As cyber-attacks become more sophisticated and frequent, businesses are turning to cyber insurance policies as a means of protection. Increasingly, CISOs and boards of directors are eager to take advantage of “risk transference” as part of a holistic cyber risk management strategy. However, the cost of such policies can often be a significant concern for organizations. Indeed, many organizations are now finding that, without proof that the controls detailed here are implemented, they are completely unable to procure a cyber insurance policy.
Here are our top ten tips for getting your IT operations to a level of maturity at which cyber insurance can be secured at a cost that is not prohibitive:
Tip 10: Patch Your Systems Regularly
It may seem like “old news” but it's still not easy to get this right. The regular patching of systems and software (that means servers, mobile devices, printers, network devices and other peripherals) is critical for reducing the risk of cyber-attacks. By applying patches, you can reduce the likelihood of vulnerabilities being exploited by attackers. Regular patching demonstrates to your cybersecurity insurance provider that you are getting the basics right. Failure to do this will not send a good message to an insurance specialist.
Tip 9: Implement Multi-Factor Authentication (MFA)
MFA is a proven method of reducing the risk of cyber-attacks. By implementing MFA, you can reduce the likelihood of successful attacks that rely on stolen passwords. This simple yet effective control can help lower your cybersecurity insurance cost, as it demonstrates your business's commitment to identity security, arguably the most important aspect of a cyber security strategy.
Tip 8: Use Encryption Wherever You Can
Encryption is a critical control for protecting sensitive data, both at rest and in transit. By encrypting data, you can reduce the impact of data breaches and demonstrate your commitment to data protection. For example, according to legal scholars, losing encrypted personal data is exempt from GDPR regulation. Implementing this control can lead to lower cybersecurity insurance premiums, as it lowers the potential cost of legal liability.
Tip 7: Implement Privileged Access Management (PAM) Practices
PAM is a critical control for reducing the risk of cyber-attacks that target privileged accounts - the keys to the kingdom. By implementing modern PAM practices, you can ensure that only authorized individuals have access to privileged accounts and activities. PAM includes processes and technologies for managing privileged identities, access, and activities, such as password vaults, session management, and least privilege. Recent successful high-profile cyber-attacks have occurred through a lack of maturity in this area and insurance companies are now asking questions about this best practice.
Tip 6: Create Redundant and Reliable Backups
Another baseline - backups. Creating redundant backups of critical systems and data is a proven method of reducing the impact of cyber-attacks, especially ransomware. By creating multiple backups, you can ensure that you always have access to critical data, even if one backup is compromised. This control can demonstrate to your cybersecurity insurance provider that you are taking a proactive approach to security, which can lead to lower premiums. Ensure that your backups are encrypted, stored “offline” and regularly tested (a backup is only as good as your ability to restore it – and insurers know it).
Tip 5: Conduct Regular Access Review Campaigns
Regular access reviews are an essential control for ensuring that access is granted only to those who need it. By conducting regular access reviews, you can identify and remove unnecessary access and ensure that users have only the access they need to perform their job. A good Identity Governance and Administration (IGA) solution can help to automate and govern this practice and generates the paper trail so you can show your work.
Tip 4: Protect your Active Directory
Implementing security controls to protect your Active Directory is critical to reducing the cost of cybersecurity insurance. Active Directory is a central authentication and authorization service used by most organizations, and it is a prime target for cyber-attacks. By implementing access controls like delegation, Just-In-Time access, credential rotation, password vaulting and MFA, Active Directory can turn from a security liability to a genuine fortress for your organization.
Tip 3: Use Risk-Based Authentication
Risk-based authentication is a powerful tool for reducing the risk of cyber-attacks that target authentication systems. By using risk-based authentication, you can ensure that users are required to provide additional authentication factors when their behavior or activity is deemed risky. This allows for (mostly) frictionless access for most of your workforce (and customers), while providing strong protection against widespread attack vectors, such as credential stuffing attacks.
Tip 2: Conduct Regular Penetration Testing
Regular penetration testing is an essential control for identifying and addressing potential security weaknesses. By conducting regular penetration testing, you can identify vulnerabilities before attackers can exploit them. Regular penetration testing demonstrates to your cybersecurity insurance provider that you are taking a comprehensive and systematic approach to security.
Tip 1: Establish an Incident Response Plan
Establishing an incident response plan is crucial for reducing the impact of cyber-attacks. By creating a plan that outlines your response to various types of attacks, you can limit the damage of an attack and demonstrate your commitment to security. Remember, incident response means more than just technical activity. Corporate communications (PR) and executive roles and responsibilities are areas that are often overlooked here.
Find out more about protecting Active Directory with Just-In-Time Privilege, and see why a Unified Identity Platform is the right choice for a demonstrably secure organization.
See us discuss this list in more detail here: