How do I demonstrate effective cybersecurity to insurers and what are the minimum requirements?
Clients are often asked by their insurers to demonstrate that they meet certain standards: that preventative measures are in place and that they can respond swiftly in the face of an attack. Let us walk you through the cyber insurance industry’s minimum requirements, from Zero-trust to EDR to MFA all the way to simple patch management.
What is a Zero-trust model?
Zero-trust is based on the principle ‘never trust, always verify’. It is a security approach that assumes any user, device or network segment may already be compromised, so nothing is trusted simply because it sits inside the corporate network: every request for data or applications is authenticated, authorised and checked against policy, and those checks are repeated on an ongoing basis rather than once at login. Many insurers now ask for evidence of this approach as part of the policy application process.
How do I protect my devices?
The two key ways to protect your devices are Endpoint Detection and Response (EDR) software and Multi-Factor Authentication (MFA). These are minimum requirements for many cyber insurers.
Endpoint Detection and Response (EDR) software should be deployed on every device at the edge of the network, for example desktops, laptops, tablets, mobile phones and servers. These devices are known as endpoints. EDR continuously records what happens on each endpoint (processes started, network connections, file changes), detects suspicious behaviour and responds, for example by stopping a process or isolating the device from the network. Insurers now expect EDR to be in place and written into the incident response plan, because it gives a single view across all endpoints and can contain attacks that spread across multiple devices.
Multi-Factor Authentication (MFA) is now a standard security measure and cyber insurers will look for businesses that use it. For remote users to access business systems, apply more than one lock: users should authenticate with a combination of two or more independent factors, for example something they know (a password or PIN) together with something they have (a one-time code from an authenticator app or hardware token) or something they are (a fingerprint). MFA does not stop a password being stolen or guessed, but it means a stolen password alone is not enough to log in, which is why insurers expect it on remote access and on administrative accounts in particular.
What Backup Procedures do I need in place to qualify?
A good backup can massively reduce the impact of a ransomware attack on a business, both financially and in terms of downtime. Because of this, cyber insurance providers are rapidly making certain backup standards a minimum requirement for the businesses they insure.
Minimum requirements for protecting cloud backups include: multi-factor authentication (MFA) on the backup accounts and console, keeping the backup separate from the rest of the network (segmentation), encrypting the backup data (encryption), and scanning backup contents for malicious software (malware scanning). Some insurers set further minimum requirements for how backup data is held: keeping at least one copy in a highly secure environment where users cannot change or delete it for its retention period (immutable), holding data in locations known to the organisation (using audits to catalogue them), or keeping a copy offline.
It is imperative that backups are kept apart from day-to-day business operations, so that an attacker who compromises production systems, or ransomware that encrypts them, cannot reach the backups as well.
How do I monitor accounts for breaches?
Identity and Access Management (IAM) controls who can access which systems, with what permissions and for how long; it tracks and controls user activity through sets of rules and policies. How deep this goes depends on the technology a business uses. For instance, it can cover defining access rights by role, monitoring failed and successful login attempts, and granting temporary (ad-hoc) privileges to users as required. IAM is used to minimise the risk of a potential attack, and its login records are what you review to spot an account under attack.
Privileged Access Management (PAM) protects the most critical systems and data by keeping an overall view of, and control over, the accounts with the highest privileges (domain administrators, root, service accounts). The risks to privileged accounts can be minimised through PAM: amongst other functions, it closely guards access to crucial data (for example by vaulting administrator credentials and granting elevated rights only when needed), and it audits activity on key accounts so that there is a record to work from in the case of an incident. A subcategory of IAM, PAM is a key minimum requirement not just for cyber insurers but also for complying with privacy and data protection laws.
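An added example (not from the original article or from Bean IT) of the monitoring the IAM paragraph describes, and of the privileged-account auditing the PAM paragraph mentions: a sliding-window review of failed and successful logins per source address over constructed OpenSSH-style log lines. It flags repeated failures against one account (brute force), failures spread across several accounts (password spraying), and a success that follows a burst of failures, here a root login, which is the case a privileged-account audit cares most about. The log lines, host name, account names, addresses (RFC 5737 documentation ranges) and thresholds are all assumptions for the example; the same logic applies to VPN, RDP or cloud console logs once a parser for their format is substituted.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Constructed sample of OpenSSH-style authentication log lines (not real data).
# Addresses are from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
Mar 12 10:01:03 bastion sshd[2231]: Failed password for root from 203.0.113.7 port 51234 ssh2
Mar 12 10:01:05 bastion sshd[2233]: Failed password for root from 203.0.113.7 port 51236 ssh2
Mar 12 10:01:08 bastion sshd[2235]: Failed password for root from 203.0.113.7 port 51240 ssh2
Mar 12 10:01:11 bastion sshd[2237]: Failed password for root from 203.0.113.7 port 51244 ssh2
Mar 12 10:01:14 bastion sshd[2239]: Failed password for root from 203.0.113.7 port 51248 ssh2
Mar 12 10:01:20 bastion sshd[2241]: Accepted password for root from 203.0.113.7 port 51252 ssh2
Mar 12 10:02:02 bastion sshd[2250]: Accepted publickey for alice from 198.51.100.4 port 40022 ssh2
Mar 12 10:03:30 bastion sshd[2260]: Failed password for invalid user admin from 203.0.113.9 port 60001 ssh2
Mar 12 10:03:33 bastion sshd[2262]: Failed password for bob from 203.0.113.9 port 60003 ssh2
Mar 12 10:03:36 bastion sshd[2264]: Failed password for carol from 203.0.113.9 port 60005 ssh2
Mar 12 10:04:10 bastion sshd[2270]: Failed password for alice from 198.51.100.4 port 40031 ssh2
Mar 12 10:04:15 bastion sshd[2271]: Accepted publickey for alice from 198.51.100.4 port 40033 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


@dataclass
class AuthEvent:
    ts: datetime
    result: str   # "Failed" or "Accepted"
    method: str   # "password", "publickey", ...
    user: str
    ip: str


def parse_line(line: str, year: int = 2024) -> Optional[AuthEvent]:
    """Parse one sshd auth line; syslog omits the year, so one is assumed."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return AuthEvent(ts, m["result"], m["method"], m["user"], m["ip"])


def analyse(lines: List[str], window: timedelta = timedelta(minutes=5),
            brute_threshold: int = 5, spray_users: int = 3,
            success_after: int = 3) -> List[Dict[str, str]]:
    """Sliding-window review of login attempts per source address.

    Raises one alert per (kind, ip) for: repeated failures against one account
    (brute force), failures spread across several accounts (password spraying),
    and a successful login that follows a burst of failures (likely compromise).
    """
    events = [e for e in map(parse_line, lines) if e is not None]
    events.sort(key=lambda e: e.ts)
    recent_failures: Dict[str, List[AuthEvent]] = defaultdict(list)
    fired = set()
    alerts: List[Dict[str, str]] = []

    def fire(kind: str, ev: AuthEvent, detail: str) -> None:
        if (kind, ev.ip) not in fired:
            fired.add((kind, ev.ip))
            alerts.append({"kind": kind, "ip": ev.ip,
                           "at": ev.ts.isoformat(), "detail": detail})

    for ev in events:
        # Keep only this source's failures that fall inside the window.
        recent = [f for f in recent_failures[ev.ip] if ev.ts - f.ts <= window]
        if ev.result == "Failed":
            recent.append(ev)
            per_user: Dict[str, int] = defaultdict(int)
            for f in recent:
                per_user[f.user] += 1
            worst_user = max(per_user, key=per_user.get)
            if per_user[worst_user] >= brute_threshold:
                fire("brute_force", ev,
                     f"{per_user[worst_user]} failures against {worst_user}")
            if len(per_user) >= spray_users:
                fire("password_spray", ev,
                     f"{len(per_user)} accounts tried: {sorted(per_user)}")
        elif len(recent) >= success_after:
            fire("success_after_failures", ev,
                 f"{ev.method} login as {ev.user} after {len(recent)} failures")
        recent_failures[ev.ip] = recent
    return alerts


if __name__ == "__main__":
    for alert in analyse(SAMPLE_LOG.splitlines()):
        print(alert)
```

On the sample the single failure from 198.51.100.4 followed by a key-based success raises nothing, while the root login from 203.0.113.7 after five failed passwords does; that last alert is the one to escalate, since it indicates a password that was eventually guessed on a privileged account.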
What about Patch Management?
It may be last on our list, but don’t underestimate the importance cyber insurance companies place on good patch management. To make sure your patch management stands up to review, ask yourself: How often do you install patches, and how quickly after a vendor releases them? How regularly do you refresh the inventory of your operating systems and applications? Within your organisation, have you listed all security controls (for example antivirus, EDR software, firewalls), prioritised the assets and classified the risks? These are only some of the questions used to assess a business’s susceptibility to cyber attacks.
Cyber insurance policies used to be straightforward to obtain. However, as cyber attacks evolve, becoming more sophisticated and more frequent, the minimum requirements insurers demand in order even to qualify for a policy are following suit.
Here at Bean IT, we are committed to helping your business achieve the necessary security measures to comply with Cyber Insurer’s requirements. Get in touch today to see how we can help.