Cyber insurance cover is essential for businesses, but not all firms can access the policies they want. We highlight five key areas in which businesses can improve their security profile to access appropriate cyber coverage and build resilience.
Everyone understands what a fire or a flood looks like, and the impact it could have on business operations – but not everybody understands what a cyber event looks like, or what follows.
As part of our ongoing dialogue with customers, we focus on ‘being ready’, and part of this includes sharing appropriate information on failed attacks, which protections worked, the vulnerabilities which have allowed cyber breaches to happen, and ways to improve security.
A greater level of sharing information both ways helps insurers better understand their customer’s business, so we can assess and advise on risk in the most effective way.
It’s crucial for businesses to take stock of their cyber security, not only to address any gaps that might let criminals in, but also to meet the criteria required to access full levels of insurance.
There are five key areas businesses can focus on:
General IT Security
Are you sure all your systems are always kept up to date with necessary security updates?
This doesn’t mean simply relying on your anti-virus being up to date. It’s important to understand the process for managing software vulnerabilities and updates, even if an external IT provider delivers the service.
Do you have multifactor authentication (MFA) in place on all remote connections and admin accounts?
This requires the user to have two pieces of information to access the system, so that if one is compromised (e.g., the password is guessed), a second step is required (e.g., a code sent to a mobile phone or email address, biometric recognition) before access is provided.
Do you ensure your businesses or employees are not using unsupported systems, and where these are unavoidable, are you sure they are isolated from the internet and the rest of your network?
As new versions of software and programs are released manufacturers stop providing security updates for their older versions creating unsupported systems. These are obviously therefore easy targets for hackers and so extra care must be taken if you plan to still use them.
Do you know the difference between vulnerability scanning and pen testing and how often do you do either?
Simply put, vulnerability testing is designed to scan and evaluate your IT systems for weaknesses. Pen testing is a simulated cyber-attack against those weakness, designed to show how serious the situation could become.
Employees
Your employees can be your weakest link when it comes to cyber security and it is important to have an education programme in place to remind employees about the risks, how to spot suspicious activity and what to do (and not do).
Sporadic phishing simulations are also recommended to highlight areas of your workforce you might need to spend more time educating about the risks.
Business Continuity
Business continuity should be a key focus for all companies, with clearly laid out processes and priorities to help protect your data, reputation, revenue – and if needed, your recovery.
Key questions to consider include:
- Do you carry out regular offline backups of critical data?
- Do you segregate IT (information technology) from OT (operational technology, such as machinery) by using for example firewalls or air gapping?
- Do you isolate different locations?
- Do you have a business continuity and/or disaster recovery plan in case of a network outage? Have you practiced the application of these plans?
Personal Data
It’s a myth that small and medium-sized businesses are less at risk. In fact, there’s a trend towards targeting those with less robust measures in place and using them to gain access to larger companies.
Encrypting data isn’t enough to prevent fraud or misuse. Cyber-security encompasses more than just hacking and phishing, and data protection covers everything from email marketing to hanging on to files longer than is necessary.
Business should assess their data protection measures in the following areas:
- How careful are you with the data you hold?
- Is sensitive data adequately secured with appropriate encryption?
- Are you only holding the data you need and disposing of non-essential data properly?
- Do you limit the number of employees with access to sensitive data?
Regulation
Is your business required to be PCI-DSS compliant?
Businesses that hold, use, or transmit cardholder data must hold this accreditation.
Are you aware of the privacy and security regulations your business is required to adhere to?
The UK Data Protection Act is not the only regulation most businesses need to adhere to in the event of a cyber incident. There are many specific industry regulations that also govern the security of data and IT systems.
Cyber insurance underwriters will take these five focus areas into consideration when deciding whether to offer coverage and at what premium.
But even if your company is not currently looking for cyber cover, taking these security precautions seriously makes business sense, no matter the industry, or size of company.