December 18, 2024

How to protect your business from social engineering threats

Summary

  • Understand social engineering attacks
  • Gauge the financial impact of social engineering attacks
  • Get comprehensive cybersecurity & commercial crime insurance coverage
  • Add value beyond basic cybersecurity & crime policies
  • Fortify your cybersecurity with additional protections

It’s well known that cybercrime, cyberattacks, and data breaches are on the rise. As their frequency increases, so does their level of sophistication. And with artificial intelligence (AI) technologies advancing in leaps and bounds, that sophistication will only continue to become more convincing. This poses a growing, potentially significant threat to any business.

Social engineering—using psychological manipulation to prompt human error and gain access to sensitive information—has emerged as one of the most costly and cunning cyber threats impacting organizations of all shapes and sizes.

No business is invulnerable to social engineering threats. To stay protected, companies from startups to Fortune 500s must ensure they have the right insurance and protections in place to prevent potentially significant financial and legal consequences.

Understand social engineering attacks

According to the Cybersecurity and Infrastructure Security Agency (CISA), approximately eight out of 10 organizations for which the agency conducts cybersecurity assessments have had at least one individual fall victim to a phishing attempt. This statistic highlights the widespread vulnerability to social engineering tactics across various sectors.

The act of social engineering starts with attackers finding personal information about their victims to discern the most vulnerable points of entry. Next, the intruder seeks to gain the victim’s trust by exploiting those perceived weaknesses.

The three most common methods of social engineering include:

  • Phishing: Cybercriminals send emails posing as colleagues or departments (often IT) that request password resets, sensitive information, or payments, or that ask the recipient to open an attachment or click a link. Once the link is clicked or the attachment opened, the attacker can gain access to the business’s network.
  • Smishing: Similar to phishing, smishing uses fraudulent messages via SMS texts. A common tactic is when attackers text an employee assuming the identity of a coworker or supervisor, expressing the need for an urgent purchase (such as a $500 gift card).
  • Vishing: Attackers use voice calls to impersonate individuals, often claiming to represent a bank, government agency or other organization, to persuade a victim to give away personal information (e.g., bank account or Social Security numbers).

Gauge the financial impact of social engineering attacks

The financial impact of social engineering attacks on businesses can range from harmful to devastating. The average financial cost of these breaches is $50,000 whether through stolen money or destroyed data.

The monetary impact of social engineering events often includes legal fees and data recovery, but that’s only one piece of a bigger puzzle. Many companies don’t initially think about the non-monetary costs these attacks incur. 

Brand reputation, customer trust, productivity and the time it takes to recover data all significantly impact a company in the wake of a social engineering breach.

Get comprehensive cybersecurity & commercial crime coverage

Consider a castle in need of protection from enemies. The gate might be secure, but what about the tower windows, moat and bridge? Do the guards have the right weapons?

Cybersecurity requires a similar approach. You need various tools, systems, processes and professionals in place to protect a business. Additionally, you need a robust cybersecurity insurance policy—sometimes complemented by commercial crime coverage—to protect against the threats that do make it past the first lines of defense.

In the Venn diagram of coverage, cybersecurity and crime policy protections can overlap—but their distinguishing characteristics lie in the types of risks they address. Where cybersecurity insurance protects businesses from the financial and reputational impacts of cyberattacks and data breaches, commercial crime insurance (or fidelity bonds) broadly addresses the physical and financial impact of criminal activities like forgery, embezzlement, theft and fraud.

Even with complementary crime and cybersecurity policies, vulnerabilities may remain—making it critical for businesses to proactively supplement with specialized solutions.

Add value beyond basic cybersecurity & crime policies

While broad policies that protect against crime-driven financial losses provide a critical foundation, additional coverage may be necessary for a comprehensive and effective plan. Companies should consider additional policies to reinforce their cybersecurity insurance, such as:

  • Social engineering fraud coverage: This specifically covers phishing, smishing and vishing scenarios where employees are tricked into giving away private data.
  • Funds transfer fraud coverage: This insurance guards from instances when a perpetrator impersonates an authority or business partner to convince an employee to conduct an unauthorized electronic transfer of company money.
  • Business email compromise (BEC) coverage: BEC insurance covers the financial impact of criminals who use fake email accounts to deceive employees.

Fortify your cybersecurity with additional protections

Alongside assessing coverage gaps from standard cybersecurity insurance policies, businesses should look for other “cracks” in their cyber castle. For example, part of maximizing cyber insurance and protection is making sure employees have the right type of training to ward off attacks. Processes must be established to ensure every employee knows how to identify and report social engineering scams.

To properly train employees, companies should undergo a full audit of social engineering vulnerabilities to truly assess how an attack could impact the business. Multi-factor authentication, data segmentation, data scrambling and penetration testing are all additional layers of protection to reinforce a business’s cyber architecture against social engineering breaches. Once weaknesses are detected, business leaders can implement the necessary level of training and mitigation.

Strengthening cyber defense against evolving threats

As social engineering threats evolve, it is increasingly crucial to fortify your company with robust cybersecurity protections.

Marsh McLennan Agency has an extensive line of cyber insurance solutions and protection plans for businesses of every size and industry. To learn more, please reach out to one of our cyber experts today.

Contributor

Trevor Johnson

Associate Vice President, Business Insurance