When it comes to cyber liability insurance, prevention is the key to coverage. Remember that cyber insurance—just like auto or home insurance—is there “if” something happens. We do our best when driving our cars or in our homes to prevent accidents from occurring, so why not have the same approach at work to prevent cyber incidents? In this case, prevention looks a little different than safe driving and smoke detectors.
As a cybersecurity professional, I assembled a list of what I believe are the top 10 things every company should do to potentially reduce their premium for cyber insurance while building resiliency in their systems and improving their overall security posture.
1. Conduct an annual comprehensive risk assessmentThis will help identify your cyber risk, just like you would identify crumbling foundation or fire hazards. But identifying risks doesn't mean much without taking the next step—so be sure your risk assessment is followed by a detailed plan of action.
2. Perform comprehensive external and internal penetration tests at least annually
Penetration testing is required by most compliance standards and frameworks—and for a good reason. The best way to find gaps is to have a professional identify them. Annual testing is really the bare minimum and most organizations should plan to do it more frequently, or consider an ongoing penetration testing strategy like PenLogic™.
3. Use multi-factor (MFA) authentication wherever it is available
This is one of the simplest, yet most effective, actions that any organization can take to protect themselves. If you're not enabling it, you're essentially leaving your doors unlocked.
4. Enforce a strong password/passphrase policy
Much like MFA, password policies are simple to implement and extremely effective. Follow standard policies and be sure to enforce them.
5. Implement a least-privileged access model
It's just like it sounds—people should only have the access they need to do their job. Granting sweeping access to entire companies or departments leaves more room for human error.
6. Ensure all systems are routinely patched
Patches and updates are essential, yet can easily fall by the wayside. Leverage a continuous vulnerability system (like Nodeware) that scans your network for vulnerabilities so you're never exposed.
7. Encrypt data at rest and data in transit
Think about it like locking data in a vault, and using an armored vehicle during transport—keeping data protected no matter where it resides.
8. Require security awareness training
It's still true that with all the security risks out there, your weakest link is still your people. Teaching them the basics, and also building a culture of cybersecurity within your organization, will help to greatly reduce risk.
9. Create and update policies
Policies are critical to being able to set a standard and enforce it. Policies supply the framework for how things should be done but they do not define how to do them. A process or procedure should accompany a policy as it details the “how to.” If you don’t have written policies, it is hard to build a repeatable process and you end up with “This Is How We Do It.” (Apologies to Montel Jordan)
10. Mandate secure remote access or VPN connection
With remote work here to stay, this is more important than ever. Using home networks or public WiFi networks can increase risk and exposure—but ensuring secure remote access can reduce this risk.
When you implement these elements into your organization, you are demonstrating due care and due diligence—which insurance providers like. You are showing the insurer that your company has cybersecurity built into its culture and that people throughout the organization are committed to keeping your company secure.
Some may say that the list is daunting and not achievable for a company their size. To them I say, all of these recommendations are achievable and should scale to your business. There are also many low-cost and open-source solutions available to help overcome some of the financial concerns.
If you are not sure where to start or in which direction to go, our team of knowledgeable and seasoned security professionals are here to help guide you through the challenges of securing your organization from today’s complex cyber threats. Contact IGI Cybersecurity for more information about our suite of cybersecurity services.