Every month we write a new blog post that discusses the security threats your business faces and recommends the steps you can take to protect your business against them. Alongside these threats to data security and business continuity, we’ve also talked about how cybersecurity insurance policies are getting more expensive, and how underwriters are raising their security and auditing requirements for policyholders. This is one area we know from direct experience.
Just like you, we have to renew our cybersecurity insurance policy every year. We have to fill out the expanded questionnaires and we see the rising prices for an insurance policy we cannot afford not to have. We even have to submit to security audits. Yes, the auditors get audited too.
We know from firsthand experience what you’re going through. We know the effort required to gather the information requested in the insurance application questionnaires. We know what it’s like to have “outsiders” snooping around your network looking for vulnerabilities. Our pain is your gain. We incorporate our learnings from being audited ourselves into our procedures for auditing your company. Our goal is to not only help you increase your security and pass your audits, but also to make that process as easy as possible and to help you lower your insurance rates.
The first step to a smooth cybersecurity insurance policy renewal is knowing your risks. Here’s a recap of some key threats to your business:
- Phishing Attacks
Many attacks are still launched via phishing email. One employee clicking on a link in a phishing email can launch a ransomware attack that shuts down an entire company. We see the largest attacks in the press, yet 82% of ransomware attacks target small businesses. Why? Large attacks may garner large payouts, but they also attract the attention of law enforcement. Remember the Colonial Pipeline ransomware attack that disrupted gasoline supplies on the east coast? After the company paid 70 Bitcoin in ransom, the FBI was able to track down and seize 64 Bitcoin. Most criminals prefer to fly under the radar. Attacking 100 small businesses is easier and less risky than going for one big score. There is no single silver bullet to address this risk. It requires configuring your email software to flag suspected phishing emails. It requires training your employees to scrutinize the details of emails before clicking on links inside them. It requires up-to-date endpoint detection and response (EDR) technology to detect suspicious behaviors and isolate the infected PC from the rest of the network.
- Insecure Passwords
Sadly, passwords are still with us even though they have long outlived their usefulness. In fact, passwords are now a major security risk rather than a protection. With the rise of remote work, password insecurity is a significant entry point for malware. RDP, the protocol that allows employees to remotely connect to a desktop inside the office, is a major gateway for criminals to launch attacks because once they steal a password, they have easy access to the corporate network. If your business still uses passwords, enforcing strong password requirements is an immediate first step. Password managers should be used to help employees remain productive even while using many unique, strong passwords. The best approach is to migrate away from passwords to multi-factor authentication (MFA). As with other areas, there are no silver bullets. MFA implementations vary in their effectiveness, and each requires proper configuration to thwart attackers. In response to poorly configured MFA implementations, criminals have developed MFA prompt bombing attacks, which are similar to phishing attacks. The attackers pretend to be a trusted service requesting an MFA authentication. When the user responds to the request, the attackers use that authentication to compromise the system. Simply having any MFA infrastructure isn’t enough: you need a quality MFA solution that is properly configured against MFA prompt bombing, combined with user training and endpoint detection and response capabilities.
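The prompt bombing pattern described above shows up in authentication logs as a burst of push prompts to one user, often followed by an approval after several denials or timeouts. As an added example (not code from the original post or any MFA vendor), this Python scans constructed sample log lines in an assumed key=value format and flags that pattern per user:

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines (not from any real product); assumed format:
# "<ISO-8601 UTC> user=<name> event=mfa_push_<sent|denied|timeout|approved>"
SAMPLE_LOG = """\
2024-03-04T08:01:02Z user=alice event=mfa_push_sent
2024-03-04T08:01:20Z user=alice event=mfa_push_denied
2024-03-04T08:01:35Z user=alice event=mfa_push_sent
2024-03-04T08:01:51Z user=alice event=mfa_push_timeout
2024-03-04T08:02:04Z user=alice event=mfa_push_sent
2024-03-04T08:02:22Z user=alice event=mfa_push_approved
2024-03-04T08:05:10Z user=bob event=mfa_push_sent
2024-03-04T08:05:18Z user=bob event=mfa_push_approved
"""

PUSH_THRESHOLD = 3             # pushes within WINDOW that count as a flood
WINDOW = timedelta(minutes=5)  # sliding window for counting pushes

def parse_line(line):
    ts_str, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ"), kv["user"], kv["event"]

def find_prompt_bombing(log_text, threshold=PUSH_THRESHOLD, window=WINDOW):
    """Flag users who got `threshold` or more pushes inside `window`; an approval
    after earlier denials/timeouts is the strongest sign the user was worn down."""
    recent = defaultdict(list)     # user -> timestamps of pushes inside the window
    rejections = defaultdict(int)  # user -> denials/timeouts since last approval
    alerts = {}
    for line in filter(None, log_text.splitlines()):
        ts, user, event = parse_line(line)
        if event == "mfa_push_sent":
            q = recent[user]
            q.append(ts)
            while ts - q[0] > window:  # expire pushes that fell out of the window
                q.pop(0)
            if len(q) >= threshold:
                a = alerts.setdefault(user, {"pushes": 0, "rejections": 0, "approved_after_rejections": False})
                a["pushes"] = len(q)
        elif event in ("mfa_push_denied", "mfa_push_timeout"):
            rejections[user] += 1
        elif event == "mfa_push_approved":
            if user in alerts:
                alerts[user]["rejections"] = rejections[user]
                alerts[user]["approved_after_rejections"] = rejections[user] > 0
            rejections[user] = 0       # a clean approval resets the rejection count
    return alerts
```

On the sample, alice is flagged with three pushes and an approval after two rejections, while bob's single prompt and approval is normal. Tune the threshold and window to your own MFA product's logging before relying on it.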
- Poor IT Hygiene
Everyone knows that PCs and servers need regular updating. Vendors are constantly finding and closing security vulnerabilities, and for most of us this is now an automated process. But what about all the other devices on your network? Printers, routers, cameras, access points, and many other devices all have network access. Do you have a process to regularly update the firmware of those devices? The Log4J security vulnerability that we discussed in a previous blog was magnified by the extent of its impact: hundreds of millions of devices incorporated this open-source library into their firmware. Without an up-to-date inventory of the devices on your network and their firmware versions, you really can’t be in control of your cybersecurity risks. Network segmentation is another critical part of good hygiene. A few years ago, criminals broke into the network of a major retailer and stole customer payment information. The subsequent investigation determined that stolen network credentials belonging to a company providing heating, air conditioning, and ventilation services were used to access the network. Which raises the question: why would an HVAC contractor’s network credentials be allowed to reach payment systems? With proper network segmentation, stolen credentials have limited reach, allowing IT to minimize the damage.
- Not Planning for Disaster
Despite best efforts, occasionally disaster strikes. Just as the safest driver can sometimes be hit from behind at a stop light, sooner or later your business will suffer a similar fate. Insurance companies know that companies that have a disaster recovery plan (and know how to use it) can resume operations more quickly than companies that don’t. The less disruption, the less the insurance company has to pay – which is why it’s in your best interest to have an up-to-date disaster recovery plan. Not only can it save your business when disaster strikes, but it can also save you money when it’s time to renew your insurance policy. Whether it’s a cyberattack or a water leak, being able to demonstrate that you already have a plan to respond to business disruptions and quickly return to operation is an essential part of any IT operation.
- First Steps
Improving security is a process, so the most important thing you can do is decide to take the first step. If you’d like to learn more about which security procedures insurance companies expect your business to have implemented before they will insure you, you can watch our August 2022 webinar 6 THINGS YOU NEED TO KNOW ABOUT COMMON INSURANCE UNDERWRITER REQUIREMENTS. In it, we discuss the risks of failing to pass your cybersecurity insurance policy review, what insurance underwriters are looking for, and how these changes will impact your business.
If you’ve already decided that upping your cybersecurity game is something you cannot put off any longer, schedule a security risk assessment to learn what your biggest risks are and the steps you can take to address them. The sooner you start the process, the further along you’ll be when you inevitably face your next insurance policy renewal and its accompanying security audit.