Cyber Risk Mitigation Measures

Call us on 01384 442 165 (Mon-Fri, 9am-5pm) or E: cyber@insurance2day.co.uk

Cyber Insurance

The cyber risk landscape is ever changing. Scams are becoming increasingly sophisticated and cyber criminals cast their nets wide.

Therefore, while cyber and data breach insurance can be invaluable, proactive risk management is essential. Insurers are increasingly stipulating the risk mitigation measures they require for insurance cover to be operational.

Home insurers don’t allow homes to be left with windows and doors unlocked and open. In the same manner, cyber insurers require adequate cyber security and protection.

By implementing adequate Cyber Risk Mitigation Measures, you can reduce the risk of falling victim to cyber crime. And should your systems be breached despite those measures, the financial cost and overall disruption to your business can be significantly reduced.

Below are some examples of the measures that insurers require to be in place to mitigate risk.

Back-Ups

We all know we need to back up data critical to our business. However, it’s important not to assume that, because we are paying for back-ups, our data will be there when we need to restore it. Back-ups can fail and/or data can be rendered useless, limiting our ability to restore in the event of a cyber attack.

It is therefore essential:
1. To test back-ups, to ensure data is recoverable
2. To back up data to a cold, or offline, location. This ensures that it is unaffected by any issues with your live environment: in the event of a cyber attack, for instance, online back-ups can be compromised and data corrupted.

Check List:
– Who backs up your data?
– How frequently?
– What measures are in place to stop the corruption of your back-ups?
– Do you periodically test your back-ups to ensure recoverability in the event of a cyber attack?
Visit: https://www.ncsc.gov.uk/blog-post/offline-backups-in-an-online-world for advice on offline backups in an online world.
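As an added example (not part of this page), the restore test from the check list above in Python: a SHA-256 manifest is recorded at backup time, the archive is later extracted into scratch space, and any file that is missing or whose content differs is reported. The sample files and the tampered manifest are constructed for the demonstration.

```python
import hashlib
import tarfile
import tempfile
from pathlib import Path

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(root):
    # relative path -> SHA-256 digest for every file under root
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(Path(root).rglob("*")) if p.is_file()}

def create_backup(src, archive):
    # archive src and return the manifest; keep both offline, away from live systems
    manifest = build_manifest(src)
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(src, arcname=".")
    return manifest

def restore_test(archive, manifest):
    # extract into scratch space and compare with the manifest; [] means recoverable
    with tempfile.TemporaryDirectory() as tmp:
        with tarfile.open(archive, "r:gz") as tar:
            safe = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
            tar.extractall(tmp, **safe)  # refuse path traversal where supported
        restored = build_manifest(tmp)
    problems = []
    for rel, digest in manifest.items():
        if rel not in restored:
            problems.append(f"missing: {rel}")
        elif restored[rel] != digest:
            problems.append(f"corrupted: {rel}")
    return problems

def demo():
    # constructed sample data: a clean restore test, then one against a stale manifest
    work = Path(tempfile.mkdtemp())
    src = work / "data"
    (src / "sub").mkdir(parents=True)
    (src / "a.txt").write_text("invoices 2024")
    (src / "sub" / "b.txt").write_text("customer list")
    archive = work / "backup.tar.gz"
    manifest = create_backup(src, archive)
    tampered = dict(manifest, **{"a.txt": "0" * 64, "ghost.txt": "1" * 64})
    return restore_test(archive, manifest), restore_test(archive, tampered)
```

Run `restore_test` on a schedule against the offline copy, and treat any non-empty result as a failed backup rather than a warning.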

Multi-Factor Authentication (MFA)

Most of us may have heard of multi-factor authentication (MFA), but do we know when or how we should be using it?

As a starting point, MFA should be in place for:
1. Anyone accessing cloud email accounts
2. Anyone accessing your network remotely

Why Do We Need MFA If All Users Have Strong Passwords?

Unfortunately, passwords no longer provide enough security. Services available via the cloud (e.g. Microsoft 365, Google Workspace, etc) are particularly high risk.

We all know we should use strong, unique passwords; however, we all face the same challenge of trying to remember them. Therefore, as users are free to choose their own passwords, they may create passwords that can be easily guessed.

What’s more, they may use the same password for more than one application. We have all seen instances of third-party organisations such as Twitter being attacked and usernames and/or passwords being compromised. These may then be sold on the dark web for literally pennies. Before anyone is aware of any issues, log-in details may be sold for criminal use, increasing the risk of our systems being compromised.

Multi-factor authentication is simple and important. Whilst it doesn’t eliminate usernames or passwords, it adds a layer of protection to the sign-in process. It makes stealing your organisation’s information much harder for the average criminal.

Check List:

– When accessing cloud email accounts and/or your network, do your users provide additional identity verification (MFA), such as scanning a fingerprint or entering a code received by phone or mobile app?

– If you don’t already have MFA in place, you can enable it on most cloud/internet based services. There are also third-party suppliers that offer MFA utility through the use of SMS codes, unique codes and even hardware tokens.

Visit: https://www.ncsc.gov.uk/guidance/multi-factor-authentication-online-services, for advice on implementing multi-factor authentication (or two-factor authentication) to protect against password guessing and theft on online services.

Virtual Private Networks

It’s starting to get more technical now: VPNs! What are they and why do we need them?

VPNs are Virtual Private Networks: encrypted network connections. A VPN establishes a private network connection through a public network, such as the Internet, allowing remote users secure access to services. They add a very important layer of protection.

If employees access company emails and/or systems using Wi-Fi networks that aren’t in your control (e.g. in coffee shops, hotels, or their homes), they instantly become low-hanging fruit for cyber criminals. Allowing access to your private company network without a VPN significantly increases the risk of attack on that network.

Cyber attackers regularly ‘port scan’ the internet for visible remote-access services, such as Microsoft’s RDP (Remote Desktop Protocol). Any open RDP services will be constantly probed for weaknesses. A VPN enables you to hide your remote-access services and affords a good level of protection against such attacks.

Check List:

– Do you only allow remote access into your environment with a VPN?
– If you don’t currently have a VPN, you may just need to enable it on your own networking infrastructure (e.g. routers). There are also many third-party providers that offer VPN services.

Visit: https://www.ncsc.gov.uk/collection/end-user-device-security/eud-overview/vpns, for advice on choosing, deploying and configuring VPN technologies.

Cyber Security Training

‘Social engineering’ (the duping of humans) is by far the most prevalent cause of cyber breaches. Therefore, cyber security training is fundamental. Not only is this essential to comply with GDPR regulations, it is essential protection for your business. Your employees present the greatest cyber security risk of all. Employees are constantly at risk of exposure to electronic communications with third parties that may leave them open to attack. Whilst technical security measures, such as email gateways and EDR software, may afford some level of protection, these don’t negate the need for risk awareness training.

Cyber Risk Awareness = Reduced Risk Of Attack.

Check List:

– Do you regularly (at least annually) provide cyber security awareness training, including anti-phishing, to all individuals who have access to your organisation’s network or confidential/personal data?
– If you don’t, act now! The NCSC (National Cyber Security Centre) offers free cyber security training for staff, which includes an anti-phishing module. There are also many third-party providers that offer a range of cyber security training services.

Visit: https://www.ncsc.gov.uk/blog-post/ncsc-cyber-security-training-for-staff-now-available, where the NCSC’s free e-learning package ‘Top Tips For Staff’ can be completed online.

Software

Most operating systems make updating/patching very straightforward. For other software, the provider’s website or other channels will supply up-to-date critical patches and releases. Software providers typically announce when their software becomes unsupported/EOL (end of life). It is therefore imperative that we act on these communications so that systems can be remediated.

Check List:

– Do you implement critical patches and update systems as soon as practicable?
– Do you only use supported software and not any EOL (end of life) software?
If you don’t, ensure you have routine security procedures in place to receive and install software updates (patches) in a timely manner. Some patches add new features to the software; others fix issues such as instability or vulnerabilities that can be leveraged by cyber attackers. Vulnerabilities are constantly being discovered and corrected, which is why using unsupported or end-of-life software puts you at significantly greater risk.

Visit: https://www.ncsc.gov.uk/blog-post/time-krack-security-patches-out-again, to understand why patching is a fact of life in the digital age.

Scanning Incoming Emails

Email remains the top form of electronic communication for most companies, so it is not surprising that emails are the prime target for attackers. Email gateways quarantine or block potentially malicious emails, reducing the number of malicious messages that reach staff, and can help protect them from email threats like spam, viruses and phishing attacks.

Check List:

– Do you scan incoming emails for malicious attachments and/or links?
If you don’t, you can enable basic filtering and quarantining on most email platforms. There are also specialist mail gateway providers who may offer more robust solutions.

Visit: https://www.ncsc.gov.uk/guidance/phishing, to learn more about how to defend your organisation from email phishing attacks.

Anti-Virus Software

Anti-virus software products attempt to detect, quarantine and/or block malware from running on devices. Anti-virus, anti-malware and endpoint detection and response (EDR) tools aim to proactively remove malicious software, which tools like firewalls cannot do.

Check List:

– Do you protect all of your devices with anti-virus, anti-malware, and/or endpoint protection software?
If you don’t, use the following link to the National Cyber Security Centre’s (NCSC) website to learn about some of the many tools available.

Visit: https://www.ncsc.gov.uk/collection/mobile-device-guidance/antivirus-and-other-security-software, for advice on the selection, configuration and use of antivirus and other security software on smartphones, tablets, laptops and desktop PCs.


Call Us On 01384 442 165 (Monday – Friday 9am – 5pm) Or Visit Our Offices

We will gladly discuss and review your requirements, to help protect your financial interests and secure favourable insurance terms. If you have any more questions regarding Cyber Risk Mitigation Measures please don’t hesitate to ask.