With cyberattacks endlessly on the rise, cyber insurance is an important safeguard for modern business operations. No business is too small to be a target for cybercrime, and with the barriers to entry being lowered through worrying trends like Ransomware-as-a-Service, the risks are greater than ever.

Cyber insurers make it a top priority to keep an eye on the potential threats organisations will be exposed to. These threats don’t just make it riskier for your business to operate without strong cybersecurity, they make it more challenging for an insurer to cover your back – leading to higher premiums.

One of the biggest deciding factors here is the type of data that your business possesses – sensitive records and personal identification data carry a much higher risk than anonymised data that’s of little use outside of your business. But no matter what you’re working with, it’s essential to demonstrate that you’re doing the utmost to keep risks under control. Here are 5 important things that cyber insurers will look for (and that you can implement) to boost your security and keep the cost of insurance down.

Multi-factor authentication

The first, and potentially the simplest, protection to implement is multi-factor authentication (MFA). It works by requiring you not just to enter a password but also to perform an action on another device before you can access a network. This means that even if a bad actor can figure out your password, they still won’t be able to get access to your systems.

This usually works by receiving a code on your phone – either through text, or a dedicated authenticator app. However, more advanced MFA solutions also use biometric measures to verify you are who you say you are. It may sound high-tech, but many of us are already used to unlocking our phones with our thumbprints or our computers with our face.

Most systems you use in your business are likely to support MFA in one form or another, making incorporating it into your wider business IT environment straightforward.

Replace end-of-life systems

While there’s nothing wrong with getting some additional use out of your systems after the initial warranty expires, end-of-life dates are much more rigid. Once a given piece of equipment passes its end-of-life date, the vendor stops supplying critical security updates, which makes running it as part of your network a huge liability.

As such, end-of-life systems are a prime target for cybercriminals, as well as being prone to failing on their own. Naturally, this makes them a huge red flag for cyber insurers, as they’re often a sign that a business is not doing enough to secure its environment.

Cybersecurity awareness

No matter how advanced your cybersecurity posture is, every business relies on its people – and those people can be prone to making mistakes. 82% of data breaches occur as a result of human error, so, like any potential risk, it’s important to try and mitigate it.

Cybersecurity awareness training and testing are key to achieving this. Credentials like Cyber Essentials and ISO 27001 demonstrate a real internal commitment to keeping your environment safe, and proving your ability through routine phishing simulations and penetration testing is a great way to both demonstrate a security commitment to insurers and keep it top-of-mind for your people.

Email filtering

Cybercriminals go to where their targets are most accessible, and often, that means email. While only about 3% of employees will click on a suspicious link, that number can still be devastating in practice.

Once a suspicious link has been clicked, cybercriminals adopt a wide range of strategies: directly installing malware, setting up a backdoor to infiltrate the system later, or holding on to harvested credentials to launch a more believable phishing campaign against higher-level employees later.

With all this in mind, having systems in place to filter out suspicious emails is essential. Mimecast, for example, can block suspicious emails that come into your business from external sources, as well as those that spread within your organisation via compromised email accounts.

Secured, encrypted, and tested backups

If a breach does occur, the biggest costs to your business aren’t just remediating it and letting your customers know – they include the cost of lost business while you bring everything back online.

Backup data is essential to a quick recovery, which is why cybercriminals have learned to try and target it first, before bringing down your live system – in the case of ransomware attacks, this leaves you with no real alternative but to pay up and hope the criminals keep their word and restore your data.

Because of this, just having backups doesn’t do enough to mitigate risk – you need to ensure those backups are secured and encrypted so that cybercriminals can’t compromise them, and test them regularly to avoid any hiccups if the worst should happen and you lose your live data. Immutable storage is a great method for protecting your data against this threat: it prevents tampering after the backup has been made, ensuring that it’ll always be available.

What's next?

This is far from an exhaustive list of everything insurers look for, but putting these 5 solutions into place is a great way to demonstrate you’re serious about mitigating risks and keeping your business safe. If you need a helping hand with putting any of these into place, or finding new ways to help secure your business, get in touch with us.