4 Important Differences Between Traditional and Cyber Business Interruption Policies

When organizations face large-scale disasters or other unexpected losses, ensuring business continuity is often a top priority. Yet, various losses may make it challenging for organizations to avoid operational disruptions or temporary shutdowns. In these instances, even brief closures can carry costly consequences. Fortunately, that’s where business interruption (BI) insurance can help.

BI insurance can offer much-needed financial protection when organizations’ usual business activities are interrupted due to covered losses. This type of coverage is typically available through a few different commercial insurance policies. Traditional BI coverage can be purchased as a supplement to commercial property insurance or a business owner’s policy (BOP), whereas an alternative form of BI coverage can be secured via cyber business interruption insurance.

Nevertheless, there are several differences between traditional and cyber business interruption policies, including when they apply and what they cover. As such, organizations should be aware of these differences and better understand their overall coverage capabilities. The following article provides more details on traditional and cyber BI insurance and offers a coverage comparison between these policies.

Traditional Business Interruption Insurance

Traditional BI insurance is typically added onto a commercial property insurance policy or comprehensive insurance package, such as a BOP. This coverage generally includes financial protection for the various expenses that can arise if an organization is forced to pause its operations or temporarily close its doors due to a covered loss. Such a policy may reimburse these operating costs:  

  • Income that an organization would be earning if it were running normally
  • Commercial mortgage, rent, lease, loan and tax payments due during a disruption
  • Payroll expenses to maintain employees’ wages amid a closure
  • Relocation costs related to an organization’s move to a new or temporary location during a disruption
  • Commission and training costs stemming from an organization having to replace damaged tools or machinery amid a closure and educate workers on how to use the new equipment
  • Extra expenses that an organization reasonably incurs (beyond typical operating costs) during a disruption to help it get back up and running

Examples of covered losses under traditional BI insurance include a range of perils, such as fires, theft, vandalism and certain natural disasters. For instance, if a fire destroys the kitchen in a restaurant, this coverage may help reimburse the business for lost income and employees’ wages while it temporarily closes for repairs.

With traditional BI policies, some insurers may also offer contingent business interruption (CBI) coverage, which provides financial protection for operational disruptions caused by covered losses among suppliers and business partners. Some insurers may also provide civil authority coverage, which can help compensate expenses stemming from government-mandated business closures (e.g., a citywide curfew, local evacuation order or temporary road closure).

Cyber Business Interruption Insurance

As its name suggests, cyber BI coverage is solely available through the purchase of a standalone cyber insurance policy. This relatively new coverage offering has become increasingly common as organizations expand their digital operations and invest in various technological advancements, thus driving up their associated cyber exposures and leaving them more susceptible to disruptive attacks. Even so, not all insurers include BI coverage in their cyber policies; with this in mind, organizations should carefully review their policies for this offering rather than assume they have coverage.

Cyber BI insurance usually provides financial protection for costs stemming from an organization experiencing technology failures (e.g., system shutdowns or network outages) and related operational disruptions due to a covered loss. Such a policy may help reimburse many of the same operating costs as traditional BI coverage, including lost income, employees’ wages and extra expenses.

Examples of covered losses under cyber BI coverage include a variety of security and privacy events, such as data breaches, social engineering scams and ransomware attacks. For instance, if an online retailer’s website gets temporarily shut down due to a ransomware attack, this coverage may help compensate the business for lost profits incurred while the website is offline.

With cyber BI coverage, some insurers may also provide financial protection for digital disruptions caused by human errors (e.g., an employee accidentally downloading a harmful computer virus) or malfunctioning software (e.g., an organization’s network unexpectedly freezing during a routine system upgrade). Further, some insurers may offer cyber CBI coverage, which can help reimburse expenses arising from third-party cyber events that result in software provider shutdowns or cloud vendor outages. 

Coverage Comparison

Despite some similarities, traditional and cyber BI policies are not the same. Here’s a coverage comparison to highlight the main differences between these coverage offerings:

1) Coverage triggers—Both traditional and cyber BI policies have a waiting period, which refers to the amount of time that must pass once a loss occurs before coverage can be triggered. Under traditional BI coverage, the waiting period is typically 72 hours. With cyber BI coverage, however, this period is often shorter. Since cyber events happen quickly and are generally resolved faster than losses caused by property-related perils, the waiting period for such coverage is almost always less than 24 hours, usually between six and 12 hours.

2) Period of measurement—In the scope of BI coverage, the period of measurement pertains to the calculation of lost income caused by an operational disruption. Traditional BI policies primarily apply to commercial property losses that pause typical business activities for long periods, making it relatively easy to determine the period of measurement.

On the other hand, digital disruptions stemming from cyber losses may only last for hours or days, making it more difficult to calculate lost income correctly. To accurately determine the period of measurement and ensure sufficient reimbursement of lost income with cyber BI coverage, it’s best to collect more detailed loss data, such as hourly profit statements and sales records.  

3) Period of restoration—One key factor in determining the overall value of any BI loss is the period of restoration, which refers to the total length of an operational disruption. In most cases, the period of restoration is measured from the start date of a loss (e.g., when property damage occurs or a cyber event initially strikes) until the affected organization fully recovers and resumes normal operations (e.g., when property repairs are completed or digital assets are restored). The period of restoration is often straightforward to determine when it involves property damage, but cyber events aren’t as clear-cut. There can be far less certainty regarding when cyber events start and end, as there may be minimal physical evidence of either the damage or the recovery.

What’s more, some cyber insurers may even define the period of restoration differently than others, prompting more confusion surrounding cyber BI policies than traditional BI policies. Considering these difficulties, it may be necessary to closely review policy wording, consult forensic accountants and assess additional loss elements (e.g., how and when cyber events were detected and resolved, what technology was affected, and which operations were paused) to correctly calculate this period following digital disruptions.
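
As an added illustration of the three points above (this is not code from the article or from any insurer), the following Python script derives the period of restoration from an incident log, applies a policy waiting period, and reads lost income from hourly sales records. The baseline revenue figures, the log lines, and the 72-hour and 8-hour waiting periods are constructed assumptions modelled on the figures the article quotes, and the simplified rule "hours after the waiting period, up to restoration, count as lost income" is an assumption rather than any policy's wording.

```python
"""Cyber BI loss estimate from an incident timeline (added illustration).

Assumes a simplified policy: the waiting period is subtracted from the start
of the period of restoration, and lost income for each remaining whole hour
is read from an hourly revenue baseline. Real policy wording governs.
"""
from datetime import datetime, timedelta

# Constructed baseline: expected revenue for each hour of the day, the kind
# of figure an hourly sales record yields (busier 08:00-20:00 here).
BASELINE_HOURLY_REVENUE = {hour: (400 if 8 <= hour < 20 else 100) for hour in range(24)}

# Constructed incident log; a real one would come from the SIEM, the ticketing
# system or the incident report, and is the evidence of when the event began and ended.
SAMPLE_INCIDENT_LOG = [
    "2024-03-04T06:00:00 ALERT ransomware detected on web-01; storefront taken offline",
    "2024-03-04T09:30:00 INFO restore from last clean backup started",
    "2024-03-05T00:00:00 INFO storefront restored; transactions resumed",
]


def timeline_from_log(lines):
    """Return (detected_at, restored_at): first 'detected' entry, last 'restored' entry."""
    detected = restored = None
    for line in lines:
        stamp, _, message = line.partition(" ")
        if detected is None and "detected" in message:
            detected = datetime.fromisoformat(stamp)
        if "restored" in message:
            restored = datetime.fromisoformat(stamp)
    if detected is None or restored is None:
        raise ValueError("log does not bracket the outage")
    return detected, restored


def period_of_restoration_hours(detected_at, restored_at):
    """Total outage length in hours (the article's 'period of restoration')."""
    if restored_at < detected_at:
        raise ValueError("restoration cannot precede detection")
    return (restored_at - detected_at).total_seconds() / 3600


def covered_hours(detected_at, restored_at, waiting_period_hours):
    """Yield each whole hour of the outage that falls after the waiting period.

    A trailing partial hour is dropped; an outage shorter than the waiting
    period yields nothing, which is exactly the 72-hour vs 8-hour difference.
    """
    cursor = detected_at + timedelta(hours=waiting_period_hours)
    while cursor + timedelta(hours=1) <= restored_at:
        yield cursor
        cursor += timedelta(hours=1)


def estimated_lost_income(detected_at, restored_at, waiting_period_hours,
                          baseline=BASELINE_HOURLY_REVENUE):
    """Sum baseline revenue over the covered hours (the 'period of measurement')."""
    return sum(baseline[hour.hour]
               for hour in covered_hours(detected_at, restored_at, waiting_period_hours))


def compare_policies(log_lines):
    """Same outage under a 72-hour (traditional) and an 8-hour (cyber) waiting period."""
    detected_at, restored_at = timeline_from_log(log_lines)
    return {
        "period_of_restoration_hours": period_of_restoration_hours(detected_at, restored_at),
        "traditional_72h_waiting": estimated_lost_income(detected_at, restored_at, 72),
        "cyber_8h_waiting": estimated_lost_income(detected_at, restored_at, 8),
    }


if __name__ == "__main__":
    print(compare_policies(SAMPLE_INCIDENT_LOG))
```

For the constructed 18-hour outage the 72-hour waiting period produces no covered hours at all, while the 8-hour waiting period covers the ten hours from 14:00 to midnight. The practical lesson is in the inputs: without timestamped detection and restoration records and hourly (not monthly) revenue figures, neither number can be substantiated to an insurer.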

4) Reputational losses—When organizations encounter traditional BI losses, they usually don’t have to worry about reputational damage, as these losses generally stem from perils out of their control. Yet, with cyber BI losses, stakeholders may partially blame organizations for their involvement in cyber events, especially if these events involve a breach of confidential data or are caused by preventable security failures.

Consequently, organizations may experience prolonged profit losses due to diminished customer loyalty even after recovering from cyber events and associated digital disruptions. That’s why cyber BI policies may offer coverage for reputational losses, whereas traditional BI policies do not.


While there are a number of differences between traditional and cyber business interruption policies, both forms of coverage can prove valuable and offer significant financial protection to organizations facing operational disruptions. Organizations can consult trusted insurance professionals to learn more about these coverage offerings and discuss their specific BI insurance needs.

Contact us today for further insurance solutions.

Debunking 5 Common Cybersecurity Myths

Also known as IT security, cybersecurity refers to the act of safeguarding internet-connected systems, critical data and other digital assets from potential cyberthreats—threats that may attempt to exploit sensitive information, steal funds or disrupt normal business operations. In other words, cybersecurity consists of the strategies implemented to help protect people, processes and technology from cyberattacks and related losses.

Cybersecurity has become all the more important as organizations of all sizes and sectors expand their reliance on technology and other digital services in their operations. After all, cyberattacks can carry serious consequences, including damaged data and systems, prolonged business disruptions, diminished customer loyalty, lost revenue and potential regulatory concerns amid strengthening cybersecurity laws.

Even so, there are a variety of myths circulating regarding cybersecurity, many of which undermine the severity of possible threats and diminish the value of effective mitigation strategies. If organizations mistakenly assume these myths to be true, they could leave themselves increasingly vulnerable to cyberattacks and subsequent losses. The following article debunks five of the most common cybersecurity myths, giving organizations the information needed to better understand their exposures and implement appropriate risk management measures.

Myth #1: Cybersecurity measures are only necessary for large corporations.

Some organizations think small businesses are unlikely targets for cyberattacks, as they often have less data and funds for cybercriminals to exploit. As such, it has become a frequent misconception that adopting proper cybersecurity measures only makes sense for large corporations, particularly those that possess substantial capital and store sensitive information.

Large organizations are definitely susceptible to cyberattacks, but this doesn’t mean small businesses are immune to such incidents. On the contrary, some cybercriminals consider small organizations more attractive targets than their larger counterparts because these businesses are more likely to have weaker cybersecurity measures in place, thus simplifying the overall attack process. According to a recent study conducted by international IT services and consulting company Accenture, 43% of all cyberattacks target small businesses, and 66% of such organizations have experienced an attack within the past year. With this in mind, it’s clear that cybersecurity measures are necessary for organizations of any size, but especially small businesses.

Myth #2: Basic cybersecurity procedures are enough to protect against possible threats.

For certain organizations, cybersecurity consists of a few basic protocols, such as deploying firewalls, installing antivirus software and encouraging employees to maintain strong passwords. While these procedures can certainly prove useful, adopting such a single-layered approach to cybersecurity probably won’t be effective in minimizing all possible threats.

For instance, basic cybersecurity protocols aren’t as successful in protecting against brute-force incidents and social engineering scams, which are some of the most common attack techniques. To put this in context, a report from multinational cybersecurity firm Kaspersky Lab found that brute-force attacks contribute to nearly one-third (31.6%) of all cyber incidents; meanwhile, the aforementioned Accenture study revealed that 85% of organizations have encountered social engineering scams. This means that organizations would remain vulnerable to a sizeable proportion of cyberattacks with only basic protocols in place.

As the cyber risk landscape shifts and changes, organizations’ mitigation strategies should follow suit. By implementing a multilayered approach to cybersecurity and leveraging a wide range of protective measures (e.g., multifactor authentication, endpoint detection and response solutions, email authentication technology, patch management plans and data backup systems), organizations will be better equipped to handle their advancing digital exposures.

Myth #3: Cybersecurity measures aren’t worth the associated costs for small businesses.

Small organizations may initially be less inclined to invest in cybersecurity due to the related expenses, especially considering their limited budgets. Most of the time, this stems from these organizations thinking that cybersecurity measures aren’t worth the various benefits they provide; yet, the reality is quite the opposite.

As previously mentioned, small businesses are frequent targets for cyberattacks. What’s worse, these businesses are more likely to face financial ruin in the aftermath of such attacks. In fact, global cyber economy researcher Cybersecurity Ventures reported that 60% of small businesses close their doors within just six months of experiencing a cyber incident. Considering this data, small organizations simply can’t afford to ignore cybersecurity. Investing in sufficient mitigation strategies could make all the difference in helping these businesses avoid major losses and prevent financial devastation at the hands of cyber incidents.

Myth #4: Cybersecurity is the IT department’s job.

Even when organizations make the wise decision to invest in cybersecurity, they may still make the mistake of placing all related responsibilities on the IT department. Although these professionals definitely play a role in upholding adequate cybersecurity measures, they can’t act alone. The most effective cybersecurity models involve companywide participation, which requires support from corporate executives and routine training for all employees.

Without companywide participation, organizations are more likely to have poor cyber hygiene and awareness. Moreover, businesses that don’t take cybersecurity seriously will likely pass the same attitude on to their employees by neglecting to provide essential education on digital risks. This is particularly concerning, as recent research conducted by World Economic Forum, an international lobbying organization, found that 95% of cyberattacks stem from human error.

As a result, it’s imperative that organizations foster a strong working culture that encourages everyone to take responsibility for cybersecurity. This entails having company executives lead by example, training employees to detect and defend against prevalent cyberthreats, and recognizing those who demonstrate a continued commitment to security.

Myth #5: Cyberthreats are always external.

When most employers and employees picture a cybercriminal, they likely visualize an external threat actor. Nevertheless, cyberattacks can also arise from insider threats. An insider threat refers to an individual who has been entrusted with access to or knowledge of an organization’s confidential resources and information (e.g., an employee, vendor or third-party collaborator). Due to their unique privileges, insider threats have the potential to compromise organizations’ most valuable assets and leave them more susceptible to a range of cyber incidents (also called insider events).

More than 7,300 insider events took place throughout the past year, according to research from the Ponemon Institute. Further, a recent survey conducted by IT platform Cybersecurity Insiders found that the average insider event costs over $755,000. Therefore, it’s vital for organizations to consider both external and internal threats when developing their cybersecurity measures.


By adopting an informed approach to cybersecurity and understanding the reality behind common myths, organizations can effectively position themselves in this evolving digital risk environment and limit the likelihood of large-scale losses. Contact us today for more risk management guidance and insurance solutions.

The Importance of Cyber Security for Your Small Business

High-profile cyber attacks on companies such as Target and Sears have raised awareness of the growing threat of cyber crime. Recent surveys conducted by the Small Business Authority, Symantec, Kaspersky Lab and the National Cybersecurity Alliance suggest that many small business owners are still operating under a false sense of cyber security.

The statistics of these studies are grim; the vast majority of U.S. small businesses lack a formal internet security policy for employees, and only about half have even rudimentary cyber security measures in place. Furthermore, only about a quarter of small business owners have had an outside party test their computer systems to ensure they are hacker proof, and nearly 40% do not have their data backed up in more than one location.

Don’t Equate Small with Safe

Despite significant cyber security exposures, 85% of small business owners believe their company is safe from hackers, viruses, malware or a data breach. This disconnect is largely due to the widespread, albeit mistaken, belief that small businesses are unlikely targets for cyber attacks.

In reality, data thieves are simply looking for the path of least resistance. Symantec’s study found that 43% of attacks are against organizations with fewer than 250 employees.

Outside sources like hackers aren’t the only way your company can be attacked—often, smaller companies have a family-like atmosphere and put too much trust in their employees. This can lead to complacency, which is exactly what a disgruntled or recently fired employee needs to execute an attack on the business.

Attacks Could Destroy Your Business

As large companies continue to get serious about data security, small businesses are becoming increasingly attractive targets—and the results are often devastating for small business owners.

According to a recent study by the Ponemon Institute, the average annual cost of cyber attacks for small and medium-sized businesses is over $2 million. Most small businesses don’t have that kind of money lying around, and as a result, nearly 60% of small businesses victimized by a cyber attack close permanently within six months of the attack. Many of these businesses put off making necessary improvements to their cyber security protocols until it was too late because they feared the costs would be prohibitive.

10 Ways to Prevent Cyber Attacks

Even if you don’t currently have the resources to bring in an outside expert to test your computer systems and make security recommendations, there are simple, economical steps you can take to reduce your risk of falling victim to a costly cyber attack:

  1. Train employees in cyber security principles.
  2. Install, use and regularly update antivirus and antispyware software on every computer used in your business.
  3. Use a firewall for your internet connection.
  4. Download and install software updates for your operating systems and applications as they become available.
  5. Make backup copies of important business data and information.
  6. Control physical access to your computers and network components.
  7. Secure your Wi-Fi networks. If you have a Wi-Fi network for your workplace, make sure it is secure and hidden.
  8. Require individual user accounts for each employee.
  9. Limit employee access to data and information, and limit authority to install software.
  10. Regularly change passwords.

In addition to the listed tips, the Federal Communications Commission (FCC) provides a tool for small businesses that can create and save a custom cyber security plan for your company, choosing from a menu of expert advice to address your specific business needs and concerns. It can be found at www.fcc.gov/cyberplanner.

Your Emerging Technology Partner

A data breach could cripple your small business, costing you thousands or millions of dollars in lost sales and/or damages. We have the tools necessary to ensure you have the proper coverage to protect your company against losses from cyber attacks. Contact us today for additional cyber risk management guidance and insurance solutions.

4 Cybersecurity Best Practices For Your Small Business

Cyberattacks are becoming more frequent and complex, and businesses of all sizes and industries are potential targets. In fact, cybercriminals increasingly go after small businesses since they contain much of the same types of sensitive information as larger enterprises but often have weaker cybersecurity defenses. Verizon’s Data Breach Investigations Report found that 43% of all cyberattacks target small businesses, and 60% of those victims go out of business within six months of the attack. There is a growing need for your business to have cybersecurity best practices in place.

Even if a small business survives a cyberattack, there can still be devastating consequences, such as high costs, reputational damage and unanticipated downtime. To best combat these risks, it is important for small business owners to be aware of common cyberthreats they may face, including:

  • Phishing—Phishing is a type of cyberattack that utilizes deceptive emails or other electronic communication to manipulate recipients into sharing sensitive information, clicking on malicious links or opening harmful attachments. While emails are the most common delivery method for phishing attempts, cybercriminals may also use text messages, social media messages, fake or misleading websites, voicemails or even live phone calls.
  • Business email compromise (BEC)—A BEC scam entails a cybercriminal impersonating a seemingly legitimate source—such as a senior-level employee, supplier, vendor, business partner or other organization—via email. The cybercriminal uses these emails to gain the trust of their target, thus tricking the victim into believing they are communicating with a genuine sender. From there, the cybercriminal convinces their target to wire money, share sensitive information (e.g., customer and employee data, proprietary knowledge or trade secrets) or engage in other compromising activities.
  • Malware—Malware is a general term that describes viruses, worms, Trojan horses, spyware, adware, rootkits and other unwanted software or programs. Once a malware program has gained access to a device, it can disrupt normal computing operations, collect information and control system resources. 
  • Insider threats—Workers with access to sensitive information, including contractors who have access to the company’s network, may be aware of existing security weaknesses and can exploit them more easily than an outsider. 
  • Password attacks—Using weak or easily guessed passwords or using the same password for multiple accounts can result in compromised data. In fact, over 70% of employees working at small businesses have had their passwords stolen or compromised, according to data from the Ponemon Institute.
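
As an added example (not from the article), the following Python function applies a few defender-side heuristics to parsed email headers to flag the sender tricks the phishing and BEC bullets describe: a display name that matches a known colleague but arrives from a different address, a Reply-To on a different domain than the From address, a domain that is one or two characters away from a trusted vendor's, and urgency wording in the subject. The organization's domain, the trusted-domain list, the known-sender directory and the sample headers are all constructed assumptions; a flag means "have a person check before acting", not "malicious".

```python
"""Heuristic BEC/phishing sender checks on parsed email headers (added example).

Assumes headers are already available as a dict (From, Reply-To, Subject) and
that the organisation knows its own domain, its trusted vendor domains and the
addresses of people whose names are likely to be impersonated.
"""
from email.utils import parseaddr

# Constructed assumptions for the example organisation.
OUR_DOMAIN = "example.com"
TRUSTED_DOMAINS = {OUR_DOMAIN, "vendor-supplies.example"}
KNOWN_SENDERS = {"jane doe": "jane.doe@example.com"}   # display name -> real address
URGENCY_WORDS = ("urgent", "wire", "gift card", "immediately")


def edit_distance(a, b):
    """Levenshtein distance; used to spot lookalike domains such as a swapped letter."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(header_value):
    """Lower-cased domain part of an address header ('Name <user@host>' or bare)."""
    _, addr = parseaddr(header_value)
    return addr.rpartition("@")[2].lower()


def analyze_headers(headers):
    """Return a list of review flags for one message; empty means nothing suspicious found."""
    flags = []
    display_name, from_addr = parseaddr(headers.get("From", ""))
    from_domain = from_addr.rpartition("@")[2].lower()

    # 1. Known person's name on an address that is not their real one (BEC impersonation).
    known = KNOWN_SENDERS.get(display_name.strip().lower())
    if known and known.lower() != from_addr.lower():
        flags.append("display-name-impersonation")

    # 2. Replies would go somewhere other than the apparent sender's domain.
    reply_to = headers.get("Reply-To")
    if reply_to and domain_of(reply_to) != from_domain:
        flags.append("reply-to-mismatch")

    # 3. Sender domain is a near-miss of a domain we trust (e.g. one letter changed).
    if from_domain not in TRUSTED_DOMAINS:
        if any(0 < edit_distance(from_domain, trusted) <= 2 for trusted in TRUSTED_DOMAINS):
            flags.append("lookalike-domain")

    # 4. Pressure language typical of wire-transfer and gift-card requests.
    subject = headers.get("Subject", "").lower()
    if any(word in subject for word in URGENCY_WORDS):
        flags.append("urgency-language")
    return flags


# Constructed sample messages: one legitimate, one executive impersonation, one lookalike vendor.
SAMPLE_MESSAGES = {
    "legitimate": {"From": "Jane Doe <jane.doe@example.com>", "Subject": "Q3 budget review"},
    "exec_impersonation": {"From": "Jane Doe <ceo.jane@freemail.example>",
                           "Reply-To": "ceo.jane@freemail.example",
                           "Subject": "Urgent wire transfer before noon"},
    "lookalike_vendor": {"From": "Accounts Payable <billing@vendor-suppiies.example>",
                         "Subject": "Updated bank details for invoice 4471"},
}


def analyze_samples():
    """Run the checks over every constructed sample and return name -> flags."""
    return {name: analyze_headers(hdrs) for name, hdrs in SAMPLE_MESSAGES.items()}


if __name__ == "__main__":
    for name, flags in analyze_samples().items():
        print(f"{name}: {flags or 'no flags'}")
```

The same checks are what a mail gateway's impersonation rules or a user-reported-phish triage script do at larger scale; for a small business the point is that "a name you know plus an unfamiliar address" and "a vendor domain that is almost right" are cheap, mechanical things to check before money moves.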

To limit the risk of cyberattacks, small business owners should implement the following cybersecurity best practices:

  • Employee education—Employees are the most significant cybersecurity vulnerability to any organization, including small businesses. Workforce cybersecurity education is essential to teach employees to identify phishing attacks, social engineering and other cyberthreats.
  • Security software—A network firewall can prevent unauthorized users from accessing company websites, email servers and other sources of information accessed through the internet. In addition, high-quality antivirus software can perform automatic device scans to detect and remove malicious software and provide protection from various online threats and security breaches. The latest patches and updates should be installed as soon as possible to limit cybercriminals’ opportunity to exploit any network vulnerabilities.
  • Multifactor authentication (MFA)—Important accounts, including email, social media and banking apps, should require MFA to limit the opportunity for cybercriminals to steal data.
  • Data backups—Essential files should be backed up in a separate location, such as on an external hard drive or in the cloud.

As cyberthreats become more frequent and severe, small businesses should take protective measures to secure all company, personal and financial information. For more small business insights and risk management guidance, contact us today.

The Growing Need for Personal Cyber Coverage

Today’s society has grown increasingly digital in nature, with many individuals leveraging smart devices within their daily lives. Although this technology can offer various benefits, it can also make individuals more susceptible to cybercrime. Such incidents have steadily become more common and costly. In fact, the FBI reported receiving more than 800,000 complaints regarding cybercrimes in the past year, totaling $4.2 billion in overall expenses.

These findings emphasize how critical it is for individuals to safeguard themselves and their families from cyber events. That’s where personal cyber insurance can help. Typically offered as an endorsement to a homeowners policy, this form of coverage can provide financial protection for losses resulting from a range of cyber incidents—including fraud, identity theft and data breaches. Keep reading to learn more about the growing need for this coverage and the key types of personal cyber insurance available.

The Growing Need for Personal Cyber Coverage

Technology has continued to advance in the past decade, playing a larger role in how individuals live, work, and entertain. A variety of online platforms have given individuals the ability to stream content, communicate with others, shop for goods and make electronic payments at the click of a button. Additionally, smart devices have allowed individuals to upgrade a number of household appliances (e.g., thermostats, fridges, doorbells and security systems). Altogether, this technology has contributed to the growing adoption of the Internet of Things (IoT), which refers to any devices that connect or send information to the internet. Looking ahead, insurance experts anticipate that the average household will possess as many as 50 IoT-capable gadgets by 2023.

While these devices certainly offer several advantages, increased technology utilization also comes with greater cyber vulnerabilities. As technology advances, so do the tactics of cybercriminals—resulting in more frequent and severe cyber events. Here are some of the most common cyber incident scenarios that individuals and their families may encounter:

  • Bank fraud—This form of fraud entails a cybercriminal gaining unauthorized access to an individual’s electronic bank credentials, allowing them to transfer and steal funds from the individual’s account. According to a recent report from NortonLifeLock, cybercriminals steal over $170 billion each year via bank fraud.
  • Identity theft—Such theft refers to a cybercriminal accessing an individual’s personal information (e.g., Social Security number or credit card number) and using it to commit fraud or other crimes under the individual’s name. The Federal Trade Commission confirmed that nearly 1.4 million complaints related to identity theft were filed last year, up 113% from the previous year.
  • Data loss—In the event that an individual’s device gets infected with a virus or other malicious software (also called malware), they face the risk of losing any valuable data stored on that device. Viruses and malware can come from numerous avenues, including harmful websites, dangerous email attachments or infected USB flash drives—thus making data loss a major threat.
  • Extortion—Ransomware incidents have contributed to a substantial rise in cyber extortion over the last few years. These incidents stem from a cybercriminal using malware to compromise an individual’s device (and any data stored on it) and demanding a ransom payment in exchange for restoration. In some cases, the cybercriminal may even threaten to publicly share the individual’s data if they don’t receive payment. According to cybersecurity experts, ransomware incidents have increased 500% since 2018, with the average ransom payment totaling over $300,000.
  • Cyberbullying—While social media platforms allow individuals to connect with others, these platforms can also, unfortunately, be used for negative purposes, such as cyberbullying. This type of bullying refers to harassment, threats or other intimidating language that occurs via electronic means. Although anyone can be a victim of cyberbullying, kids and teenagers are particularly vulnerable. The latest data from Pew Research revealed that 59% of teens have experienced cyberbullying.

Considering these risks, it’s clear that individuals can’t afford to ignore cybercrime. In addition to implementing effective cybersecurity practices (e.g., using trusted devices, browsing secure websites, conducting software updates, backing up data, creating unique passwords and knowing how to identify potential scams), having adequate insurance in place is crucial. By investing in personal cyber coverage, individuals can properly protect themselves and their families amid cyber-related losses.

Types of Personal Cyber Coverage

Personal cyber insurance varies between insurers. However, there are a number of key coverage offerings available:

  • Online fraud coverage—This coverage can offer reimbursement for financial losses that may result from the various types of online fraud, such as phishing scams, identity theft or unauthorized banking.
  • Online shopping coverage—Such coverage can help pay for the cost of any goods that were purchased online but arrived damaged upon delivery or didn’t get delivered whatsoever.
  • Identity recovery coverage—This coverage can provide reimbursement for the expenses associated with recovering from an identity theft incident (e.g., rectifying records with banks or other authorities, hiring a consultant to assist with credit restoration and taking unpaid time off from work to recover from the incident).
  • Data restoration coverage—Such coverage can help compensate the cost of having an IT specialist recover a device and restore any data stored on it if the device gets infected with a virus or malware.
  • Data breach coverage—This coverage can offer reimbursement for the necessary notification and recovery services in the event that private, nonbusiness data entrusted to the policyholder becomes lost, stolen or published.
  • Cyber extortion coverage—Such coverage can help pay for the expenses associated with responding to a ransomware event (e.g., consulting an IT specialist to mitigate the extortion attempt and restoring compromised devices or data).
  • Cyberbullying coverage—This coverage can provide reimbursement for the costs that come with recovering from a cyberbullying incident resulting in unlawful harassment or defamation of character. These costs may include psychological counseling services, legal advice, temporary relocation expenses and social media monitoring software. This coverage can also offer protection if an individual or their child engages in cyberbullying and faces subsequent legal action from the victim.

Because personal cyber insurance is still a relatively new type of coverage, it is usually only available as an add-on to an existing homeowners policy. Further, certain insurers only provide this coverage as an endorsement for high-value homeowners policies. Yet, some insurers may offer standalone personal cyber coverage. Moving forward, insurance experts expect the personal cyber coverage market to continue growing, allowing for more widely available policy options. In any case, individuals should consult trusted insurance professionals to discuss their specific coverage capabilities.

For further risk management resources and insurance solutions, contact us today.

Are You Using Penetration Testing To Keep Your Business Safe From Cyber Risks?


Keeping workplace technology up and running is vital to any organization’s success. While this task seems feasible, it’s growing harder and harder each year as cybercriminals expand their reach. It’s not enough to simply protect workplace technology with software and security protocols. It’s also critical for your organization to test the overall effectiveness of these protocols on a regular basis. That’s where penetration testing can help.

Essentially, penetration testing consists of an IT professional mimicking the actions of a malicious cybercriminal to determine whether an organization’s workplace technology possesses any vulnerabilities and can withstand their attack efforts. Conducting a penetration test can help your organization review the effectiveness of workplace cybersecurity measures, identify the most likely avenues for a cyberattack and better understand potential weaknesses.

Review this guidance to learn more about what penetration testing is, the benefits of such testing and best practices for carrying out a successful test within your organization.

What is Penetration Testing?

Put simply, penetration testing refers to the simulation of an actual cyberattack to analyze an organization’s cybersecurity strengths and weaknesses. This testing usually targets a specific type of workplace technology, such as the organization’s network(s), website, applications, software, security systems or physical assets (e.g., computers and smart devices). Penetration testing can leverage various attack methods, including malware, social engineering, password cracking and network hacking, among others.

Generally speaking, penetration testing is often performed by a professional from a contracted IT firm who is not associated with the organization being assessed in any way. This helps the cyberattack simulation seem as authentic as possible. Penetration testing is typically either external or internal in nature. The primary differences between these forms of testing are as follows:

  • External penetration testing requires the IT expert to attack an organization’s external-facing workplace technology from an outside perspective. In most cases, the IT professional won’t even be permitted to enter the organization’s physical establishment during external penetration testing. Rather, they must execute the cyberattack remotely—often from a vehicle or building nearby—to imitate the methods of an actual cybercriminal.
  • Internal penetration testing allows the IT expert to attack an organization’s internal-facing workplace technology from an inside perspective. This form of testing can help the organization understand the amount of damage that an aggrieved employee could potentially inflict through a cyberattack.

In addition to these testing formats, there are also two distinct types of penetration tests. How much information an organization provides the IT professional prior to the cyberattack simulation will determine the penetration test type. Specifically:

  • An open-box test occurs when the IT expert is given some details regarding the organization’s workplace technology or cybersecurity protocols before launching the attack.
  • A closed-box test occurs when the IT expert is provided with no details other than the organization’s name before conducting the attack.

Ultimately, the penetration testing format and type should be selected based on the particular workplace technology elements or cybersecurity measures that an organization is looking to evaluate.

Benefits of Penetration Testing

Penetration testing can offer numerous advantages to your organization, including:

  • Improved cybersecurity evaluations—By simulating realistic cyberattack situations, penetration testing can help your organization more accurately evaluate its varying security strengths and weaknesses—as well as reveal the true costs of any security concerns.
  • Greater detection of potential vulnerabilities—If any of your workplace technology or other cybersecurity protocols fail during a penetration test, you will have a clearer picture of where your organization is most vulnerable. You can then use this information to rectify any security gaps or invest further in certain cyber initiatives.
  • Increased compliance capabilities—In some sectors, organizations are legally required to engage in penetration testing. For example, the Payment Card Industry Data Security Standard calls for organizations that accept or process payment transactions to execute routine penetration tests. As such, conducting these tests may help your organization remain compliant and uphold sector-specific expectations.
  • Bolstered cybersecurity awareness—Mimicking real-life cyberattack circumstances will highlight the value of having effective prevention measures in place for your employees, thus encouraging them to prioritize workplace cybersecurity protocols.

Penetration Testing Best Practices

Consider these top tips for executing a successful penetration test within your organization:

  • Establish goals. It’s crucial for you to decide what your organization’s goals are regarding the penetration test. In particular, be sure to ask:
    o What is my organization looking to gain or better understand from penetration testing?
    o Which cybersecurity threats and trends are currently most prevalent within my organization or industry? How can these threats and trends be applied to the penetration test?
    o What specific workplace technology elements or cybersecurity protocols will the penetration test target?
  • Select a trusted IT professional. Consult an experienced IT expert to assist your organization with the penetration test. Make sure to share your organization’s goals with the IT professional to help them understand how to best execute the test.
  • Have a plan. Before beginning the penetration test, work with the IT expert to create an appropriate plan. This plan should outline:
    o The general testing timeframe
    o Who will be made aware of the test
    o The test type and format
    o Which regulatory requirements (if any) must be satisfied through the test
    o The boundaries of the test (e.g., which cyberattack simulations can be utilized and what workplace technology can be targeted)
  • Document and review the results. Take detailed notes as the penetration test occurs and review test results with the IT expert. Look closely at which cybersecurity tactics were successful during the attack simulation and which measures fell short, as well as the consequences of these shortcomings. Ask the IT professional for suggestions on how to rectify security gaps properly.
  • Make changes as needed. Based on penetration test results, make any necessary adjustments to workplace technology or cybersecurity protocols. This may entail updating security software or revising workplace policies.
  • Follow a schedule. Conduct penetration testing at least once every year, as well as after implementing any new workplace technology.

For more risk management guidance and insurance solutions, contact us today.