Qualifying for cyber security insurance – Part 2: Going down the checklist


Medieval fortified city of Carcassonne, France
88% of companies now consider cybersecurity a business risk. The time may come when the executives of a firm want to draw up their battle plans. They might have heard of a competitor who got affected and lost significant revenue. They might have seen or read a story in the news which raised an alarm, as so many stories around cyber attacks do these days. The time for action is now.
So how can a business get from a house built with straw and clay to a full-blown fortress with solid walls, watch towers and a strong roof? Below are some suggestions our team of consultants compiled to go from here to there.
BUILDING THE FORTRESS: THE ARCHITECTURE, THE BRICKS, MORTAR, THE WATCH TOWER AND THE ROOF.

Before we dive in, let’s step back for a moment. How do data breaches happen? What steps do hackers take before they breach, and what weaknesses are they looking for? If we can learn more about this, we can use that knowledge to make wise decisions around implementing the right IT infrastructure, so we can stay within our budget and make compliance doable for all employees.

Ancient Catapult
  1. Research: The cyber criminal looks for weaknesses in the company’s security. These comprise:
    • Looking for an unsecured network.
    • Looking for unsecured communication channels such as unencrypted emails.
    • Looking for outdated software which is missing a software patch.
    • Attempting to get access to user accounts through bugs in applications.
    • Taking possession of credentials and passwords. The hacker can be aided in this by software that runs through millions of the most popular credentials and tries them out on the system (think “12345” or “password”).
  2. Attack: The cyber criminal contacts the network or performs a social attack.
    • Network: uses one of the previously mentioned weaknesses to infiltrate the organization.
    • Social: attempts to trick or bait employees, via an email, into giving out their password or opening a malicious attachment.
  3. Prepare for extraction of data or control of the network: Once inside, the criminal plants a piece of malicious software, or malware, on the network.
  4. Exfiltration: Depending upon the type of malware in place, the criminal can track what a user types into a machine, or lock the system and demand a ransom from the company so they can regain access to their data. Once the hacker extracts the data or can show proof of having the data, the attack has been completed.
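The credential-guessing step above (software cycling through millions of popular passwords) leaves a recognisable trace in authentication logs: many failures from one source, spread across many accounts, in a short time. The following detector is an added example written for this article, not code from FCX or Thrive; the sshd-style log format and the sample lines are constructed for illustration, and the thresholds are assumptions a team would tune to its own environment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not from the original article); the sshd-style
# format and the documentation IP addresses are assumptions for the example.
SAMPLE_LOG = """\
2024-03-01T02:10:01Z sshd: Failed password for admin from 203.0.113.7
2024-03-01T02:10:03Z sshd: Failed password for root from 203.0.113.7
2024-03-01T02:10:05Z sshd: Failed password for backup from 203.0.113.7
2024-03-01T02:10:07Z sshd: Failed password for jsmith from 203.0.113.7
2024-03-01T02:10:09Z sshd: Failed password for mjones from 203.0.113.7
2024-03-01T02:10:11Z sshd: Failed password for guest from 203.0.113.7
2024-03-01T02:15:00Z sshd: Accepted password for jsmith from 198.51.100.4
2024-03-01T02:16:30Z sshd: Failed password for jsmith from 198.51.100.4
2024-03-01T02:16:40Z sshd: Accepted password for jsmith from 198.51.100.4
"""

LINE_RE = re.compile(r"^(\S+) sshd: (Failed|Accepted) password for (\S+) from (\S+)$")

def parse(log_text):
    """Yield (timestamp, outcome, user, source_ip) for every line that matches the format."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
            yield ts, m.group(2), m.group(3), m.group(4)

def find_credential_guessing(log_text, window=timedelta(minutes=5),
                             max_failures=5, min_accounts=3):
    """Return {source_ip: [accounts]} for sources whose failed logins inside one
    `window` exceed `max_failures` AND touch at least `min_accounts` distinct
    accounts. A single user mistyping their own password a couple of times
    (198.51.100.4 above) does not trip both limits; a tool cycling popular
    credentials across many users (203.0.113.7 above) does."""
    failures = defaultdict(list)  # source_ip -> [(timestamp, user)]
    for ts, outcome, user, ip in parse(log_text):
        if outcome == "Failed":
            failures[ip].append((ts, user))
    suspicious = {}
    for ip, fails in failures.items():
        fails.sort()
        # Slide a window forward from each failure; flag the first window that trips both limits
        for i, (start, _) in enumerate(fails):
            in_window = [u for t, u in fails[i:] if t - start <= window]
            if len(in_window) > max_failures and len(set(in_window)) >= min_accounts:
                suspicious[ip] = sorted(set(in_window))
                break
    return suspicious
```

Run against the sample log, only 203.0.113.7 is reported, together with the six accounts it tried; the legitimate user who failed once and then logged in is not.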

Now that we have gained insight into what cyber criminals are looking for and will do when attacking an organization, we can come up with a list of components a business must implement to build a castle that does not look appealing to pillagers.

  1. Network security which prevents unauthorized or malicious users from getting inside the network. Network security needs to take place on every single endpoint: PCs, laptops, smartphones and IoT devices.
  2. Internet security which is designed to monitor incoming internet traffic for malware as well as unwanted traffic. This protection may come in the form of firewalls, anti-malware, and anti-spyware.
  3. Applications, data, and identities are moving to the cloud. The traditional security stack will not protect this platform. Cloud security can help secure the usage of Software-as-a-Service applications and the public cloud.
  4. Application security diminishes the likelihood that criminals can gain access. It is an added layer of security which involves evaluating the code of an app and identifying the vulnerabilities that may exist within the software. This is coded into the software itself.
Also: Qualifying for cyber security insurance – Part 1: The Basics


Why Managed Security in the Cloud is a Superior Solution to On-Premise Services and Hardware in 2022
The role of IT staff, CTOs and IT Directors is changing yet again.
Himeji Castle, Japan

When going down memory lane, some of us may recall the role of an IT staff member in the 80s and 90s: it was a very hands-on position, this team member was an all-rounder and had the skills to manage mostly on-site devices themselves. In the early 2000s even more technical knowledge to manage the network was required, and very specific skills were needed. The IT team would start engaging and leveraging their partner carriers and IT manufacturers more and more. In the 2010s, a shift took place where IT executives needed to become advisors to the other C-suite members: IT technology had started to shift away from the local area network to the wide area network, managed by the cloud provider. Fast forward to the here and now, the 2020s: IT technology is now a core business driver, and most businesses have various IT projects ongoing all at the same time.

This brings us to cloud based and managed security solutions and why it seems wise right now to make a shift to managed security services.

Increased requirements to provide adequate cybersecurity cannot be met by internal staff alone.
    1. The majority of breaches happen on weekends and during holidays. Internal IT staff often cannot work around the clock. This matters because the average time to contain a breach is 80 days (IBM).
    2. It takes an average of 287 days to identify a data breach (IBM). Businesses deserve 365/24/7 monitoring by a network operations center.
    3. Organizations with more than 60% of employees working remotely had a higher average data breach cost than those without remote workers (IBM). It’s harder for IT teams to monitor remote workers.
Internal staff benefits from managed and cloud based security services:
    1. More time to spend on core initiatives that drive revenue rather than worrying about security.
    2. It’s challenging to keep up with certifications and monitoring when attacks are becoming more and more sophisticated.
    3. Focus on staff education, communication and design of virtual desktop space to prevent breaches from happening in the first place.
Compliance is becoming more stringent.
  1. All businesses in New York State, for example, need to be in compliance with the SHIELD Act. Businesses in the financial and healthcare industries require compliance to continue to do business. Managed security providers will explain which compliance requirements are met when a new subscriber considers enrolling with their service.
  2. Fines and penalties for non-compliance are an avoidable expense.

Improving Cyber security posture, the Risk Assessment and the Penetration Test
Chess figures

The Center of Information Security, a not-for-profit organization “harnessing the power of global IT community to safeguard public and private organizations against cyber threats”, has compiled a Control list to serve the public. This list is stringent and therefore compatible with the trusted HIPAA, NIST and ISO 27001 frameworks.

The Control List is part of a whitepaper Thrive Networks Inc. has compiled and can be downloaded here

When working in tandem with FCX and Thrive, the organization will be taken through this Control List as well as a Risk Assessment, so a map can be drawn pointing out strengths and points of improvement for the organization, with the goal of qualifying for cyber insurance in mind. FCX does this in conjunction with Thrive to save the IT team precious time; the initial conversation of drawing up this map and completing the assessment will only take up to 60 minutes.

In addition, CISA, The Cybersecurity & Infrastructure Agency, has made available the Cyber Essentials Starter Kit for any US based business to use. And FINRA has made available a Small Firm Cybersecurity Checklist as well.

Besides a map and an action plan which can be drawn up as a result, various providers offer penetration testing services. This test is a controlled attack performed by an ethical hacker for the purpose of discovering weaknesses in the system. The ethical hacker works to replicate the work of criminal hackers and provides the organization with a report of their findings.

After the organization has drawn up a plan of action, FCX can assist in finding the right IT solutions, in order of importance, which fit within the budget and on the team’s timeline. We will work in tandem with the cyber security broker to make sure all standards are met and the coverage required can be obtained.
