-attacks as a fact of life, and to make their systems as resilient to them as possible.

The State of Cyber Attacks

Cyber-attacks grow in magnitude and scale with every passing day. A case in point is the WannaCry ransomware, which wreaked havoc on more than 200,000 systems across 150 countries in May 2017. This attack, the largest ransomware campaign to date, held up everything from surgical operations to public information displays, and from government services to corporate work. And WannaCry is just one example: U.S. government estimates put the rate at more than 4,000 ransomware attacks per day since the start of 2016.

Ransomware damages will touch $5 billion by the end of 2017, a 15X increase from the damage levels just two years ago!

Most data-encrypting ransomware is socially engineered malware: the attackers trick unsuspecting victims into installing the Trojan horse themselves. They may:

  • Compromise an otherwise trusted site temporarily, to serve a malicious download link.
  • Send a rogue friend request or application-install prompt through mainstream social media.

The innovation of the payloads is matched only by the ingenuity of the ways they are delivered. WannaCry was the exception, as discussed under patch management below: once inside a network it needed no victim to click anything to move from machine to machine.

Close on the heels of socially engineered malware are password phishing attacks. A good proportion of unsolicited emails try to pry login credentials out of unwary account holders. Despite the best anti-spam software, good phishing replicas of legitimate emails slip through. All it takes is a single careless employee for the attackers to gain a foothold in the corporate network.

Countermeasures

Defenders have been fighting a losing battle against cyber attackers for many years now.

Traditional security approaches, such as firewalls and antivirus suites, are now inadequate to protect against the entire gamut of attacks. Many enterprises realize this fact and now invest heavily in security. Gartner estimates information security spending to exceed $86.4 billion in 2017. However, many enterprises go after the latest tools and technologies, while neglecting the basics.

See also: Quest for Reliable Cyber Security  

Time-tested basic security hygiene is the foundation of any countermeasure against cyber threats. The basics include:

  • Installing advanced anti-malware suites
  • Regularly patching and updating key software
  • Regular, tested data backups
  • Controlled access to resources within the network
  • An enterprise-wide allowlist (whitelist) of authorized applications and software
  • Strong two-factor authentication (2FA) using smartcards, biometrics or one-time passwords; of these, OTP delivered by SMS is the weakest, because it can be intercepted through SIM swapping or the telephone network, and NIST SP 800-63B now classes it as a restricted authenticator.

Another key component of basic security hygiene is training users on safe browsing. The ideal end-user education is ongoing: it covers the latest threats and makes employees aware of what to do in the face of various eventualities.

However, all these basics serve only as a foundation on which to construct sound security architecture for the enterprise. These basics alone are no longer effective in keeping cyber criminals at bay.

Patch Management: Vital for online security

Worm-capable malware such as WannaCry spreads across the organizational network without any user interaction, by exploiting latent vulnerabilities in the operating system or application software. Browser add-ons and document readers such as Adobe Reader are especially rife with vulnerabilities, and attackers exploit them at will. In WannaCry’s case, the malware used “EternalBlue,” an exploit for a known flaw in Windows SMBv1 that Microsoft had already fixed in security bulletin MS17-010 two months before the outbreak; every machine WannaCry infected was one where that patch had not been applied.

Software vendors and cyber criminals are locked in a never-ending race. Cyber criminals are always looking to unearth new vulnerabilities; the “good guys” try to identify them first. Either way, the vendor releases a patch once the vulnerability becomes known, and from that moment the patch itself tells attackers where to look.

But it is rare to find any enterprise with perfectly patched software. Enterprises delay installing patches even when one is available, for reasons such as:

  • Operational constraints and exigencies, including systems that cannot be rebooted outside a maintenance window
  • Concerns that a newly patched version will contain other bugs, rendering the system unstable

The delay is the exposure: in WannaCry’s case the window between the MS17-010 patch and mass exploitation was 59 days.
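As an added example that is not part of the original article, the Python below puts numbers on that gap. It takes a constructed host inventory, the real release date of MS17-010 (14 March 2017, the fix for the SMBv1 flaw that EternalBlue exploits) and the date WannaCry broke out (12 May 2017), together with an assumed per-criticality patch SLA, and lists every host whose exposure window exceeded its SLA, worst first. Hostnames, patch dates and the SLA values are made up for the demonstration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Real dates: Microsoft released MS17-010 on 2017-03-14; WannaCry's first
# large-scale spread was on 2017-05-12.
MS17_010_RELEASED = date(2017, 3, 14)
WANNACRY_OUTBREAK = date(2017, 5, 12)

# Assumed patch SLA in days by asset criticality (a policy choice, not a standard).
SLA_DAYS = {"critical": 7, "high": 14, "medium": 30, "low": 60}


@dataclass
class Host:
    name: str
    criticality: str
    patched_on: Optional[date]  # None = patch never installed


def exposure_days(host: Host, released: date, as_of: date) -> int:
    """Days the host was exposed between patch release and install (or `as_of`)."""
    end = host.patched_on if host.patched_on and host.patched_on <= as_of else as_of
    return max(0, (end - released).days)


def sla_breaches(hosts, released=MS17_010_RELEASED, as_of=WANNACRY_OUTBREAK):
    """Return hosts whose exposure window exceeded their SLA, most critical first."""
    findings = []
    for h in hosts:
        days = exposure_days(h, released, as_of)
        limit = SLA_DAYS[h.criticality]
        if days > limit:
            findings.append({
                "host": h.name,
                "criticality": h.criticality,
                "exposed_days": days,
                "sla_days": limit,
                "still_unpatched": h.patched_on is None or h.patched_on > as_of,
            })
    order = {"critical": 0, "high": 1, "medium": 2, "low": 3}
    return sorted(findings, key=lambda f: (order[f["criticality"]], -f["exposed_days"]))


# Constructed inventory for the demonstration (hypothetical hosts).
INVENTORY = [
    Host("dc01", "critical", date(2017, 3, 20)),   # patched in 6 days: within SLA
    Host("fileserver02", "critical", None),        # never patched
    Host("hr-app", "high", date(2017, 4, 30)),     # 47 days: breach
    Host("kiosk-07", "low", None),                 # 59 days at outbreak: inside 60-day SLA
    Host("lab-pc", "medium", date(2017, 6, 1)),    # patched only after the outbreak
]

if __name__ == "__main__":
    for finding in sla_breaches(INVENTORY):
        print(finding)
```

Run against a real inventory, the same report tells a risk manager which assets were open on the day an exploit went public, which is the question an underwriter will ask after the fact.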

Continuous Monitoring: Around-the-clock network checks

Today’s cyber criminals are sophisticated, and the attacks they launch are unpredictable.

Enterprises would do well to ensure continuous monitoring of the network environment. They would also do well to manage the implemented security controls on a proactive basis.

An effective network monitoring system offers end-to-end visibility of the network traffic. It:

  • Understands legitimate traffic patterns in the network, and issues prompt alerts when discovering unexpected traffic flows.
  • Triggers automated responses, such as isolating an affected host or blocking the user, on detecting anomalies. Automated responses should be scoped narrowly: shutting down a whole network is itself an outage, and an attacker who learns the trigger can use it against you.
  • Integrates threat intelligence capabilities, aggregating threat information from multiple sources.
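As an added example of the first two capabilities, not from the article, the Python below runs a simple baseline-and-alert rule over constructed connection records: if one source opens SMB (TCP/445) connections to more than a threshold number of distinct hosts inside a short window, it raises an alert for that source. That fan-out is what a network worm such as WannaCry produces when it scans its neighbors, and it is exactly the kind of unexpected flow a monitor should catch. Addresses, timestamps and the threshold are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed connection records: "<iso time> <src> <dst> <dst port>".
# Workstations quietly talking to one file server, then one host fanning out
# over SMB to many peers within seconds, the pattern an SMB worm produces.
FLOW_LOG = """\
2017-05-12T10:00:01 10.0.1.21 10.0.1.5 445
2017-05-12T10:00:07 10.0.1.22 10.0.1.5 445
2017-05-12T10:00:15 10.0.1.21 10.0.1.5 445
2017-05-12T10:00:40 10.0.1.23 10.0.1.5 445
2017-05-12T10:01:02 10.0.1.21 10.0.1.9 443
2017-05-12T10:03:00 10.0.1.22 10.0.1.30 445
2017-05-12T10:03:01 10.0.1.22 10.0.1.31 445
2017-05-12T10:03:01 10.0.1.22 10.0.1.32 445
2017-05-12T10:03:02 10.0.1.22 10.0.1.33 445
2017-05-12T10:03:02 10.0.1.22 10.0.1.34 445
2017-05-12T10:03:03 10.0.1.22 10.0.1.35 445
2017-05-12T10:03:04 10.0.1.22 10.0.1.36 445
"""


def parse(log):
    """Yield (timestamp, src, dst, dport) for each record."""
    for line in log.splitlines():
        ts, src, dst, port = line.split()
        yield datetime.fromisoformat(ts), src, dst, int(port)


def detect_smb_fanout(log, window=timedelta(minutes=1), threshold=5, port=445):
    """Alert when one source reaches more than `threshold` distinct hosts on
    `port` within `window`. Returns one alert per source, raised the first time
    the threshold is crossed, with the targets seen in that window."""
    recent = defaultdict(deque)   # src -> (time, dst) pairs still inside the window
    alerts = {}
    for ts, src, dst, dport in parse(log):
        if dport != port:
            continue
        q = recent[src]
        q.append((ts, dst))
        while q and ts - q[0][0] > window:   # slide the window forward
            q.popleft()
        distinct = {d for _, d in q}
        if len(distinct) > threshold and src not in alerts:
            alerts[src] = {
                "time": ts.isoformat(),
                "distinct_targets": len(distinct),
                "targets": sorted(distinct),
            }
    return alerts


if __name__ == "__main__":
    for src, alert in detect_smb_fanout(FLOW_LOG).items():
        print(src, alert)
```

In production the threshold comes from the learned baseline (the normal number of SMB peers per host, which for most workstations is a handful), and the alert would feed the response step: isolate 10.0.1.22 at the switch port, not the whole segment.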

Large enterprises could consider setting up an in-house security operations center, with robust incident response capabilities. Smaller firms could consider enlisting the services of a managed security services provider, to monitor their network and respond to incidents in real-time. Either way, proactive network monitoring is essential to keep the network safe.

See also: Paradigm Shift on Cyber Security  

Security Assessment: Third party independent security reviews

Network security does not work in isolation. An effective security set-up offers tight integration, without leaving any loose ends. Enterprises would do well to conduct a thorough security audit to ensure such a state.

A sound and comprehensive review compares the existing state of cybersecurity with best practice, in terms of:

  • The integration of basic and advanced controls into the security architecture
  • Integration of the existing security environment with the business and IT vision
  • How the security framework uses current techniques, such as machine learning, behavior analysis and threat modeling, to detect and mitigate identified threats
  • The scalability of the security architecture to defend against future threats
  • The preparedness of the architecture to deliver intelligent and flexible responses

The state of cybersecurity is fluid. Enterprises need to adopt an adaptive and evolving approach to security. They need to re-evaluate security processes, practices, policies, platforms and tools on a regular basis.

With cybercrime damage estimated to touch $6 trillion annually by 2021, the stakes have never been higher.

What if You Had a Cyber Risk Score?

There have been three major global cyberattacks in the last six months. These attacks have caused extensive system damage and monetary loss. Some companies affected remain crippled weeks or months after the attack. Will this rate of “one every other month” continue? Nobody knows, of course. But, as a recent Wall Street Journal op-ed suggests, ransomware will remain the dominant attack method of choice, and the problem “isn’t going anywhere.” The article claims that “cybercriminals launch hundreds of millions of attacks daily across the globe, and recent studies have found that as many as 60% involve ransomware.” Why? Because they are easy, and they work.

Without a robustly secured network, it is impossible for most entities to withstand a targeted or random cyberattack. So most companies, big or small, enlist the help of third-party vendors, which supply a multitude of software products, modules or platforms to keep cybercriminals from exploiting vulnerabilities. But, because nothing is fail-safe, companies must still consider buying insurance to protect against the staggering potential loss that a global cyberattack can cause.

See also: Why Buy Cyber and Privacy Liability. . .  

Cyber is no different from other risks that an organization could be exposed to (e.g., fire, burglary, flooding, power failure, strikes and liability issues). Businesses have to consider insurance against cyber-attacks and the relating financial consequences. This kind of insurance policy is known as Cyber Liability Insurance Coverage, or CLIC. With the estimated annual costs to the global economy from cybercrime estimated between $375 billion and $575 billion in 2014 alone and the average cost of a corporate data breach at more than $3 million per incident, it is understandable why cyber insurance is catching on.

Still, there seems to be a lot of room for error, rounding or otherwise, in a market where U.S. insurers wrote approximately $1.3 billion in cyber coverage last year. This is expected to reach $14 billion by 2022. Industry data shows insurance premiums could range from $800 to $1,200 for SMEs/SMBs with revenues of $100,000 to $500,000 (on the low end) to more than $100,000 for SMEs/SMBs with revenues in the millions. Allianz SE, the largest insurer in the world, expects these premiums to skyrocket by 2025. Furthermore, the Insurance Information Institute estimates that the third-largest risk for companies worldwide is cybercrime, not least because of attacks such as WannaCry and Petya/NotPetya.

As it stands right now, insurance companies have limited resources to address the growing number of CLIC applicants. There are the obvious factors that come into play when calculating an insurance premium: the nature of the business, the vulnerability (attractiveness for cyber crooks) of the data, the size of the company and the amount of revenues, etc. But pinpointing the exact risk is still evolving. Currently, insurers mostly rely on questionnaires or third-party onsite assessments to estimate the cybersecurity posture of applicants, which is time-consuming and expensive. Because this branch of insurance is not mature enough, there is a lack of specialized and qualified personnel that have the experience and expertise to perform cyber risk assessments. In many cases, the onsite assessments are conducted by junior staff members of the insurer and junior security consultants using non-standardized methods.

My guess is that insurance companies still don’t know exactly what they are insuring and what to charge, because there are still inefficiencies in the market. There are conflicting definitions of what exactly makes a system “secure” and what constitutes a threatening vulnerability that must be decided upon. Knowledge still has to be gained to determine how to manage risk. Most insurance companies are large enough to have a staff of security officers and to use third-party vendors to protect themselves from cyber vulnerabilities. But what to do about assessing insurance candidates?

The good news is that progress is being made in using advanced simulation to assess the attack vectors in use today. The value of such a CLIC assessment would derive from being able to put an aggregate “risk score” on an insurance candidate. The score would be built on established, accepted risk-scoring methods such as NIST’s frameworks, CVSS v3 and DREAD, with the caveat that CVSS rates a single vulnerability, so the way many findings are rolled up into one applicant score is where the judgment lies. It would be provided to each applicant based on the results of a simulated assessment of its network, testing all its security controls.

See also: How Data Breaches Affect More Than Cyberliability  

The value from such technology comes from insurers being able to know within a few hours if they should provide coverage to an applicant based on demonstrated risk, how much coverage to provide the applicant without putting the insurers at risk and how much in premiums to charge based on an accepted risk score provided after the assessment. Providing a uniform score for cyber insurance applicants reduces the exposure level for insurers, possibly saving millions of dollars and could even lead to revenue growth by raising premium prices to match the risk level.

How to Anticipate Cyber Surprises

The WannaCry attack, the biggest ransomware attack in history, is not over. It has had an impact on companies in at least 150 countries, leaving organizations around the world wondering if they might be affected by subsequent waves.

It’s critical to keep in mind that effective mitigation of ransomware (and similar) attacks is accomplished with good governance and risk management, not with the acquisition of expensive security solutions.

Detecting and mitigating risks effectively requires an integrated approach. It requires understanding the dependencies and overlapping activities between entities or departments.

See also: Quest for Reliable Cyber Security  

Technology necessary for a robust cybersecurity program already exists in most organizations. The missing piece — strong governance — is the key to putting internal policies into practice and maximizing the effectiveness of existing technology.

With that in mind, there are a few fundamental steps organizations should take. Enterprise-wide risk management procedures must be used to automate the assessment and monitoring of these processes. Timeliness and frequency are key to sustaining protection. The creation of corporate policies does not assure that those policies are followed equally across business areas out to the front lines. In fact, without enterprise risk management, they rarely are.

Back up data; use patches

The first step is to make sure off-site backups are kept up to date, and that at least one copy is offline or otherwise unreachable from the production network, since ransomware encrypts any backup share it can reach. Automatic notifications should alert the security team at preset intervals, reminding them to verify that data is fully backed up at an off-site location and that a restore from it actually works. It’s critical to use a risk-based approach to prioritize which data needs monitoring and testing.

Once data has been protected, companies should ensure approved patches are implemented. Although most organizations have approval procedures to force implementation, inconsistency causes massive, preventable vulnerabilities. Without risk-based monitoring, critical assets are left unprotected as priorities interfere with one another.

Virus detection software is typically reviewed and updated in a similar manner. Security teams need the guidance of centralized governance so they can monitor systems effectively.

Limit access

Managing access rights — which can be achieved by first implementing internal password policies and asset management — is critical when minimizing cyber exposure. The “principle of least privilege,” by which the company grants employees only the access rights they need to perform their job responsibilities, is particularly important. This also should apply to vendors and other third parties. Conceptually this is simple, but, in practice, a risk-based approach is needed to connect process owners to the security team. This is where most access rights programs fail.

Automated monitoring also should be applied to company virtual private networks. VPNs are important tools that sustain security and access, but if they are not managed correctly and don’t time out according to a preset timeframe, they create vulnerabilities that can be exploited. Once again, vendors should be held to similar standards.

Business continuity and disaster recovery (BC/DR) plans, much like data backups, must be tested (and optimized) at regular intervals. If a company has a plan in place but does not regularly test its ability to implement a “clean recovery,” it’s highly unlikely it will get back on its feet after an attack within the required time period.

Keep recovery time short

Centralized risk management allows subject-matter experts to assess each device, application and data store. Recovery time objectives (RTOs) measure how long business objectives can be met without a particular asset. The security team, after receiving automatic notifications, should test to ensure the clean recovery timeframe is smaller than the shortest RTO.
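The backup and recovery steps above can be turned into a check that runs on a schedule. As an added example (not from the article or from ThirdCertainty), the Python below takes a constructed asset register with each asset’s RTO, backup policy, backup age and last measured clean-recovery time, lists the control failures ordered by RTO so the most time-critical assets come first, and implements the final test the article describes: the longest tested clean recovery must fit inside the shortest RTO. Asset names and values are made up.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Asset:
    name: str
    rto_hours: float                        # recovery time objective set by the process owner
    backup_interval_hours: float            # policy: how often a backup must complete
    last_backup_age_hours: float            # hours since the last verified off-site backup
    tested_recovery_hours: Optional[float]  # measured clean-recovery time; None = never tested


def review_asset(a: Asset):
    """Control failures for one asset as (code, detail) pairs."""
    issues = []
    if a.last_backup_age_hours > a.backup_interval_hours:
        issues.append(("backup_stale",
                       f"last backup {a.last_backup_age_hours:.0f}h ago, policy {a.backup_interval_hours:.0f}h"))
    if a.tested_recovery_hours is None:
        issues.append(("recovery_untested", "no clean-recovery test on record"))
    elif a.tested_recovery_hours > a.rto_hours:
        issues.append(("rto_missed",
                       f"recovery took {a.tested_recovery_hours:.0f}h, RTO {a.rto_hours:.0f}h"))
    return issues


def review_register(assets):
    """All findings, ordered by RTO (shortest first): the risk-based priority."""
    out = []
    for a in sorted(assets, key=lambda x: x.rto_hours):
        for code, detail in review_asset(a):
            out.append({"asset": a.name, "rto_hours": a.rto_hours, "issue": code, "detail": detail})
    return out


def recovery_fits_shortest_rto(assets) -> bool:
    """The article's closing check: the longest tested clean recovery must be
    shorter than the shortest RTO. An untested asset fails it outright."""
    tested = [a.tested_recovery_hours for a in assets if a.tested_recovery_hours is not None]
    if not assets or len(tested) != len(assets):
        return False
    return max(tested) < min(a.rto_hours for a in assets)


# Constructed register for the demonstration (hypothetical assets).
REGISTER = [
    Asset("erp-db", rto_hours=4, backup_interval_hours=1, last_backup_age_hours=0.5, tested_recovery_hours=3),
    Asset("fileserver", rto_hours=8, backup_interval_hours=24, last_backup_age_hours=36, tested_recovery_hours=12),
    Asset("hr-portal", rto_hours=24, backup_interval_hours=24, last_backup_age_hours=6, tested_recovery_hours=None),
    Asset("wiki", rto_hours=72, backup_interval_hours=168, last_backup_age_hours=100, tested_recovery_hours=10),
]

if __name__ == "__main__":
    for finding in review_register(REGISTER):
        print(finding)
    print("longest recovery fits shortest RTO:", recovery_fits_shortest_rto(REGISTER))
```

The per-asset findings are what the security team acts on; the aggregate check is the one-line answer leadership asks for, and it is deliberately strict, because an asset that has never been restored from backup has an unknown recovery time, not a short one.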

See also: 10 Cyber Security Predictions for 2017  

The steps above remove cybersecurity vulnerabilities by improving governance, not by mandating the acquisition of new IT resources. Good governance enables the operationalization of security procedures, closing the gap between senior leadership and everyday activities. A risk-based approach reduces both exposure and the cost of effective security operations.

This article originally appeared on ThirdCertainty. It was written by Steven Minsky.