Cyber Insurance Checklist: 10 Essential Security Controls
The never-ending threat of a cyberattack is leading more and more businesses to take a serious look at cyber security insurance to help them recover some of the financial losses that would result from an attack or incident. While the continuing rise in attacks is making cyber insurance more attractive, it is also making it more difficult to obtain. More attacks result in more claims, which lead to higher premiums, with insurance companies becoming very selective about who and what they are willing to cover. Insurance underwriters will likely require that you have robust security measures and policies in place before they even consider providing your company with a quotation. Here are some of the security controls insurers are likely to require to be in place before issuing a quotation:
(Note: this post contains links to various pages on our website. Never click on links you do not trust 100%. If you do not trust the links in this post, you can find all the information directly on our website)
1. Multi-Factor Authentication.
At the top of every insurance underwriter’s requirement list is Multifactor Authentication (MFA). Cyberattacks such as ransomware frequently exploit weak or stolen passwords to infiltrate systems. MFA reduces the risk by requiring a combination of verification factors such as a password or PIN along with a security token, mobile app, or biometric identifier. It’s almost impossible to get cyber insurance without MFA. To learn more about MFA read our post “What is MFA and what are the benefits” or download our “Guide to MFA”.
2. Endpoint Detection and Response (EDR).
Endpoint devices such as laptops, tablets and mobile phones are enticing targets because they provide a direct route into corporate networks. Endpoint Detection and Response (EDR) is a newer expansion of traditional endpoint security, with a focus on greater endpoint visibility for the purpose of enabling faster response times. When an endpoint encounters a never-before-seen threat, for instance, EDR allows the new threat to be monitored and, if necessary, categorised as malicious. Internally at IT.ie we utilise Microsoft Defender as the EDR on all our endpoints. Microsoft Defender is now included as part of your Microsoft 365 Business Premium licence. Find out more about Microsoft Defender EDR.
3. Secure Backups.
Threat actors continually adapt to make it more and more difficult for you to recover from an attack. Not only do they target the data across your organisation, but many now also target backup data to prevent recovery. An immutable backup strategy secures backup data by making it unchangeable and preventing it from being deleted. That way, hackers can’t alter your backups in any way. Find out more and download our partner guide on how to recover from a ransomware attack.
4. Network Access Controls.
Network access control, also called network admission control, is a method to bolster the security, visibility, and access management of a proprietary network. It restricts the availability of network resources to endpoint devices and users that comply with a defined security policy. Simply put, it is a method of access-based permissions to keep unauthorised users and devices out of your network.
5. Email Security.
Email is the number one threat vector for virtually all the bad things that keep you up at night. What’s worse is that cybercriminals are using email to target the weakest link in an organisation’s cybersecurity chain: humans. AI-powered email security blocks advanced attacks from the first email thanks to machine learning models that perform real-time behavioural analysis of the entire email, including any URLs and attachments. Find out more about Managed Email Security.
6. Patch Management.
Patch management is the process of identifying and deploying software updates, or “patches,” to a variety of endpoints, including computers, mobile devices, and servers. A consistent approach to patching and updating software and operating systems helps limit exposure to ransomware and other exploits. A patch management plan should include a framework for prioritising, testing, and deploying patches. Internally we monitor and control patch management via our Remote Monitoring and Management (RMM) tool and server patching policies.
7. Cybersecurity Awareness Training.
Regular Cyber Awareness Training builds a cybersecurity culture at your organisation and turns your employees into your strongest cyber assets. It promotes general security best practices and an understanding of social engineering and phishing techniques. Users who can spot the tell-tale signs of an attack can pre-emptively thwart many attacks. At IT.ie we provide a complete Human Risk Management solution that incorporates Cyber Awareness Training, Phishing Simulations and scans the dark web for compromised email credentials. You can find further information by visiting our Cyber Security Awareness Training page.
8. Secure Remote Access.
Remote Desktop Protocol (RDP) enables users to access company resources from a home PC over an Internet connection, but it has known vulnerabilities. Apply encryption, MFA, and other security features to mitigate the risk. In addition, block all remote access ports at the firewall or network gateway unless there is a valid business reason for having them open. Remote access can instead be provided through a Secure Socket Layer VPN (SSL VPN).
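The check an underwriter is really asking about in this item is "is RDP (or SSH, VNC, WinRM) reachable from the Internet, or only from inside the VPN?". The following is an added example, not code from the original post or from IT.ie's tooling: it audits a small, constructed firewall ruleset and flags any inbound allow rule that opens a remote-access port to a source outside an assumed SSL VPN address pool (the rule format, the port list and the pool `10.200.0.0/24` are all assumptions made for the example).

```python
"""Audit a firewall ruleset for remote-access ports exposed beyond the VPN.

Added example; the rule format, the VPN pool and the sample rules are
constructed for illustration and are not a real gateway export.
"""
import ipaddress

# Ports commonly used for remote access. An inbound allow rule for one of
# these from "anywhere" is exactly what the post says should be closed
# unless there is a documented business reason.
REMOTE_ACCESS_PORTS = {
    22: "SSH",
    3389: "RDP",
    5900: "VNC",
    5985: "WinRM (HTTP)",
    5986: "WinRM (HTTPS)",
}

# Assumption: remote users reach internal hosts only through the SSL VPN,
# which hands out addresses from this (constructed) internal range.
VPN_POOL = ipaddress.ip_network("10.200.0.0/24")


def rule_exposes_remote_access(rule):
    """Return (port, service) if an inbound allow rule opens a remote-access
    port to sources outside the VPN pool, otherwise None."""
    if rule["action"] != "allow" or rule["direction"] != "inbound":
        return None
    if rule["proto"] not in ("tcp", "any"):
        return None
    service = REMOTE_ACCESS_PORTS.get(rule["dport"])
    if service is None:
        return None
    src = ipaddress.ip_network(rule["src"], strict=False)
    # A source wholly inside the VPN pool is the intended path. Anything
    # wider (a public range, 0.0.0.0/0, or any IPv6 source) is an exposure.
    if src.version == VPN_POOL.version and src.subnet_of(VPN_POOL):
        return None
    return (rule["dport"], service)


def audit(rules):
    """Return one human-readable finding per rule that exposes remote access."""
    findings = []
    for rule in rules:
        hit = rule_exposes_remote_access(rule)
        if hit:
            port, service = hit
            findings.append(
                f"rule {rule['id']}: {service} (tcp/{port}) allowed inbound "
                f"from {rule['src']}; restrict to VPN pool {VPN_POOL} or remove"
            )
    return findings


# Constructed sample ruleset, in the style of a simplified gateway export.
SAMPLE_RULES = [
    {"id": 10, "direction": "inbound", "action": "allow", "proto": "tcp",
     "src": "0.0.0.0/0", "dport": 443},        # public HTTPS: not a finding
    {"id": 20, "direction": "inbound", "action": "allow", "proto": "tcp",
     "src": "0.0.0.0/0", "dport": 3389},       # RDP open to the world
    {"id": 30, "direction": "inbound", "action": "allow", "proto": "tcp",
     "src": "10.200.0.0/24", "dport": 3389},   # RDP only from the VPN pool
    {"id": 40, "direction": "inbound", "action": "allow", "proto": "tcp",
     "src": "203.0.113.0/24", "dport": 22},    # SSH from a third-party range
    {"id": 50, "direction": "inbound", "action": "deny", "proto": "any",
     "src": "0.0.0.0/0", "dport": 5900},       # explicit deny: not a finding
]

if __name__ == "__main__":
    for line in audit(SAMPLE_RULES):
        print(line)
```

Run against the constructed ruleset, the audit reports rules 20 and 40 and accepts rule 30, which is the shape a "remote access only via VPN" policy should leave behind in the ruleset. Rule 40 is reported even though it is scoped to a single external range, because a third party's address block is still outside the VPN and would need the "valid business reason" the post refers to.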
9. Replace End-of-Life Systems.
You should never let your systems surpass their life cycle. Take Microsoft, for example: it announces when support for an operating system is coming to its end of life and encourages you to upgrade to a more up-to-date operating system. Hackers commonly target applications and systems that have reached end of support or end of life because they know security issues are no longer being addressed. Companies with outdated systems and no plan for upgrades are viewed as a higher risk by most insurance underwriters. Internally we utilise our RMM tool and Microsoft Intune compliance policies to enforce a minimum OS version.
10. Manage Supply Chain Risk.
Supply chain attacks allow cybercriminals to distribute malware to mass numbers of victims simultaneously. Organisations should evaluate their suppliers’ security practices and incorporate specific security requirements into their contracts. Do you trust that your suppliers are protecting your data just as you are expected to protect the data of your clients? If you aren’t certain, ask them, and if you are not satisfied with their response, consider switching suppliers. It’s not uncommon for businesses to fall victim to cyberattacks or data breaches via the systems of their suppliers and partners. Here at IT.ie we continually monitor our supply chain risk via our ISMS Risk Register.
For many organisations Cyber Insurance is an absolute necessity while for many others the cost is prohibitive. Ransomware attacks make up about 75% of cyber insurance claims and yet research suggests that only 37% of organisations have ransomware cover as part of their policy. We would never recommend paying a cybercriminal; however, we also understand that for many, they simply have no other choice. What is important to remember, however, is that even if you pay the ransom, there is no guarantee that the criminals will hold up their end of the deal. The best way to protect your organisation and its reputation is to implement a multi-layered approach to cyber security and data protection, to greatly mitigate risk.
The checklist items I have highlighted in this post are steps you should take to protect your organisation, regardless of whether you plan to seek cyber insurance or not.
You have probably read a multitude of articles and posts about the threat of cyber-attacks and ask, are they simply trying to scare me? Make no mistake, all the content you read about cyber-attacks is designed to scare you, and for good reason. A cyber-attack and compromise of your data is the single biggest threat to your organisation right now. If you would like to know more about how to protect your business, get in touch with our team via our website or simply email email@example.com and they’ll be happy to talk to you about any concerns you might have.