The Ohio Business Guide to Cyber Insurance Part 2: Maintaining Your Coverage
Cyber insurance has become a go-to strategy for businesses of all sizes that want protection against the pervasive threat of cybersecurity intrusion and data loss. A relatively new concept, cybersecurity insurance has risen dramatically in popularity in just the last few years, with over 71% of midmarket businesses now purchasing some form of insurance.
Cyber insurance is not a solution to all your security problems, a topic we explored in a previous blog post, but it has provided a valuable backstop against catastrophe. This valuable form of protection is getting harder to maintain, however, as the insurance industry faces uncertainty.
Driven by the work-from-home trend, ransomware attacks surged by over 400% in 2021, causing insurers to scale back coverage, raise premiums, and require strict new standards to purchase coverage. What should Ohio businesses be doing to keep their cyber insurance policies? Let’s take a deep look.
Secure Network Access on Every Endpoint
An often-overlooked aspect of cybersecurity, Identity and Access Management or “IAM,” is a set of technologies and processes for granting appropriate access to users in your organization. Properly configuring roles and access levels for each type of user limits how far an intruder can move inside your network if the network perimeter is breached.
IAM, and its cousin Privileged Access Management (PAM), can restrict high level access to your network resources, and are now areas of particular interest for cyber insurers conducting an audit.
Why? Because although it seems obvious, unsecured privileged (administrator) accounts are still a widespread problem at businesses both big and small, providing skilled hackers with unfettered access to your network and data.
At the bare minimum, businesses should implement multi-factor authentication (MFA) on their most privileged accounts. But organizations that house sensitive customer data or valuable intellectual property should be enforcing MFA on each network endpoint and complementing those protections with logging and auditing software, so they have a full accounting of how users are navigating their systems.
Focus on Data Privacy and Compliance
A good rule of thumb applies to purchasing and maintaining cyber insurance: the more sensitive data your organization houses, the more a potential insurer will see you as a target of cyberattack. That leads to higher standards and scrutiny during the insurance audit process.
Even businesses that don’t have explicit regulatory compliance requirements like HIPAA or PCI-DSS are now de facto expected to observe data privacy standards, like GDPR and CCPA, each of which have rigorous standards for how personal information is collected and managed in your systems.
Do you have a clear sense of the scope and location of the sensitive data housed in your network? If not, it’s an excellent place to start improving your own protections and demonstrating to insurers that you have a strong foundation for security. They’ll want to see both that you’re prepared to discuss data security, including how vendors, supply chain partners, and customers are allowed to access sensitive data, and the schedule of your own internal security audits.
Is All Your Sensitive Data Encrypted?
For businesses that haven’t implemented it yet, data encryption is another important tool in assuring cyber insurers that sensitive data is safe from prying eyes. Keeping algorithms up to date, properly storing encryption keys, and ensuring that all your cloud vendors pair encryption with responsible key management can all help demonstrate cyber maturity to an insurance company.
According to Cybersecurity Insiders, 63% of organizations feel that privileged account access is the number one insider cybersecurity risk.
Implement a Reputable Cybersecurity Framework
Cybersecurity shouldn’t be a guessing game. There are several cybersecurity frameworks available that organizations can use to guide their efforts and ensure their sensitive systems receive the right level of attention and control.
Here at Astute Technology Management, we recommend the Center for Internet Security (CIS) framework as a great place to start. Unlike the National Institute of Standards and Technology (NIST) framework, which has a complex and open-ended design, the CIS framework is relatively straightforward to understand and makes an excellent guidepost for small and midsized businesses.
While the CIS model is made up of 18 separate controls and 153 safeguards, according to CIS 85% of cybersecurity attacks could be mitigated by just implementing the first group, known as the basic controls:
- Document Network Management Processes
Gaining visibility over all the devices connecting to your network is an ideal place to begin preparing your network for an insurance audit. During this initial phase, you’ll want to create a catalog of all your hardware and software assets, then document the related processes: how you add or remove systems, patching and updating procedures, procedures for removing users, and so on.
- Audit Existing Security Controls
Determining the efficacy of existing controls is crucial to making concrete improvements. You can’t improve what you can’t measure, right? To complete this phase, businesses should document how they process and respond to security intelligence, along with the configurations of their network endpoints and their security software.
- Improve Perimeter Defenses
With a clear sense of your devices and existing controls, you can now start to limit network access and egress, configure firewalls to restrict ports and protocols and logically segment your network to prevent unrestricted lateral movement.
- Monitor and Analyze Security Logs
Regularly analyzing logs helps your organization detect suspicious activity early before hackers can cause damage. It also ensures strong security compliance trails, which can help you avoid fines and convince cyber insurers that your business is taking the appropriate steps.
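As an added illustration of the log monitoring step above, and of the earlier point about pairing MFA on privileged accounts with auditing, the following Python script is example code written for this article rather than part of the CIS framework or any vendor tool. It runs two checks over a handful of constructed authentication log lines: a burst of failed logins for a user from one source that is then followed by a success, and a successful login to a privileged account that did not use MFA. The log format, the account names, the addresses, and the five-failure threshold are all assumptions made up for the example.

```python
import re
from collections import defaultdict

# Constructed sample lines in a simplified "key=value" auth-log style.
# They are not from any real system; the format is an assumption for this example.
SAMPLE_LOG = """\
2024-05-01T08:00:01 auth result=fail user=jsmith src=203.0.113.7 mfa=no
2024-05-01T08:00:04 auth result=fail user=jsmith src=203.0.113.7 mfa=no
2024-05-01T08:00:07 auth result=fail user=jsmith src=203.0.113.7 mfa=no
2024-05-01T08:00:09 auth result=fail user=jsmith src=203.0.113.7 mfa=no
2024-05-01T08:00:12 auth result=fail user=jsmith src=203.0.113.7 mfa=no
2024-05-01T08:00:15 auth result=success user=jsmith src=203.0.113.7 mfa=no
2024-05-01T08:05:00 auth result=success user=admin-dba src=10.0.0.5 mfa=no
2024-05-01T08:06:00 auth result=success user=admin-net src=10.0.0.9 mfa=yes
2024-05-01T08:07:00 auth result=fail user=amiller src=198.51.100.2 mfa=no
2024-05-01T08:08:00 auth result=success user=amiller src=10.0.0.20 mfa=yes
"""

# Constructed list of privileged accounts; in practice this comes from your IAM/PAM inventory.
PRIVILEGED_ACCOUNTS = {"admin-dba", "admin-net"}

# Number of consecutive failures from one (user, source) pair that makes a later success suspicious.
FAIL_THRESHOLD = 5

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth result=(?P<result>\w+) user=(?P<user>\S+) "
    r"src=(?P<src>\S+) mfa=(?P<mfa>yes|no)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match the expected format."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def analyze(log_text):
    """Return a list of findings, in log order, for the two checks described above."""
    findings = []
    # Consecutive failure count per (user, source); reset on each success.
    fail_counts = defaultdict(int)

    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue  # unparseable lines are skipped; a real pipeline would count them
        key = (ev["user"], ev["src"])

        if ev["result"] == "fail":
            fail_counts[key] += 1
            continue

        if ev["result"] == "success":
            # Check 1: success right after a run of failures from the same source.
            if fail_counts[key] >= FAIL_THRESHOLD:
                findings.append({
                    "type": "success_after_failures",
                    "ts": ev["ts"],
                    "user": ev["user"],
                    "src": ev["src"],
                    "failures": fail_counts[key],
                })
            fail_counts[key] = 0

            # Check 2: a privileged account logged in without MFA.
            if ev["user"] in PRIVILEGED_ACCOUNTS and ev["mfa"] == "no":
                findings.append({
                    "type": "privileged_login_without_mfa",
                    "ts": ev["ts"],
                    "user": ev["user"],
                    "src": ev["src"],
                })
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f)
```

Run as a script it prints two findings: the jsmith success that followed five failures from the same address, and the admin-dba login without MFA. The amiller lines produce nothing, because the single failure came from a different source than the later success and that success used MFA. The failure counter here has no time window; a production detector would count failures within a sliding window and reset stale entries so that a handful of typos spread over a week does not trip it.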
It’s worth noting that securing administrator and other sensitive accounts (privileged accounts) is also part of the basic CIS controls. Want to know more? Read the full text of the CIS framework.
20 Years of Cybersecurity Support for Ohio Businesses
Does your business want to lower cyber insurance premiums and ensure continuing coverage? We’ve been helping businesses in Columbus, Cincinnati, and Cleveland maximize the impact of their cybersecurity initiatives for over 20 years and we’d love to help your organization!