In today’s threat landscape, cyber insurance alone isn’t enough to protect organizations from devastating ransomware attacks or help them make a full recovery. The reality of modern cybersecurity is stark: CyberArk reported 93% of organizations that experience one breach will experience multiple breaches, and IBM noted the growing average cost of a data breach, which reached $4.88 million in 2024 and which they expect to exceed $5 million in 2025. While cyber insurance is valuable, and qualifying for it requires financial and operational investment, it can (and often does) still contain loopholes and limitations that leave your organization vulnerable. Choosing to supplement your cybersecurity insurance with key internal controls and strategic business practices can significantly enhance your cybersecurity posture and your ability to deflect potential attacks.
Instead of relying solely on cybersecurity insurance, implementing these five core controls will provide your organization with more comprehensive protection from cybercrime:
Multifactor Authentication (MFA)
MFA creates an additional layer of trust beyond passwords by requiring users to prove their identity through a second factor, such as a one-time code generated by an authenticator app or a hardware security key. Not all second factors are equal: codes sent by SMS can be intercepted or redirected through SIM swapping, and simple push approvals can be worn down by repeated prompts, so prioritize phishing-resistant methods (FIDO2/WebAuthn keys or platform authenticators) for administrators and remote access, and treat app-generated codes as the minimum acceptable baseline.
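To make concrete what an authenticator-app code actually is, the following is an added example (not code from the original article or from REDW) implementing the time-based one-time password scheme from RFC 6238 on top of RFC 4226 HOTP, plus the verification logic a server needs: tolerance for clock drift between phone and server, a constant-time comparison, and rejection of a code that has already been used. The demo secret is the RFC 6238 reference key, used only so the output can be checked against the published test vectors; in production the secret is random per user and is the value encoded in the QR code the user scans.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed demo secret: the RFC 6238 reference key ("12345678901234567890").
# A real deployment generates a random 20-byte secret per user with os.urandom.
DEMO_SECRET = b"12345678901234567890"
STEP_SECONDS = 30   # time step shared between phone and server
DIGITS = 6          # six-digit codes, as most authenticator apps display


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation to a 31-bit integer, then the last `digits` digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP where the counter is the number of elapsed time steps."""
    return hotp(secret, at_time // step, digits)


def provisioning_secret(secret: bytes) -> str:
    """Base32 form of the secret, which is what an otpauth:// QR code carries."""
    return base64.b32encode(secret).decode("ascii")


def verify_totp(secret: bytes, code: str, at_time: int, last_counter: int,
                window: int = 1, step: int = STEP_SECONDS, digits: int = DIGITS):
    """Server-side check. Returns (accepted, counter_to_store).

    - Accepts the current step and `window` steps either side, to absorb clock drift.
    - Never accepts a step at or below `last_counter`, the step of the last code the
      user successfully used, so an intercepted code cannot be replayed.
    - Uses hmac.compare_digest so a wrong code does not leak timing information.
    """
    current = at_time // step
    for delta in range(-window, window + 1):
        counter = current + delta
        if counter <= last_counter:
            continue  # already consumed, or older than the last accepted step
        if hmac.compare_digest(hotp(secret, counter, digits), code):
            return True, counter
    return False, last_counter


if __name__ == "__main__":
    # Stand-alone demo: print the current code and verify it, then try to replay it.
    now = int(time.time())
    code = totp(DEMO_SECRET, now)
    print("provisioning secret:", provisioning_secret(DEMO_SECRET))
    print("current code:", code)
    ok, used = verify_totp(DEMO_SECRET, code, now, last_counter=-1)
    print("first use accepted:", ok)
    ok_again, _ = verify_totp(DEMO_SECRET, code, now + 5, last_counter=used)
    print("replay accepted:", ok_again)
```

The stored `last_counter` is the piece most home-grown implementations forget: without it, a code phished from a user remains valid for the whole 30-second step plus the drift window, which is exactly the gap real-time phishing kits exploit. That limitation is also why the prose above recommends FIDO2/WebAuthn for high-value accounts; a TOTP code is a shared secret the user can be tricked into typing, whereas a WebAuthn assertion is bound to the site's origin.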

Administrative Account Review
Administrative accounts represent your organization’s “keys to the kingdom.” Regular reviews ensure that only necessary personnel have elevated privileges. Failure to minimize admin accounts and/or eliminate shared accounts can lead to accountability issues during security incidents. Ensuring all activities are logged and traceable to a single user aids investigations and deters potential compromises.
Software Access Audits
Controlling what software can be installed on your network prevents unauthorized applications that might introduce vulnerabilities. Remove local administrator privileges from standard users so they cannot install software at all, and implement controls to detect unapproved software through regular inventory assessments that compare what is actually installed against an approved list. Make sure all devices hitting your network are subject to these controls; a device that never appears in the inventory is a device the controls are not protecting.
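The two review sections above (administrative account review and software access audits) are, in practice, the same recurring exercise: pull exports, compare them against an approved list, and chase the exceptions. The following is an added example, not code from the original article or from REDW, showing that comparison over constructed sample exports. It assumes three hypothetical inputs: an account export with a per-device admin flag and an owner column (`shared` marking accounts that are not tied to one person), a per-device installed-software export, and the set of devices seen on the network (from DHCP or NAC logs). The column names and device names are made up for the example; real exports from Active Directory, Entra ID, Intune, Jamf or an NAC would be mapped into the same shape.

```python
import csv
import io

# Constructed sample exports for the example; real ones come from the directory,
# the endpoint management tool and the DHCP/NAC logs, not from strings in a script.
ACCOUNT_EXPORT = """\
device,account,is_admin,owner
WS-101,jdoe,0,jdoe
WS-101,Administrator,1,shared
WS-102,mlee,1,mlee
WS-103,helpdesk,1,shared
WS-103,rkim,0,rkim
WS-104,itadmin.sreyes,1,sreyes
"""

SOFTWARE_EXPORT = """\
device,software,version
WS-101,Microsoft Office,16.0
WS-101,AnyDesk,8.0
WS-102,Microsoft Office,16.0
WS-102,Google Chrome,124.0
WS-103,Google Chrome,124.0
WS-104,Microsoft Office,16.0
WS-104,uTorrent,3.6
"""

# Approved elevated accounts: one named person per account, separate from that
# person's daily-use account (mlee has an approved admin account, itadmin.mlee,
# so admin rights on the plain mlee account are an exception).
APPROVED_ADMINS = {"itadmin.sreyes", "itadmin.mlee"}

# Software allowed on standard workstations.
ALLOWED_SOFTWARE = {"Microsoft Office", "Google Chrome"}

# Devices seen on the network in the review period (hypothetical DHCP/NAC export).
NETWORK_DEVICES = {"WS-101", "WS-102", "WS-103", "WS-104", "LT-ACCT-07"}


def parse_csv(text: str) -> list[dict]:
    return list(csv.DictReader(io.StringIO(text)))


def review_admin_accounts(accounts: list[dict], approved: set[str]) -> list[tuple]:
    """Flag elevated accounts that are shared (not traceable to one person) or that
    hold admin rights without being on the approved list."""
    findings = []
    for row in accounts:
        if row["is_admin"] != "1":
            continue
        if row["owner"] == "shared":
            findings.append((row["device"], row["account"],
                             "shared admin account: activity not traceable to one person"))
        elif row["account"] not in approved:
            findings.append((row["device"], row["account"],
                             "admin rights outside the approved admin list"))
    return findings


def review_software(software: list[dict], allowed: set[str]) -> list[tuple]:
    """Flag installed software that is not on the allowlist, per device."""
    return [(row["device"], row["software"], "unapproved software installed")
            for row in software if row["software"] not in allowed]


def review_coverage(accounts: list[dict], software: list[dict],
                    network_devices: set[str]) -> list[str]:
    """Devices that were on the network but appear in no inventory export: they are
    outside the controls entirely, which is usually the most important finding."""
    inventoried = {r["device"] for r in accounts} | {r["device"] for r in software}
    return sorted(network_devices - inventoried)


def run_review() -> dict:
    accounts = parse_csv(ACCOUNT_EXPORT)
    software = parse_csv(SOFTWARE_EXPORT)
    return {
        "admin": review_admin_accounts(accounts, APPROVED_ADMINS),
        "software": review_software(software, ALLOWED_SOFTWARE),
        "unmanaged": review_coverage(accounts, software, NETWORK_DEVICES),
    }


if __name__ == "__main__":
    report = run_review()
    for section, items in report.items():
        print(f"== {section} ==")
        for item in items:
            print("  ", item)
```

On the sample data the review produces three admin findings (the built-in Administrator and the shared helpdesk account, plus mlee holding admin rights on a daily-use account), two software findings (a remote-access tool and a file-sharing client), and one device that was on the network but is in neither export. That last category is the one to resolve first, since nothing else in the review applies to a device the inventory cannot see.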
Security Awareness Training
The human element remains an organization’s weakest link, with as many as 74% of Chief Information Security Officers (CISOs) identifying it as the most significant vulnerability. As demonstrated in the infamous MGM Resorts breach in 2023, one successful social engineering call to a help desk, in which the attackers impersonated an employee to get credentials reset, can halt operations for a large organization and cause tens of millions of dollars in losses. Comprehensive, ongoing team training helps staff recognize and securely respond to threats, and help desk staff in particular need a verification procedure for identity and credential resets that does not rely on information an attacker can look up.
Documented Security Policies
Well-documented and enforced security policies establish clear expectations and procedures. These policies cover everything from incident response to password requirements and should be regularly reviewed and updated. Clearly written policies and checklists take the emotional sting out of addressing cybersecurity incidents and allow swift progression and remediation to take place.
Organizations that implement and test these controls see significant benefits. A 2020 IBM/Ponemon Institute study reported that companies with tested incident response plans saved an average of $2.03 million during breaches compared to those without such preparations.
Key Takeaways:
- Cyber insurance alone isn’t sufficient protection against modern threats
- The five core controls work together to create multiple layers of security
- Implementing these controls can save millions in potential breach costs
- Regular testing and updating of security controls are essential
Author: John W. Graham is a Principal in REDW Advisors & CPAs Cybersecurity Consulting Practice, providing strategic leadership and guidance to help organizations strengthen their resilience against today’s rapidly evolving cyber threats. He leads comprehensive cybersecurity risk assessments, IT governance reviews, and compliance evaluations using top industry frameworks, including NIST, ISO 27000, FedRAMP, CMMC, HIPAA, PCI DSS, and SOC 2. Graham also empowers leadership teams to build resilience, make informed decisions, and foster cultures of cybersecurity excellence by providing incident response planning and crisis management. www.redw.com