Is Cyber-insurance worth it?

Apr 14, 2023 | News, Security

Every day we see stories in the newspaper about cyber-attacks. Years ago they seemed a bit remote, but lately they’ve been getting closer to home.


Many businesses are responding by taking out cyber-insurance.  But is it worth it?

When you sign up, you are asked to fill in a form, much like any other form of insurance.  We’ve seen these forms become increasingly demanding and complex.  It makes sense that many of our clients ask us to help them complete them, and we do so as a service.

Unfortunately, unless you complete these application forms accurately, you may find your insurance company doesn’t pay out on any eventual claim.

Even worse, unless you meet these insurer requirements, they may decline to offer you cover, or offer it only at a much higher premium.  After all, they are looking to minimise their risk, and just as they don’t want to insure houses that are subject to flooding, or young drivers in expensive cars, or any other obvious risks, they won’t want to cover you unless you are taking reasonable precautions.

Our first conclusion then is that cyber-insurance doesn’t make sense unless you are prepared to take reasonable steps to protect your organisation first, and to keep those steps in place.

So what are the reasonable steps required?

Here lies the challenge.  What counts as “reasonable” keeps changing, becoming more demanding and more costly.

It used to be that patching systems and keeping them up to date, good daily backups, and up-to-date antivirus was enough.

But that is no longer the case.

It is well understood that many breaches still occur through unpatched systems, so patching remains important.  However, attackers compromising a user’s credentials is increasingly common.  This might be through poor behaviours (simple passwords, reused or common passwords and the like), or it might be through trickery (‘social engineering’).

How can we stop credential-theft?

Firstly, two-factor or multi-factor authentication (MFA) is the number one defence.  Your insurance company will be looking to make sure this is rolled out for all users, on all devices, in your business.  But it is not infallible, so we need additional layers.

Strong, unique passwords mean you need a password vault (password manager).  It is practically impossible to have a unique and unguessable password for every site you use without one.  You should assume your email address and at least one or two of your passwords have already leaked onto the dark web somewhere.  Worse, when your data is exposed through a cyber-event on someone else’s site, your private data may end up in the hands of bad actors.  That’s why dark-web monitoring, which checks whether your credentials appear in known breach data, can help.
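To make the “your password has already leaked” point concrete, here is an added example (written for this article, not code from the original page or from any vendor’s product) of how a breached-password check behind dark-web or breached-credential monitoring can be done without ever sending the password, or even its full hash, to the checking service. It models the k-anonymity range approach: the client hashes locally, sends only the first 5 hex characters of the SHA-1 hash, the service returns every suffix it holds under that prefix, and the match is made on the client. The breach corpus, the counts and the function names are all constructed for the example.

```python
"""Breached-password check using the k-anonymity range model (added example).

Both sides of the exchange are modelled in one file so it runs offline:
  - "server" side: index leaked-password hashes by 5-char hash prefix
  - "client" side: hash the candidate locally, send only the prefix, match
    the remaining 35 hex characters locally.
The server therefore never learns which password (or which full hash) the
client was checking, only that it fell into a bucket of many hashes.
"""
import hashlib
from collections import defaultdict

# Constructed breach corpus for the example: password -> times seen in leaks.
# (A real service holds hundreds of millions of these.)
LEAKED_PASSWORDS = {
    "password": 9_000_000,
    "Welcome1": 250_000,
    "Summer2023!": 1_200,
    "letmein": 600_000,
}

PREFIX_LEN = 5  # hex characters the client is willing to reveal


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 of the password (the hash used by range APIs)."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(corpus):
    """Server side: map each 5-char prefix to the (suffix, count) pairs under it."""
    index = defaultdict(list)
    for pw, count in corpus.items():
        h = sha1_hex(pw)
        index[h[:PREFIX_LEN]].append((h[PREFIX_LEN:], count))
    return index


def range_lookup(index, prefix):
    """Server side: everything held for this prefix. The server only sees
    the prefix, so it cannot tell which suffix the client is interested in."""
    return list(index.get(prefix, []))


def breach_count(password: str, index) -> int:
    """Client side: hash locally, send the prefix, compare suffixes locally.
    Returns how many times the password appears in the corpus (0 = not found)."""
    h = sha1_hex(password)
    prefix, suffix = h[:PREFIX_LEN], h[PREFIX_LEN:]
    for cand_suffix, count in range_lookup(index, prefix):
        if cand_suffix == suffix:
            return count
    return 0


def password_verdict(password: str, index, min_length: int = 14):
    """Combine the breach check with a simple length floor.
    Returns (accepted, reason); the breach check runs first because a leaked
    password is unusable regardless of its length."""
    n = breach_count(password, index)
    if n:
        return False, f"seen {n} times in known breaches"
    if len(password) < min_length:
        return False, f"shorter than {min_length} characters"
    return True, "not found in known breaches"


if __name__ == "__main__":
    idx = build_range_index(LEAKED_PASSWORDS)
    for pw in ("password", "Summer2023!", "correct horse battery staple"):
        print(f"{pw!r}: {password_verdict(pw, idx)}")
```

A vault-generated password of 20 or more random characters will essentially never appear in such a corpus, which is the practical reason the article recommends a password vault: the check is only a safety net for the passwords people choose themselves.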

Education is another vital step.  The insurer will probably want to see regular awareness training and phishing testing in place.

What about outright system breaches?

It is easy to click on a link that takes you to an infected website.  Once there, malware can load on your device and spread through any network you are attached to.

An insurer will be looking for a range of tools to defend against this. These include:

  • EDR (Endpoint Detection and Response) is the new standard, in place of old antivirus tools.  More proactive, and using machine learning rather than only known-malware signatures, EDR works to detect abnormal activity on the device and shut it down.
  • Web browser protection: tools that check websites before you connect to them, comparing them against a database of known ‘bad’ sites and looking for other signs of danger.
  • Deep scanning of incoming emails makes sure they only contain links that are ‘safe’ to click on, and that attachments are fully tested before being passed on to you.

These are just a few of the requirements your insurer will be looking for.   But they will want a little more than that.

They will want to know that these protections are not only in place, but have been maintained and kept current.  You will need to be able to demonstrate a process for keeping them active.

The easiest way to do that is to have a regular reporting process that demonstrates cyber-compliance.

Make sure your IT team or partner can show this to you.

We’re confident our latest KARE reports are industry-leading at proving compliance, and our new KARE Foundation and KARE Security Plus packages offer best-in-class cyber protection, so you can be confident of your cyber-insurance protection.

It is important, because hackers ARE trying to steal your data, and while no one can guarantee security, we can make it harder for the hackers and easier for your cyber-insurer.