Minimizing cybersecurity insurance problems is a hot topic right now.
Gone are the days when completing cybersecurity insurance questionnaires was relatively simple. You could answer five basic IT questions, and you were approved.
Thanks to the explosion of ransomware, insurance companies have a new approach. They’re asking tougher questions, and they sound like network engineers.
Integris recently encountered a client who couldn’t renew their policy until verifying that Multi-Factor Authentication (MFA) was active for Virtual Private Network (VPN) access and all Microsoft accounts.
VPN settings matter. After all, the infamous Colonial Pipeline shutdown of 2021 began with a compromised password for a legacy VPN account that had no MFA.
The following eight product categories are part of the insurance industry’s newly expanded scope of inquiry. We should know. Integris vCISOs help clients complete their applications all the time.
#1 – Advanced Threat Protection (ATP) Minimizes Cybersecurity Problems
You know insurance companies are becoming IT subject matter experts when they ask about Advanced Threat Protection from Microsoft (now sold as Microsoft Defender for Office 365).
While we typically recommend Proofpoint (because it's more comprehensive), the game has changed when insurance carriers name specific security tools as if they were Chief Information Security Officer (CISO) insiders.
Learn More: The Cybersecurity Landscape 2021
#2 – Backups Strengthen Cybersecurity
Backups should be frequent, mirrored, geographically diverse, tested, verified, encrypted and cloud-based.
Insurance companies have a keen interest in reducing single points of failure. The cloud can help. Local, network-attached storage is fine as long as it’s integrated with cloud solutions that remove the physical risk.
Encryption takes the safety measures a step further. Even if threat actors infiltrate your systems and steal a backup copy, encrypted data is unreadable without the key, so store the keys separately from the backups themselves and out of reach of the credentials that can delete or overwrite them.
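The "tested" and "verified" items on that list are the ones most often skipped, so here is an added example, written for this article and not taken from any backup product, of what a restore test looks like in code. It backs up a small constructed directory to a tar.gz with a SHA-256 manifest, restores it to a scratch location, and checks every file against the manifest; it also refuses archive entries that would write outside the restore directory, a common weakness in hand-rolled restore scripts. The file names and contents are constructed sample data, and the function names are this example's own. Encryption and off-site copies are outside its scope.

```python
"""Added example (not from the article or any backup vendor): back up a directory
to a gzip tarball with a SHA-256 manifest, then prove it is restorable by
extracting to a scratch directory and checking every file against the manifest."""
import hashlib
import io
import json
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    digest = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file (path relative to root, POSIX form) to its SHA-256 digest."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def create_backup(src: Path, archive: Path) -> dict:
    """Write every file under src into the archive plus a sidecar manifest.
    Keep the manifest with the off-site copy, not only beside the live data."""
    manifest = build_manifest(src)
    with tarfile.open(archive, "w:gz") as tar:
        for rel in manifest:
            tar.add(src / rel, arcname=rel)
    sidecar = archive.parent / (archive.name + ".manifest.json")
    sidecar.write_text(json.dumps(manifest, indent=2))
    return manifest


def safe_members(tar: tarfile.TarFile):
    """Yield archive entries, refusing any that could write outside the restore
    root: absolute paths, '..' components, symlinks or hardlinks."""
    for member in tar.getmembers():
        name = Path(member.name)
        if name.is_absolute() or ".." in name.parts or member.issym() or member.islnk():
            raise ValueError(f"unsafe archive entry: {member.name}")
        yield member


def restore(archive: Path, dest: Path) -> None:
    # Use the stdlib 'data' extraction filter too, where this Python version has it.
    extra = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    with tarfile.open(archive, "r:gz") as tar:
        tar.extractall(dest, members=safe_members(tar), **extra)


def verify_tree(root: Path, manifest: dict) -> list:
    """Compare a restored tree with the manifest; an empty list means it matches."""
    actual = build_manifest(root)
    problems = [f"missing: {p}" for p in manifest if p not in actual]
    problems += [f"extra: {p}" for p in actual if p not in manifest]
    problems += [f"mismatch: {p}" for p in manifest
                 if p in actual and actual[p] != manifest[p]]
    return sorted(problems)


def run_restore_test() -> tuple:
    """Constructed sample: three files are backed up, restored and verified; then
    one restored file is altered to show the verification catching it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        src = root / "src"
        (src / "finance").mkdir(parents=True)
        (src / "notes.txt").write_text("quarterly plan\n")
        (src / "finance" / "ledger.csv").write_text("date,amount\n2021-05-07,100\n")
        (src / "finance" / "policy.pdf").write_bytes(b"%PDF-1.4 constructed sample")

        archive = root / "backup.tar.gz"
        manifest = create_backup(src, archive)
        dest = root / "restore"
        restore(archive, dest)
        clean = verify_tree(dest, manifest)

        (dest / "notes.txt").write_text("quarterly plan (edited)\n")
        tampered = verify_tree(dest, manifest)
    return clean, tampered


def traversal_is_rejected() -> bool:
    """Build an in-memory archive with a '../' entry and confirm restore refuses it."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        info = tarfile.TarInfo("../escaped.txt")
        payload = b"outside the restore root"
        info.size = len(payload)
        tar.addfile(info, io.BytesIO(payload))
    buf.seek(0)
    with tarfile.open(fileobj=buf, mode="r:gz") as tar:
        try:
            list(safe_members(tar))
        except ValueError:
            return True
    return False


if __name__ == "__main__":
    print(run_restore_test(), traversal_is_rejected())
```

In a real schedule the restore target is a clean machine or isolated network, not the source host, and the manifest travels with the off-site copy so that verification does not depend on the system you are trying to recover.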
#3 – Endpoint Detection and Response (EDR) Minimizes Cybersecurity Problems
EDR is considered a form of ATP. Some major solutions include McAfee MVISION EDR, CrowdStrike Falcon Insight, VMware Carbon Black Cloud Endpoint, and FireEye Endpoint Security.
In a nutshell, EDR has two main functions: collecting actionable telemetry and insights by casting a wide net across diverse endpoints, and remediating threats in real time.
The approach adds value because it flags behaviour-based indicators of attack that are too new or too unusual for signature-based security tools to recognize.
Learn More: EDR Definition & Examples
#4 – Endpoint Protection Platforms (EPP) Harden Cybersecurity
EPP refers to anti-virus and anti-malware solutions that detect and block file-based malware, malicious scripts, and other malicious activity on the endpoint.
Frequently bundled into many of the EDR offerings mentioned above, most of the same companies and other top-ranked peers appear in the Gartner Magic Quadrant for Endpoint Protection Platforms:
- Symantec Endpoint Protection
- Kaspersky Endpoint Security
- McAfee Endpoint Security
- Microsoft Defender Antivirus
- Trend Micro Apex One
Although it seems redundant to list this separately, insurance companies give EPP a separate line item.
#5 – Multi-Factor Authentication (MFA) Minimizes Cybersecurity Problems
MFA puts an extra step into the user login experience. Once a user submits their user ID and password, the system prompts for a second factor: a one-time code from an authenticator app, a code delivered via text or voice, a push approval, or a hardware security key.
It's effective because a threat actor who has stolen or guessed the password still cannot complete the login without that second factor. Not all factors are equal: codes sent by text or voice can be intercepted through SIM swapping, and one-time codes of any kind can be relayed by a real-time phishing proxy, so hardware keys (FIDO2/WebAuthn) are the strongest option where they can be deployed. MFA is nonetheless a powerful safeguard against a variety of cyberattacks, credential stuffing and password spraying in particular.
Learn More: MFA Cyber Protection Deeper Dive
#6 – Patching Fortifies Cybersecurity
Insurance companies demand increased vigilance regarding regularly scheduled and emergency patching.
Patching gaps are the second leading cause of ransomware infiltration. (Social engineering is the number one culprit.)
While your organization may be actively updating software, fixing bugs, addressing vulnerabilities, and implementing system updates, the vendors, partners and other associates with access to your systems may be less disciplined.
#7 – Password Management Enhances Cybersecurity Readiness
Yellow stickies, Excel spreadsheets, and Outlook contact records are not secure repositories for password storage.
Each medium is easy to compromise. And since over 60% of people use the same password for multiple accounts, the breach of one account can lead to the breach of several dozen or more.
Stored documents are a target too. A cyber crook who infiltrates your network can locate your cybersecurity insurance policy, identify exact coverage amounts, and know how much money to demand BEFORE launching an attack on your company.
LastPass, 1Password, Dashlane, and Keeper are just a few password management solutions your insurance company would love to see mentioned on your application. “Love” may be too strong a word. They want you to have something in place.
#8 – Vulnerability Scanning Minimizes Cybersecurity Problems
How often are you testing, tracking, documenting, and improving the security of your digital estate?
Engaging an independent third party to stress test your defenses (penetration testing alongside automated scanning) is highly recommended. This discipline strengthens your ability to demonstrate proof of due care, and you may get more favorable rates as your scores improve.
According to Roger Grimes of KnowBe4, the world’s first and largest new-school security awareness training and simulated phishing platform, businesses can expect the following bad news regarding insurance:
- Significantly higher premiums
- Less coverage
- More outs
- Fewer options
- Stronger requirements
Learn More: Stricter Cyber Insurance Coverage Trends
Every company has to find a balance that works for their budget and industry-specific risk.
On one hand, you need to check off several boxes to appease your insurance provider.
On the other hand, even the most advanced (and expensive) security tools don't stop users from responding to fairly low-tech social engineering tactics, still the primary method attackers use to break in.
Human error causes over 95% of data breaches. This trend is one of the main reasons companies like KnowBe4 are so successful in changing user behavior.
You can engage with KnowBe4 directly or pay the same amount for Integris to administer KnowBe4 (or something similar) on your behalf.
Here's to ensuring your IT system requirements align with your insurance coverage.