The Top 5 Security Controls & Incidents Impacting Cyber Insurance

January 20, 2022

Cyber insurance preparedness is about more than the coverage itself. Every organization needs some degree of coverage; the exact amount depends on your tolerance for risk and the likelihood of a claim. Insurers are also demanding far more transparency than they used to. They want to know where you've been (past incidents) and what you have (the controls in place). And there's no guarantee the policy will cover everything affected by an incident.
Sounds depressing. That's why we will walk through five questions from a cyber insurance application to illustrate the bigger picture. A few quick hints: technology is just one part of the equation, and a tech stack that satisfies these questions also improves your marketing appeal.

#1 – In the past three years, did you have a breach that compromised customer, client, or employee confidential or personal information?

This is a “yes” or “no” question, and they want details. According to Ivanti (as of July 2021), “Nearly three-quarters (74%) of respondents said their organizations have fallen victim to a phishing attack in the last year, with 40% confirming they have experienced one in the last month.”
If you can respond “no,” you’re lucky, but current trends suggest luck is not a long-term strategy.
A large share of breaches begin with a phishing email, and, per the statistics cited below, nearly half of recipients take the bait and click a link that hands the attacker an initial foothold. This happens to companies of all sizes, and the common factor is people and behaviors that leave expensive security tools with nothing left to stop.
Source: Top 10 SMB Breach Statistics

#2 – Do you have an information security training plan that includes annual training and orientation of employees, contractors, and third-party vendors?

Some questions are word salads, and this one is no exception. (It’s a word salad bar.) If they mean security awareness training and standard employee onboarding activities, detailed in most current Acceptable Use Policies (AUP), this is an easy “yes.”
AUPs typically spell out all the rules: call to verify the identity of email senders, no webmail or third-party file share sites for company business, do not download unauthorized software, etc.
The marketplace is also overflowing with Software as a Service (SaaS) training solutions from companies like KnowBe4, Infosec IQ, and Proofpoint.
These companies combine cyber security education with ethical phishing, reporting, and ongoing testing to assess progress. And the programs are continuously updated and automatically administered to new employees. Dozens of others are reviewed on TrustRadius.
I would ask your insurance provider for clarity on how this applies to vendors. Do they expect you to pay for software training licenses? Or is the scope of training much narrower for third parties? These concerns make it harder to respond with a blanket “yes.”
It may be easier to work with peer-level vendors who are already doing this on their own.

#3 – Do you implement Multi-factor Authentication (MFA) on all business-critical accounts (e.g., administrator accounts, accounts with access to customer or employee data, etc.)?

If you don’t, this is an easy fix, and it won’t break the bank. It’s 9:24 AM, and I’ve already used MFA to log into our network and two other accounts that are not connected to our organization.
How does MFA work? Once I submit my email address and password, I am prompted by a pop-up to enter a verification code sent to me via text. Not all second factors are equal, though: a code delivered by SMS can be intercepted through SIM swapping and, like a code from an authenticator app, can be relayed by a phishing page in real time, whereas a FIDO2 security key or platform authenticator (passkey) is bound to the genuine site and resists both. Where the service offers an authenticator app or a security key, prefer it over text messages.
And I can’t count the number of times I’ve received a text verification when cyber crooks were trying to log into my private accounts from other parts of the country. All I did was click on the red X to block access. It was empowering but scary to know I was on someone’s radar. Unfortunately, we’re all on someone’s radar. A code or approval prompt that arrives when you are not logging in means your password is already in someone else's hands: deny it, change the password, and report it.
Learn More: Is MFA Worth the Cost?
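To make "how does MFA work" concrete, here is an added example (not code from the original article or from any vendor it mentions) of the time-based one-time password scheme, TOTP per RFC 6238, that authenticator apps implement. The SMS code described above is simply a random number the server generates and stores; the app variant shown here instead derives the code from a shared secret and the clock, so nothing has to be sent to the phone. The secret and timestamps are the RFC 6238 Appendix B test vectors, so the expected codes are known; the `verify_totp` function and its drift and replay handling are this example's own design, not a particular product's.

```python
"""
TOTP (RFC 6238) generation and server-side verification, as used by
authenticator apps. Added illustration, not code from the original article
or from any insurer or vendor it mentions. Standard library only; the secret
and timestamps are the published RFC 6238 Appendix B test vectors.
"""
import hashlib
import hmac
import struct
import time

# RFC 6238 reference secret (ASCII "12345678901234567890"). A real service
# generates a random per-user secret and shares it once, e.g. via QR code.
RFC_SECRET = b"12345678901234567890"

STEP_SECONDS = 30   # authenticator apps rotate the code every 30 s
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HMAC-based OTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian
    counter, then 'dynamic truncation' to a decimal code of `digits` digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # low nibble picks the window
    window = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(window % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = STEP_SECONDS,
         digits: int = DIGITS) -> str:
    """TOTP is HOTP with the counter replaced by the current time step."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, submitted: str, unix_time: int,
                last_accepted_step: int = -1, skew: int = 1,
                step: int = STEP_SECONDS, digits: int = DIGITS):
    """Server-side check. Returns the time step the code belongs to if it is
    valid, otherwise None.

    - Tolerates `skew` steps of clock drift on either side of 'now'.
    - Refuses any step at or before `last_accepted_step`, so a code that was
      already used (or phished and replayed) cannot be accepted twice.
    - Compares in constant time to avoid leaking digits through timing.
    The caller must persist the returned step as the new last_accepted_step.
    """
    current = unix_time // step
    for candidate in range(current - skew, current + skew + 1):
        if candidate <= last_accepted_step:
            continue
        if hmac.compare_digest(hotp(secret, candidate, digits), submitted):
            return candidate
    return None


if __name__ == "__main__":
    now = int(time.time())
    code = totp(RFC_SECRET, now)
    print("code for this 30-second window:", code)
    step = verify_totp(RFC_SECRET, code, now)
    print("accepted at step", step)
    # A second submission of the same code is a replay and must be refused.
    replayed = verify_totp(RFC_SECRET, code, now, last_accepted_step=step)
    print("replay accepted?", replayed is not None)
```

The two details that matter in practice are in `verify_totp`: accept one step of drift so a phone whose clock is slightly off still works, and record the step of every accepted code so the same six digits cannot be submitted twice, which blunts a code captured by a phishing page once the victim has already used it.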

#4 – Do your employees have separate accounts for day-to-day business operations (e.g., checking email, etc.) and administrative functions (e.g., apply system updates, etc.)?

The insurance company wants to see a layered approach in which everyday activity and privileged activity run under different identities, so a compromised day-to-day account does not carry administrative rights.
What if someone in the IT department reads email with an account that is also a domain or local administrator and clicks on a phishing attachment? The malware now runs with those privileges, and from that foothold it can reach every endpoint the account is allowed to administer.
Ideally, each person has a standard account for email and browsing and a separate administrative account that has no mailbox and is used only for administrative tasks, with MFA enforced on both.
According to Identity Theft Resource Center, “The number of recorded data breaches in 2021 has exceeded the total number of events in 2020 by 17%, with 1,291 breaches in 2021 compared to 1,108 breaches in 2020.” And this figure was quoted in October of 2021.
Pardon the cynicism in advance: it’s best to assume they’re going to get in, so it’s advisable to put additional obstacles in their path.

#5 – Does your organization currently use any SolarWinds products?

SolarWinds, an IT management software company, has been all over the news since December 2020. The company was at the center of a supply-chain intrusion, attributed by the US government to Russia's foreign intelligence service (SVR), in which a backdoored update to the SolarWinds Orion platform reached roughly 18,000 customers and was used to go deeper into about 100 organizations, including nine US federal agencies. (The company was not renamed: its MSP product line was spun off in 2021 as N-able, whose RMM product is N-central, and those tools were not the vehicle for the attack.)
MSPs use SolarWinds and N-able software to monitor, manage, and secure client IT systems, so the insurer is trying to gauge that exposure. While no attack should be minimized, some perspective is warranted.
As per FireEye, “Despite the compromise of 18,000 SolarWinds customers, the attacks were limited to the networks of 50 companies. And Microsoft experts only identified about 40 customers who were victims.”
Learn More: Companies Affected by SolarWinds Hack

What’s Next?

Insurance companies are understandably concerned about exposure. However, no organization is immune to cyberattacks.
Hundreds of other technology providers and mainstream companies (insurance providers too) have been breached or will be.
Your best defense is a combination of strategic technology, training, documentation that demonstrates due care, and evidence you’ve addressed any root causes of past failures (if relevant) and emerged stronger than ever.
Your MSP can help you tie all of this together with exhibits that make you stand out from companies that aren’t as organized and candid. Lead with security. It’s on everyone’s mind.

Jed is a Solution Advisor at Integris who has specialized in MSP solution development, sales, and marketing communications since 2003.
