As we all know too well, data breaches and cybercrimes are on the rise and are causing major headaches and financial loss for businesses of all sizes. Cybercriminals want us to believe that large corporations are the only businesses getting hacked; however, small to medium-sized businesses (SMBs) are just as susceptible to cybercrime. In fact, 43% of cyber attacks target small businesses, according to Verizon’s 2020 Data Breach Investigations Report.
Data breaches can cause incredible damage to your organization’s computer systems, reputation, and the safety of your customer and employee data. That’s why companies are beginning to rely on cyber insurance to protect themselves from the financial losses associated with cybercrimes. Cyber insurance can be a great tool to cover your organization’s liability for a data breach, but there are a few requirements your business must meet to obtain cyber insurance coverage.
Let’s review the top 6 requirements for SMBs to obtain cyber insurance coverage.
1. Cybersecurity Awareness Training
Because cybercrimes are on the rise, cyber insurance premiums are also skyrocketing. Most cyber breaches involve a human element, which is why having a cybersecurity awareness training program is crucial to obtaining cyber insurance. The more awareness that is created regarding cybersecurity, the more likely we are to reduce breaches.
Cybersecurity training starts with baseline training, which every employee that has access to technology will need to undergo. Baseline training covers essential cybersecurity information that employees need to know to stay safe and keep your company safe. New employees should receive baseline training as a required component of the onboarding process. Existing employees should receive additional training at least every six months. Continued training is critical as technology and tactics used by hackers are constantly evolving.
Additionally, you should establish a Cybersecurity Workforce (CWF) program. This program identifies jobs and roles within your company that require more training from a cybersecurity standpoint. Employees who work with regulated data or privacy concerns will need a higher level of testing. Key roles with technology and access to personal private information, like finance, executives and managers, HR/payroll, system administrators, and software developers, need to be included in the CWF program.
Employee roles and the training required for them need to be reviewed and adjusted annually. During your annual review of roles, you may find new roles to add or roles that are no longer in use and can be retired. If an employee’s role changes, they will need to be assigned any additional training that the new role requires.
Analyzing your team, defining CWF roles and training can be daunting. Guide Star can help you work through standing up and managing your CWF program.
2. Modern Antivirus
Antivirus is only one piece of the puzzle when it comes to protecting your systems, but it is a necessary one. Your antivirus needs to be modern, so avoid outdated technology and free antivirus tools.
Your antivirus must have automatic virus definition updates enabled, and your IT team must push it to every computer you manage.
Additionally, your IT team needs tools that show whether your corporate devices are actually receiving and installing AV definition updates. This has become a bigger challenge with the explosion of remote work globally in response to the pandemic. Guide Star has an integrated approach to AV management and monitoring that can give your IT team an easy button when it comes to managing AV.
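As an added illustration (not code from the article or from Guide Star’s tooling), the following PowerShell script checks one Windows machine’s Microsoft Defender definition freshness so an IT team can tell whether updates are really landing; the three-day limit is an assumed policy value.

```powershell
# Added example: report Microsoft Defender signature freshness on the local machine.
# Assumes Windows with the Defender PowerShell module (Get-MpComputerStatus, Update-MpSignature).
# The 3-day threshold is an assumed policy value, not something the article specifies.
param(
    [int]$MaxSignatureAgeDays = 3
)

$status = Get-MpComputerStatus

$report = [pscustomobject]@{
    Computer             = $env:COMPUTERNAME
    AntivirusEnabled     = $status.AntivirusEnabled
    RealTimeProtection   = $status.RealTimeProtectionEnabled
    SignatureVersion     = $status.AntivirusSignatureVersion
    SignatureLastUpdated = $status.AntivirusSignatureLastUpdated
    SignatureAgeDays     = $status.AntivirusSignatureAge
}

# Collect every condition that would make this device non-compliant.
$problems = @()
if (-not $report.AntivirusEnabled)   { $problems += 'antivirus engine disabled' }
if (-not $report.RealTimeProtection) { $problems += 'real-time protection off' }
if ($report.SignatureAgeDays -gt $MaxSignatureAgeDays) {
    $problems += "signatures are $($report.SignatureAgeDays) days old (limit $MaxSignatureAgeDays)"
}

$report | Format-List

if ($problems.Count -gt 0) {
    Write-Warning ("{0}: {1}" -f $report.Computer, ($problems -join '; '))
    # Attempt to pull definitions now; the warning still stands so the gap shows up in monitoring.
    Update-MpSignature -ErrorAction SilentlyContinue
    exit 1
}
Write-Output "$($report.Computer): AV definitions current"
exit 0
```

Run it from your RMM or through Invoke-Command against each managed device; the non-zero exit code lets the monitoring tool flag machines whose definitions have fallen behind.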
3. Having a Managed Firewall
Much like antivirus, not all firewalls are created equal. Your firewall is your network’s primary line of defense against external threats, so if you are using end-of-life hardware or old versions of software, you are putting your systems at risk.
A firewall blocks a lot of bad traffic every day, so having a modern firewall with the capability to update automatically is necessary. Your IT team may need to test the new updates to ensure they are up to your standards, but once they have approved an update, the process for rolling out the change should be automated.
All network technology, including your firewall, also needs to undergo a regular patching routine. Additionally, it is critical that your IT team has a strategy for proper network segmentation. Network segmentation means having controls in place so that access to your network is layered. If someone were to breach your firewall, they would only reach one portion of your network instead of the whole thing.
4. Multifactor Authentication
Cyber insurance firms will always expect you to have Multi-Factor Authentication (MFA). Having MFA in place is one of the best practices to protect business emails and networks. Essentially, it’s another layer of protection that can block a majority of attacks originating from compromised credentials.
According to Microsoft, MFA is available to all customers with a commercial service subscription, but only 18% have it turned on. Microsoft goes on to say that they saw a significant jump in MFA usage during the pandemic which significantly decreased compromises.
5. Email Management and Filtering
Email is the most commonly used entry point for hackers. Your IT team needs to implement technical controls to identify phishing emails and emails with malicious attachments or links, then prevent them from being delivered to your users. Many of the main cloud email provider technologies have these capabilities. Your IT team will want to make sure that you have purchased and enabled this functionality.
White and black labeling (allow and block lists) is a manual process that works in tandem with an automatic email filter. If a legitimate email is flagged as suspicious, your IT team can white label a specific email address or domain so that the email (and future emails like it) will make it past the filter. On the other side, if someone is receiving spam or harmful emails that are making it past your filters, your IT team can assign a black label so those emails don’t get through.
6. Backup and Recovery
Backups are an essential part of any cybersecurity program and can save an organization thousands of dollars, which is why insurance firms require a backup and disaster recovery plan. Backups are used to prevent data loss in case of an event, like a natural disaster or a hacker accessing your systems.
Your backups need to be automated and scheduled, because manual backups have a higher chance of failure due to human error or forgetfulness.
Storing your backups in an offsite location, preferably in a different zip code, gives your company another layer of security. If your home office were destroyed by a natural disaster, like a tornado or hurricane, your backups would still be safe in a different location.
Never store your backups on the same physical storage device as your systems themselves. If the device were to be compromised, you lose your systems and your backups. Various cloud options are a great, low-cost alternative for storing and managing backups.
If you need help migrating to a cloud backup solution, Guide Star can help.
Implement These Requirements Today
Cybercrimes aren’t going away any time soon, which is why insurance carriers are enforcing these basic safety standards. These requirements are being enforced because many companies have viewed cyber insurance as a way to get around improving their cybersecurity program. In reality, a weak cybersecurity program causes more damage for you and your company and can harm your reputation and the safety of your employees and customers.
Taking the necessary steps to secure your systems can help prevent attacks and lower your insurance premiums. Guide Star has the resources to help you implement the above standards to obtain cyber insurance. Contact us today to get started!