Whilst cyber insurance can provide financial protection for your business, simply purchasing a policy isn’t enough to ensure that you are cyber secure. Over the past 12 months, there have been significant changes in the cyber insurance marketplace. Insurers are increasingly focusing on cyber risk mitigation measures. The unprecedented level of remote working triggered by the Covid-19 pandemic has highlighted some significant weaknesses.
When looking at other types of insurance, the risks can be far clearer. In high crime areas, we tend to know what steps need to be taken to protect our property. Primarily, we can lock and secure buildings by a combination of security measures. The level of security in place is usually proportionate to the nature and value of the risk. We have an awareness of the crime, arson and flood risks associated with certain areas. We tend to instinctively know where we would be comfortable parking our car, or walking alone at night. Where risks are clear for us to see and evaluate, we tend to be instinctively proactive in managing and mitigating our risk exposures.
Human intelligence and comprehension is the best defense against phishing attacks
The cyber landscape is very different. For each of us that has a computer and/or mobile device, we have no way of knowing when or how we might be the subject of a cyber attack. Cyber criminals tend not to be seen or heard. They lurk in dark, unregulated places on the internet. Of even greater concern, we may not even be aware that we have been attacked. At times, many weeks or months can pass before a breach is identified.
With a building, we know we can reduce our risk of attack by having good security measures in place. It’s usually soon apparent if unauthorised access has been gained. With our computer systems, it is so much more complicated. We are far more susceptible to human error. Email phishing campaigns are increasingly sophisticated. They are designed to lure us into clicking before we think rationally.
Covid-19 related phishing campaigns have resulted in an exponential increase in attacks on SMEs. No longer are cyber risks predominantly targeted attacks on large corporations. SMEs have never been more at risk from random attacks, with cyber criminals casting their nets very wide. The outsourcing of IT has led many companies to have a false sense of security. Ironically, it is the outsourced service providers who are more likely to be subject to a targeted cyber attack. Such attacks can have a significant financial impact on the SMEs they support.
In response to the trends of 2020 and early 2021, the cyber insurance marketplace is tightening up on the procedures they require to be in place as a condition of providing cyber and data breach insurance cover. Below are some examples of the measures that insurers are increasingly requiring to be in place, so as to mitigate risk.
1. Back-Ups
We all know we need to back up data critical to our business. However, it’s important that we don’t just assume that, because we are paying for back-ups, our data will be there if we need to restore it! Back-ups can fail and/or data can be rendered useless, thus limiting our ability to restore in the event of a cyber attack.
It is therefore essential:
1. To test back-ups, to ensure data is recoverable
2. To back up data to a cold, or offline, location, so that it is unaffected by an issue with your live environment. In the event of a cyber attack, back-ups that remain connected to the live environment can be compromised and their data corrupted.
– Who backs up your data?
– How frequently?
– What measures are in place to stop the corruption of your back-ups?
– Do you periodically test your back-ups to ensure recoverability in the event of a cyber attack?
Visit: https://www.ncsc.gov.uk/blog-post/offline-backups-in-an-online-world for advice on offline backups in an online world.
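As an added illustration of points 1 and 2 above (this script is not part of the original article or NCSC guidance), the following POSIX shell example takes a back-up of a constructed sample data set, records a SHA-256 manifest at back-up time, and then proves recoverability by restoring into a scratch directory and checking every file against that manifest. It assumes GNU tar and coreutils (`sha256sum`, `mktemp`); the manifest stands in for the copy you would keep offline, so a back-up silently replaced after the live environment was compromised fails the check.

```shell
# make_backup SRC_DIR ARCHIVE MANIFEST
# Archive SRC_DIR and write a SHA-256 manifest of every file it contained.
# The manifest should be stored with the offline copy, not beside the live one.
make_backup() {
  tar -C "$1" -cf "$2" .
  ( cd "$1" && find . -type f -print0 | sort -z | xargs -0 sha256sum ) > "$3"
}

# verify_restore ARCHIVE MANIFEST
# Restore the archive into a scratch directory and verify every file against
# the manifest. Prints OK or FAIL and returns 0 or 1. This is the "test your
# back-ups" step: an archive that exists but does not restore cleanly is FAIL.
verify_restore() {
  scratch=$(mktemp -d)
  if tar -C "$scratch" -xf "$1" 2>/dev/null &&
     ( cd "$scratch" && sha256sum -c --quiet "$2" >/dev/null 2>&1 ); then
    rc=0; echo OK
  else
    rc=1; echo FAIL
  fi
  rm -rf "$scratch"
  return $rc
}

# run_demo: constructed sample data (not real company files). The first
# verification passes. Then the live data is altered and the live archive is
# overwritten, simulating a back-up taken after the environment was
# compromised; checked against the manifest kept apart, it fails.
# Prints "OK FAIL".
run_demo() {
  work=$(mktemp -d)
  mkdir -p "$work/src/accounts"
  printf 'invoice 1001\n' > "$work/src/accounts/inv1001.txt"
  printf 'client list\n' > "$work/src/clients.txt"
  make_backup "$work/src" "$work/backup.tar" "$work/backup.sha256"
  good=$(verify_restore "$work/backup.tar" "$work/backup.sha256") || true
  # simulate corruption of the live data and of the back-up taken from it
  printf 'corrupted\n' > "$work/src/clients.txt"
  tar -C "$work/src" -cf "$work/backup.tar" .
  bad=$(verify_restore "$work/backup.tar" "$work/backup.sha256") || true
  rm -rf "$work"
  echo "$good $bad"
}
```

Run `run_demo` after sourcing the script; in a real environment, schedule `verify_restore` against each back-up set and treat any FAIL as an incident, not a warning.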
2. Multi-Factor Authentication (MFA)
Most of us may have heard of multi-factor authentication (MFA), but do we know when or how we should be using it?
As a starting point, MFA should be in place for:
1. Anyone accessing cloud email accounts
2. Anyone accessing your network remotely
Why do we need MFA if all users have strong passwords?
Unfortunately, passwords no longer provide enough security. Services available via the cloud (e.g. Microsoft 365, Google Workspace, etc.) are particularly high risk. We all know we should use strong, unique passwords; however, we all face the same challenge of trying to remember them! Where users are free to choose their own passwords, they may create passwords which can be easily guessed. What’s more, they may use the same password for more than one application. We have all seen instances of third-party organisations such as Twitter being attacked. Where usernames and/or passwords are compromised, these may then be sold on the dark web for literally pennies. Before anyone is aware of any issues, log-in details may be sold for criminal use, increasing the risk of our systems being compromised.
Multi-factor authentication is simple and important. Whilst it doesn’t eliminate usernames or passwords, it adds a layer of protection to the sign-in process. It makes stealing your organisation’s information much harder for the average criminal.
– When accessing cloud email accounts and/or your network, do your users provide additional identity verification (MFA), such as scanning a fingerprint or entering a code received by phone or mobile app?
– If you don’t already have MFA in place, you can enable it on most cloud/internet based services. There are also third-party suppliers that offer MFA utility through the use of SMS codes, unique codes and even hardware tokens.
Visit: https://www.ncsc.gov.uk/guidance/multi-factor-authentication-online-services, for advice on implementing multi-factor authentication (or two-factor authentication) to protect against password guessing and theft on online services.
3. Virtual Private Networks
It’s starting to get more technical now: VPNs! What are they and why do we need them?
VPNs are Virtual Private Networks. They are encrypted network connections. A VPN establishes a private network connection through a public network, like the Internet. VPNs allow remote users secure access to services. They add a very important layer of protection.
If employees access company emails and/or systems using Wi-Fi networks that aren’t in your control (e.g. in coffee shops, hotels, or their homes), they instantly become low-hanging fruit for cyber criminals. Allowing access to your private company network without a VPN significantly increases the risk of attack on that network.
Cyber attackers regularly ‘port scan’ the internet for visible remote-access services, such as Microsoft’s RDP (Remote Desktop Protocol). Any open RDP services will be constantly probed for weaknesses. A VPN enables you to hide your remote-access services and affords a good level of protection against such attacks.
– Do you only allow remote access into your environment with a VPN?
– If you don’t currently have a VPN, you may just need to enable it on your own networking infrastructure (e.g. routers). There are also many third-party providers that offer VPN services.
Visit: https://www.ncsc.gov.uk/collection/end-user-device-security/eud-overview/vpns, for advice on choosing, deploying and configuring VPN technologies.
4. Cyber Security Training
Since ‘social engineering’ (the duping of humans) is by far the most prevalent cause of cyber breaches, cyber security training is fundamental. Not only is this essential to comply with GDPR regulations, it is essential protection for your business. Your employees present the greatest cyber security risk of all. Employees are constantly at risk of exposure to electronic communications with third-parties that may leave them open to attack. Whilst technical security measures, such as email gateways and EDR software, may afford some level of protection, these don’t negate the need for risk awareness training. Cyber risk awareness = reduced risk of attack.
– Do you regularly (at least annually) provide cyber security awareness training, including anti-phishing, to all individuals who have access to your organisation’s network or confidential/personal data?
– If you don’t, act now! The NCSC (National Cyber Security Centre) offers free cyber security training for staff, which has an anti-phishing module within it. There are also many third-party providers that offer a range of cyber security training services.
Visit: https://www.ncsc.gov.uk/blog-post/ncsc-cyber-security-training-for-staff-now-available, where the NCSC’s free e-learning package ‘Top Tips For Staff’ can be completed online.
5. Patching and Software Updates
Most operating systems make updating/patching very straightforward. For other software providers, their website or other channels will provide up-to-date critical patches and releases. Software providers typically announce when their software becomes unsupported/EOL (end of life), and it is imperative that we act on these communications so that affected systems can be remediated.
– Do you implement critical patches and update systems as soon as practicable?
– Do you only use supported software and not any EOL (end of life) software?
If you don’t, ensure you have routine security procedures in place to receive and install software updates (patches) in a timely manner. Some patches add new features to the software and/or fix issues such as instability or vulnerabilities that can be leveraged by cyber attackers. Vulnerabilities are constantly being discovered and corrected, which is why using unsupported or end-of-life software puts you at significantly greater risk.
Visit: https://www.ncsc.gov.uk/blog-post/time-krack-security-patches-out-again, to understand why patching is a fact of life in the digital age.
6. Scanning Incoming Emails
Email remains the top form of electronic communication for most companies. It is therefore not surprising that emails are the prime target for attackers. Email gateways quarantine or block potentially malicious emails. They reduce the number of malicious messages and can help protect staff from email threats like spam, viruses and phishing attacks.
– Do you scan incoming emails for malicious attachments and/or links?
If you don’t, you can enable basic filtering and quarantining on most email platforms. There are also specialist mail gateway providers who may offer more robust solutions.
Visit: https://www.ncsc.gov.uk/guidance/phishing, to learn more about how to defend your organisation from email phishing attacks.
7. Anti Virus Software
Anti Virus software products attempt to detect, quarantine and/or block malware from running on devices. Anti-virus, anti-malware and endpoint detection and response (EDR) tools aim to proactively remove malicious software which tools like firewalls cannot do.
– Do you protect all of your devices with anti-virus, anti-malware, and/or endpoint protection software?
If you don’t, use the following link to the National Cyber Security Centre’s (NCSC) website to learn about some of the many tools available.
Visit: https://www.ncsc.gov.uk/collection/mobile-device-guidance/antivirus-and-other-security-software, for advice on the selection, configuration and use of antivirus and other security software on smartphones, tablets, laptops and desktop PCs.
If you would like to protect your business and have experts on hand to assist in the event of a cyber attack:
Contact Us Today For A FREE Cyber Insurance Quote
If you’re not sure what your requirements are, we will gladly discuss them with you to ensure that your financial interests are best protected. Please call us on 01384 442 165 (Mon-Fri, 9am-5pm), or email: firstname.lastname@example.org. We can provide same-day quotes for most cyber insurance risks.