It feels like a never-ending loop: cyberattacks become more sophisticated, so cyber security pivots to beat them. Rinse. Repeat. According to Statista, roughly 73% of the world’s companies paid out a ransom for data recovery due to a ransomware attack, which is wild considering the year isn’t even over. With cyber threats continuing to adapt, businesses also have to. While the adage is “the best defense is a good offense,” today we’re going to focus on a fairly achievable defense, albeit a proactive one: cyber insurance.
To be clear, while cyber insurance is excellent at defending a company from financial or reputational loss, it only supports existing cyber security and is not a security measure itself.
What is Cyber Security Insurance?
In the unfortunate event of a cyberattack, cyber security insurance will protect a company when general liability insurance cannot (as not all general liability policies include cyber threat coverage). These unique policies will cover costs for risks like data breaches, loss of income from business interruptions, legal liability from privacy breaches, notifying affected parties, and other consequences. Some companies also provide third-party protection if a cyberattack opens you to lawsuits from business partners or customers.
How to Prepare
If you start looking into cyber insurance companies and policies, some may include, or even require, a risk assessment to make sure you’re properly protected. It’s a nice perk to have a detailed assessment, but it also runs the risk of your being declined coverage if your organization’s security isn’t actually up to par. To help you prepare, here are some typical cyber security insurance requirements that a provider might expect, so you know what to have in place if you want to go this route:
You know what multi-factor authentication (MFA) is. We’ve all been annoyed by having to grab a code texted or emailed to us and plug it into our website so we can access the backend for updates or something. Annoying as they are, they’re a brilliant necessity for keeping unwanted fingers off of your business’s most sensitive data. Most cyber insurance companies ask for MFA in three critical areas:
- Your SaaS or Hosted Services: Since modern businesses are heavily reliant on these platforms, like email services or SharePoint online, you need to make sure that only authorized personnel can access them.
- Remote Access (VPN): Remote work has more sensitive information going home, so VPNs are becoming fundamental to safe business operations, and MFA means only the right people can get in from their home office, coffee shop, back patio, or wherever they’re working.
- Internal Admin or Privileged Access: While it was convenient not having MFA every time an admin needed to access internal servers, it’s no longer safe, and those privileges now demand tighter security.
Covering these critical areas with MFA is simple. At worst, it involves some growing pains and a few calls between IT and the less tech-savvy; at best, it prevents billions of dollars’ worth of data theft.
Security Awareness Training
Some insurance companies out there only recommend training, but others are starting to demand it. The end-user, who is anyone accessing their emails or the internet from a workstation, can become your first line of defense against cyber threats. Education from industry leaders like KnowBe4 finds ways to make the learning experience engaging, with practical application of the skills through gaming and regular testing that hones your team’s ability to assess potential cyberattacks and, most importantly, report them. While the best programs require investment, we generally find them worth it, whether you need it for insurance purposes or not.
“Next-Gen” isn’t tacked on here like some buzzworthy, tech-selling adjective. This next phase in the security evolution is also becoming a necessary cyber security insurance requirement to qualify for coverage from most providers. Without going too deeply into next-gen antivirus (NGAV), it takes a more proactive approach to defending your systems. Traditional antivirus waits for the cyberattack to happen, references it against a list of known threats, and then reports it if it knows what the threat is. NGAV, by contrast, is always looking for odd behaviors, files, and the like and reporting back so IT can find a potential problem before it becomes a dumpster fire your company needs to put out. With plenty of pricing options available, whether from legacy antivirus vendors or new providers, you can hunt around to see what suits your company’s size and needs.
Most cyber insurance providers want assurance that you have a secure, offsite backup to protect your most sensitive files for recovery and redundancy purposes. Whether through a cloud server upload or physically transporting disk drives or tape, keeping a version of your files inaccessible to the primary system can immunize your data against cyberattacks. In the event of an attack, the offsite data can help speed up your recovery process, possibly saving you thousands (upon thousands) of dollars from liability and downtime as you get back on track. Offsite backups can get expensive, but there are plenty of price points to choose from, depending on how you want to approach backing up your information. Big and small businesses can benefit from investing in this last line of defense.
Being proactive to prevent attacks instead of reacting seems like an obvious approach to cyber security. Unfortunately, many companies forget or are still unaware that cyber insurance can play a factor in their preparedness. Thankfully, the above four measures are fairly easy to implement, and there is a wide range of price points available. Prioritizing those steps can help limit cyber risks while qualifying your business for most insurance policies, should you decide you want one. Plus, if you get insurance, then if and when you have to submit a claim, you’ll be more likely to be approved and get help faster once they audit you and find all your bases covered. (Note: the cyber security insurance requirements have to continue to be met in order for the policies to continue to be valid.) If you’re not sure where to start with setting up in any of those four areas, get in touch with us. Our team of cyber security experts knows what’s at risk and how to prioritize defending your business in the digital age.