To offer maximum value to our insureds and stand out from the competition, we as insurance professionals need to do more than just offer our clients good coverage. We also need to help them with the bigger risk management picture.
For example, you may sell your client a workers’ comp policy, but you could also provide them with employee training materials geared towards reducing on-the-job accidents.
Similarly, when selling cyber insurance, we need to be thinking about other facets of risk management beyond risk transfer via a policy: Strengthening network security, educating employees on best practices, developing a breach response plan, and more.
One simple step towards the goal of shoring up network security is to evaluate how well the insured’s network, and the systems on it, would stand up to an attacker. This is done through a penetration test (also called a “pen test”): a controlled, authorized attack carried out by a security professional, which opens the insured’s eyes to the weaknesses an attacker could use to break into their systems, applications, devices, files, and networks. Penetration testing is a foundational part of defending IT assets.
Sometimes the phrases “vulnerability scan” and “penetration test” are used interchangeably, but they are not the same. A vulnerability scan is an automated tool that checks systems against a database of known weaknesses (missing patches, insecure configurations, outdated software) and produces a list of possible issues without attempting to exploit them. A penetration test requires the time of a security expert who manually verifies which of those weaknesses are real, tries to exploit them, and chains them together to show how far an attacker could actually get. Either one can be run from outside the network (as an internet attacker would see it) or from inside (as a compromised workstation or malicious insider would); the difference is automation and depth, not vantage point.
A pen test attempts to gain access to the digital assets the insured values most. If the tester uncovers a weakness that can be combined with others into a chain of attack steps reaching those assets, it is flagged as a significant finding that requires immediate attention.
The professional conducting a penetration test will look in many areas for potential problems, including network exposure and connectivity, system and service configurations, application code, certificates and encryption, and even human behavior (for example, whether staff will act on a convincing phishing email). All of these and more should be within the scope of the test.
The pen test culminates in a lengthy report of findings. Unfortunately, these reports are infamously confusing: they typically rank weaknesses by a generic technical severity score (such as a CVSS rating) that says little about what each finding means for this particular business. For this reason, they often gather dust and are used mainly to tick off key tasks on a regulatory checklist.
What’s missing from most pen test reports is a clear evaluation and quantification of which sensitive data (customer information, financial accounts, employee files, proprietary business plans and trade secrets, etc.) and which business processes are truly at risk. If a weakness found cannot be tied to a real, quantifiable impact on the business, it is very hard to justify the cost of repairing it, and the fix loses out to other demands on a limited budget.
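The following is an added illustration of the point above, not code from INSUREtrust or ASSUREtrust. It takes a handful of constructed pen test findings, each with the generic severity score a report would assign, and re-ranks them by a simple business-impact figure: the estimated cost of one compromise of the affected asset multiplied by the estimated yearly rate at which the weakness would be exploited if left alone (the classic annual loss expectancy, ALE = SLE × ARO). The asset values, rates, and remediation costs are made-up figures chosen only to show how the ordering changes.

```python
# Added example: ranking pen test findings by business impact instead of by
# generic severity. All assets, findings, dollar figures and rates below are
# constructed for illustration; they are not real data.
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    single_loss_expectancy: float  # estimated cost (USD) of one compromise of this asset


@dataclass(frozen=True)
class Finding:
    title: str
    severity: float      # generic 0-10 technical score as a scanner or report would give it
    asset: str           # which business asset the weakness exposes
    annual_rate: float   # estimated exploitations per year if the weakness is left unfixed
    fix_cost: float      # estimated one-time remediation cost (USD)


# Constructed asset inventory with the insured's own value estimates.
ASSETS = {
    "customer-db": Asset("customer-db", 400_000.0),
    "marketing-site": Asset("marketing-site", 5_000.0),
    "hr-fileshare": Asset("hr-fileshare", 120_000.0),
}

# Constructed findings, as they might appear in a report.
FINDINGS = [
    Finding("Outdated TLS on marketing site", 7.5, "marketing-site", 0.5, 4_000.0),
    Finding("Default credentials on HR fileshare", 5.0, "hr-fileshare", 1.0, 300.0),
    Finding("SQL injection in customer portal", 9.8, "customer-db", 0.4, 12_000.0),
    Finding("Verbose error pages on marketing site", 3.1, "marketing-site", 2.0, 200.0),
]


def annual_loss_expectancy(finding, assets):
    """ALE = single loss expectancy of the exposed asset x expected yearly rate."""
    return assets[finding.asset].single_loss_expectancy * finding.annual_rate


def rank_by_severity(findings):
    """The ordering a typical report gives: highest generic score first."""
    return [f.title for f in sorted(findings, key=lambda f: f.severity, reverse=True)]


def rank_by_business_impact(findings, assets):
    """Ordering by expected yearly loss to this particular business."""
    return [f.title for f in sorted(findings,
                                    key=lambda f: annual_loss_expectancy(f, assets),
                                    reverse=True)]


def remediation_justified(finding, assets):
    """A fix pays for itself within a year if the loss it removes exceeds its cost."""
    return annual_loss_expectancy(finding, assets) > finding.fix_cost


if __name__ == "__main__":
    print("By generic severity:   ", rank_by_severity(FINDINGS))
    print("By business impact:    ", rank_by_business_impact(FINDINGS, ASSETS))
    for f in FINDINGS:
        print(f"{f.title}: ALE ${annual_loss_expectancy(f, ASSETS):,.0f}, "
              f"fix ${f.fix_cost:,.0f}, justified={remediation_justified(f, ASSETS)}")
```

With these numbers the "high severity" TLS finding on the low-value marketing site drops from second to last, and a medium-severity default-credential finding on the HR fileshare rises to second because of what that share holds. The same calculation also answers the budget question directly: the TLS fix costs more than the loss it would prevent this year, while the other three clearly pay for themselves. Real engagements need the insured's own loss and likelihood estimates, but the mechanism is the same.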
INSUREtrust’s security services division, ASSUREtrust, offers penetration testing that focuses on the specific data and business operations of an individual insured. Small and medium-sized businesses need robust security, but don’t have big IT budgets. We get it. Our pen test solution is easy to understand, and gets right to the point of how an insured can fortify their security using a practical, reasonable outlay of resources.
Contact us today to find out how to help your clients get real value from their limited security dollars.