The list of cybersecurity controls that insurance providers either require or recommend is constantly evolving due to the ever-changing cyberthreat landscape. Small businesses that do not regularly evaluate their cybersecurity posture and implement modern controls could be face higher insurance premiums or be denied for coverage. So what are the most commonly required or recommend controls that underwriters look for when reviewing a small business?
Multi-Factor Authentication –
Passwords have been the main type of authentication to access accounts and systems for years. But we know passwords are far from impervious to attack. Multi-Factor Authentication (MFA) or Two Factor Authentication is an extra layer of security that uses a combination of 2 or more pieces of information to verify identity. These are usually a mixture of something you know, like a pin number or a password. Something you have, like an app on your phone or key card for an office door. Or something you are, like your fingerprint. MFA should be viewed as the new bare minimum approach to securing your business accounts. Enabling MFA is a simple process and Microsoft states that MFA can prevent 99.9% of Business Email Compromise attacks.
Endpoint Detection & Response –
An Endpoint Detection & Response (EDR) solution can be considered “modern antivirus’ and it works a lot like a security guard. EDR software continuously watches your computers and servers for signs of potential threats. Threats like phishing attempts, ransomware, and denial of service attacks. The bonus of EDR is that this “virtual security guard” will observe and stop these types of attacks automatically. Before they can spread from one device to the rest of your network. EDR will learn how your employees use their devices and will notice out of the ordinary behavior. If a user, file, or program begins to act suspiciously, EDR will detect and prevent any changes.
Employee Training –
In today’s small business world, employee email accounts are full of hazards that could lead to a cybersecurity incident. That is why it is essential that employees are trained to protect data and spot threats. But training can be difficult to coordinate and ineffective if it only occurs once or twice a year. One of the best ways to ensure that your employees can protect your organization is with ongoing cybersecurity awareness training. This approach to security education helps your business create a cybersecurity culture and develop employee accountability. Security awareness training will give your staff the tools to navigate the digital world, recognize threats, and respond to them properly. All on an automated schedule that you can control and adjust as needed.
A Security Operations Center (SOC) and a Security Incident & Event Management (SIEM) system are strategies that work jointly to monitor networks and identify potential data breaches. A SOC combines expert security personnel, technology, and processes to monitor networks and endpoints around the clock. The goal of the SOC is to proactively detect and remediate cyber threats to mitigate risk & damage. A SIEM system is used by members of the SOC as a central hub to visualize the data and alerts that point to suspicious network activity or potential cyber threats.
Business Continuity & Disaster Recovery –
BCDR, or Business Continuity & Disaster Recovery, is a system that ensures a company’s ability to continue daily operations if impacted by an unexpected incident or disaster that takes down core business systems. Think of it as an advanced backup solution. We often see businesses implement either business continuity OR disaster recovery, but not always both. Unless the two are combined, you do not have an intelligent backup solution and could be facing significant downtime in the wake of a cyberattack, hardware failure, or disaster like fire or flood.
Software Patching –
Patching is the practice of filling the holes found in information systems after they have been released to the public. A common example of patching would be Microsoft’s regular Windows updates. These updates are used to eliminate bugs and fix vulnerabilities found in current operating systems, software, firewalls, and more. Businesses should consider implementing a patch management schedule to automate the patching process and ensure that all devices are always up-to-date.
It is important to remember each insurance provider is different and this is not a complete list of security controls that providers look for during a review. Industry specific providers may also review controls such as user & file access, remote access procedures, technology segmentation, password management, email security, spam filtering, legacy technology, and end of life software. If your small business is looking to improve its cybersecurity posture or lower cyber insurance premiums, reach out to us today!