We know everybody has filled out a cyber insurance application at some point. But the question is whether or not your business actually has those cyber security controls in place. The fewer you have these, the higher will your threat levels be.
If a claim happens, insurers will check and if you don’t really have what you say you have, your claim will be denied.
Employee Training for Cyber Security and Phishing Awareness
this is one of the most important things you should have. Not merely for compliance but for the security and reputation of your company. Remember that the biggest threats are ransomware attacks and those attacks are mainly targeting your employees. Hence, your employees must be continuously trained to protect your business.
MFA (Multi-Factor Authentication)
this is one of the top questions asked on most applications. What MFA does is provide more than one form of identification for your company data. It’s like opening a bank account or you’re doing a transaction with the government. Since you have potential access to sensitive information, they require more than one piece of identification. They may require 3 or 4 pieces of information for you to prove who you are. That’s the same thing that MFA does. Even if your username and password are compromised, a hacker still needs all the other additional information for them to access your data – that’s what MFA does for you.
one that identifies workplace hazards and gives you steps on reducing or eliminating those risks. In the past, this has been done annually for most organizations. But this has been modified where insurers expect it more frequently or quarterly.
this is a no-brainer. If you get ransomware, your data is lost, and your system is compromised. What will you do if you don’t have a backup?
There are two reasons why you really need to set up a backup for your business:
(1) Recovery of your data and systems takes time. How long can you afford to wait to get your data systems backed up? Is it an hour? A day? A week? How much money can you afford to lose while waiting to go back to work again? These are the questions you need to ask based on your backup solutions to deliver your requirements. Because we talk to a lot of organizations, and they say they have a backup but they really need to think about what’s important about the backup.
(2) Retention is needed because realizing you’re compromised is not immediate. How far back can you go in your backup if your system is compromised or your data is lost 30 days ago and you’re just realizing it now? Can you actually go back to that data prior to that 30 days and recover, or can you only get back a day or week of your data? About the breaches, they say it takes a company 190 days on average to identify they had a breach. So without proper backup, an insurer can cover the cost of cover, but you can’t recover something you don’t have.
“without proper backup, an insurer can cover the cost of covering, but you can’t recover something you no longer have (which is lost data)”
Email Security and Web Filtering
Remember, emails are the gateway to cyber threats, so these are important cyber security controls to have.
Endpoint Protection (EDR)
a lot of people think that an EDR is an anti-virus, but it’s not. EDRs have features that address wider security threats. The difference is like trying to look at a horse-drawn carriage and a sports car that we have today. It’s no comparison. They’re two different technologies. So, if you are not using EDR and only anti-virus, your threat levels are gonna be a lot higher.
PAM or Privileged Access Management
this is not the same as just logging in to a computer with just a username and password. What PAM does is that it actually addresses who you are, what you’re accessing, when you’re accessing, and where you’re accessing it from. It’s an advanced level of monitoring how your employees are interacting with your company and your company data.
Logging & Monitoring (SIEM or MDR)
this allows you to have a real-time monitoring analysis of events as well as tracking of security data for compliance and auditing purposes.
The most important takeaway for all of these is that security is not about each of these items but putting of all them together to solve a problem.
Predicting cyber threats is like putting a puzzle together. You have to have all the pieces to complete the puzzle. An IT support company may have knowledge of one or two of these controls, but a security-focused company will understand all the pieces and know how they fit together.
I hear too many conversations where “I have IT support” but the question is, “Do they have the knowledge of true security which you really need when you deal with cyber or any other compliance requirement?”
“…security is not about each of these items but by putting of all them together to solve a problem.”
Email security assessment
I mentioned email. Go to this web address, and it will give you a score on the security of your email. You go in, put your email address, and submit it. It’s going to send you an email and you’re gonna reply back to it.
The reason for this is it will score your vulnerability in your outgoing email, and your vulnerability email for your incoming email.
If you get a score of less than 800, reach out to me because we have some work to do. That’s actually our company’s score up there, 850. That is phenomenal for an organization. I don’t expect you to get that but I expect you to get close to that.
Everyone is bombarded by these phishing emails. That’s the most common way threat actors get into a system and is the root cause of an enormous amount of incidents. It’s a smart thing to be looked at.