Cyber Hygiene Standards for Business Insurance
In today’s digital age, businesses must protect their survival from unseen and unprotected Cyberattacks. These are becoming increasingly common, with the damage that can be caused to your business increasing the risk of an Extinction Event is significant. One of the best methods of protecting your business is to improve your cyber hygiene standards.
Every business is at significant risk of an attack, but there are ways you can reduce this risk. Implementing tools, policies, and procedures to improve your cyber hygiene can dramatically decrease the risk to your business.
First, you must Identify the risk a cyberattack poses to your business and then create a layered defence programme to protect it. The first layer of your protection should be prevention. You should utilise every tool you available to prevent an attack in the first place. Prevention is always the best way to protect your business in cybersecurity.
owever, cybersecurity is more complicated than just needing to prevent an attack (although it is the best way to mitigate risk).
Not only do you need to prevent an attack, but you also need a second layer of protection: your response strategy. You need to plan for what to do if your business becomes the victim of a cyberattack. Within this plan, you should have insurance lined up to reduce risk to your business after an attack.
If you have cyber insurance, the monetary risk to your business will decrease – potentially saving your business from collapse!
Many insurers are enforcing essential cybersecurity requirements before you can be insured. And if you don’t adhere to them, your layers of protection will start to unravel.
Recommended Cyber Hygiene Standards
Insurance providers are becoming stricter about the cybersecurity protections you need to have in place. You may not be eligible for the second layer of protection if you do not follow the essential prevention methods.
Although there is no official checklist for the practises your business needs, we have created a list of the most recommended standards most insurers want you to have.
The standards recommended here are typical cybersecurity practices that your business should use. Many of the standards below are used within the UK government’s ‘Cyber Essentials’ requirements. Contact us now to learn more about ‘Cyber Essentials’.
To complete your layered defence programme and reduce the risk of a cyber attack, use the following standards as a guide:
Data Backups
One of the most important cyber hygiene standards you can use to protect your business’s sensitive data is to ensure it is backed up regularly. At a minimum, you should be backing up your data weekly.
Additionally, your backups should be stored offsite in a separate location from your office to ensure that your data is safe in the event of a fire or other disaster.
Your data should also be stored offline to protect your business from any malicious activity that could occur if all your backups and information were stored online.
All of your backups should also have:
- Encryptions
- Air-gapping (isolating your computers and preventing them from joining unstable connections – e.g. public wifi)
- Secure platforms (hardware and software which protect your IT infrastructure. Preferably kept offline)
- Tested restoration of the backups
These steps are necessary to ensure your backups are safe from a breach.
Multi-Factor Authentication
Another critical cyber hygiene standard is the use of multi-factor authentication (MFA). MFA requires the use of two or more factors to authenticate a user.
For example, MFA systems require a user’s standard login credentials as well as an extra verification method unique to you, from a mobile phone or other device OR a fingerprint or facial scan. MFA makes it harder for hackers to gain access to your systems.
MFA is required for all remote access, Online admin access, and Remote Desktop Protocol (RDP) connections. In time, all third-party services used as part of your Digital Systems will require you to enable MFA to be compatible.
If you do not have Multi-Factor Authentication in place for all of the above, you will likely find that most insurers will not insure you.
To keep your business protected from the following cybersecurity threats, use Multi-Factor Authentication:
Phishing attacks:
Phishing attacks are when criminals send emails that look like they’re from a legitimate company to get you to click on a link or open an attachment. Once you do, they can install malware on your device or steal sensitive information.
With Multi-factor Authentication, the hacker doesn’t know the extra code on your separate device- preventing unwanted access to your systems.
Credential stuffing:
Credential stuffing is when hackers use lists of stolen usernames and password combinations to log in to accounts automatically.
With MFA, even if a hacker has your login credentials, they won’t be able to get into your account without the extra code on your separate device.
Man in the middle attacks:
Man-in-the-middle attacks happen when hackers insert themselves into a conversation between two people. They can do this to eavesdrop on the conversation or change any messages (for example, change bank details to their own).
With MFA, even if a hacker intercepts your login credentials, they won’t be able to access your account without the extra verification.
Multi-factor authorisation may seem like a pain, but it’s crucial for the survival of your business.
And these are just 3 of the attacks it could save you from!
Email Filtering
One of the most common ways hackers gain access to business systems is through email phishing scams – which is why having an Email Spam Filter service in place is essential.
Email Spam Filters pre-screen mail for malicious software, attachments, and links before presenting them to the End User. An email filter service will help prevent phishing attacks before they reach your inbox.
To put an email spam filter into perspective, 91% of all business cybersecurity breaches result from a phishing attack. If you don’t have an email filtering service, your business is more likely to fall victim to a cybersecurity incident!
Malware Protection (Anti-Virus) / Firewalls (split)
Another necessary cyber hygiene standard is the use of anti-virus and firewall software.
Anti-virus and firewall software are essential for protecting your business from malware and other attacks. They should be installed on all your computers and servers whilst being updated regularly (at least quarterly).
Malware Protection (Anti-Virus) software and firewalls work to keep your business safeguarded against potential data breaches or hacking attempts. With anti-virus software or firewalls, you or your IT team will get a notification. Resulting in less malicious activity being able to take place as you can stop it before it damages your business.
Additionally, Up-to-date software is essential, so be sure to uninstall any old versions and install new ones along with regular updates and patches.
Endpoint Protection
Endpoint detection and response (EDR) is a type of security software that helps identify, contain, and remove malware infections. It’s designed to detect malicious or suspicious activity on a device and then take action to neutralise the threat.
Endpoint detection and response protocols should be in place on all your end devices (for example, laptops and mobile devices), all workstations in the office and servers (both physical and virtual).
Updated Systems
One of the most important cyber hygiene practices you can use to protect your business from a cyberattack is to ensure that all critical patches are implemented within 14 days.
By keeping your systems up-to-date, you can help prevent attacks before they happen.
Additionally, create a process for testing patches before they are deployed to production systems to ensure that patches do not cause unexpected problems.
Training
It’s essential to provide cybersecurity awareness training for all employees every year (at the very least).
This training should cover topics such as security awareness, phishing attacks, and how to spot suspicious activity. By educating your employees on these topics, you can help them become an asset in the fight against cybercrime.
Specifically, training on the following is of the utmost importance:
- Phishing simulations.
- The safe use of portable devices (for example, mobile phones and laptops).
- Learning how to stay safe when online (e.g. browsing the web).
Jera is offering free cybersecurity training for businesses in Scotland for six months. Sign up your team here.
End of Life Systems & Software EOL:
End-of-life systems and software should be used to prevent malware from spreading across your entire company’s devices. If end-of-life software is installed, it will remove the infected laptop from the network before anything can breach your other devices.
Saving your business from a significant cybersecurity breach from which your business cannot bounce back.
Password Management
Include password management software on your endpoints for extra protection.
Incident Response Plan
An incident response plan (IRP) is a set of procedures to be followed during a cybersecurity breach. It should be designed to minimise the damage caused by the breach and to get your systems back up and running as quickly as possible.
Your incident response plan should be tailored to your specific organisation and should be updated and tested regularly.
Privileged Access Management
Ensure that an admin controls all the strategies and technologies you have in place across your IT environment.
An admin should have overall control of ‘access and permissions’ so that nobody else in your organisation can download unwanted software on your networks without permission.
You never know who in your business could be the sole cause of a massive data breach.
Important: make sure the overall control is a trustworthy source, as they will have overarching control of your IT.
Business Continuity Plan
Make sure that your business has a business continuity plan in place which details what to do in the event of:
- Network outages (e.g. potential cybersecurity breach or a natural disaster)
- Communications going offline
- Needing data recovery.
Assess Vulnerabilities in Your Business
Invest in vulnerability assessments to identify and fix any potential weaknesses in your network before attackers can exploit them.
You should use penetration testing, red-teaming and tabletop exercises in your vulnerability assessments.
These assessments should give you a greater understanding of the holes in your cybersecurity and how to prevent anyone from gaining access to your systems.
Conclusion
Protecting your business from cybercrime is essential in today’s digital age.
By adhering to specific standards, you can help ensure that your business qualifies for business insurance so that you are covered in the case of a cybersecurity incident.
Contact Jera
Use Jera to protect your business from the bad guys. Get business insurance to cover your business if the worst happens!
Go to sleep soundly, knowing that your business is protected with Jera.
If you need help getting the following requirements up and running, contact us here at Jera. We can help you achieve the cybersecurity standards you need for cybersecurity insurance.