Inaction After Cyber Risk Recommendations

May 15, 2023

What Causes Inaction After Assessment Recommendations?

One of the great ironies of human behavior is this: When a problem confronts us, we take the time and money to get outside expertise for guidance ― and then, with report in hand, we fail to implement it.

Case in point: It is well established that the biggest existential threat to an insurance operation, large or small, is a cyberattack. Far too often, insurance organizations have seen the need to take prudent steps to help safeguard their data and protect their long-term viability. They engage outside firms for help. Cyber risk assessments and recommendations are delivered. Then … nothing.

Why? It seems counterintuitive.

Could the reason be that the assessment process was too cumbersome, and the recommendations were more academic than practical? A cyber-risk assessment is successful only if the client is capable of implementing the preventative measures that are recommended. Are agents often finding markets that overlook challenges? An insurance policy bound under documented vulnerabilities may never pay a claim. So what is it that can drive action and make clients truly protected?

TEKRiSQ’s successful implementation rate proves that these four elements are key:

  1. Efficient data collection. While it is necessary to collect accurate, relevant data, we reduce the time it takes to as little as 30 minutes. We streamline the process using standard industry methodologies and questioning techniques (from the National Institute of Standards and Technology, or NIST) that ensure reliability. Our assessment is designed to be practical, not an exercise in unneeded data collection.
  2. Personalized methodologies. Our approach eschews forms for clients to complete. And when we deliver an assessment, we also meet the client face-to-face online to explain the results and the implementation process.
  3. Understandable information. The staff must understand the assessment, how the recommendations fit within the organization’s operations, their relevance, and how to implement them in a practical way. Technological jargon will defeat the purpose and frustrate the client. As Don Henley sang, “I’ve been trying to get down to the heart of the matter, but my will gets weak, and my thoughts seem to scatter.”

    Context is everything.

    There is, for example, a common misconception that cyberthreats are a problem only for large businesses. But the small and medium enterprise (SME) is the cybercrime target that most needs outside assistance. A small firm cannot sustain an internal IT department. It’s unlikely even to employ a tech whiz. It’s dependent on affordable avenues to solve its unique business needs, including cyber-protection, and it needs understandable information to do that.
  4. Ongoing support. Most importantly, we know our work is not over when the assessment is presented. The goal is continuous improvement, so we employ tools that will illuminate for clients how the implementation process is going.

Incorporating these four elements into the cyber-risk assessment process creates a positive attitude among our clients’ staffs. They form the zeitgeist for our work, especially for our SME clients.

If your business needs an independent cyber risk assessment that minimizes tech jargon and is highly actionable, contact TEKRiSQ today.