Keep your business safe from a cyber‐attack

How do I keep my business safe from cyber attacks?

Insurance underwriters and actuaries study data to understand the characteristics that make something a ‘good risk’. Put simply, insurers like to hedge their bets with the best risks – those which pose little threat to their underwriting profit because they rarely suffer claims and, therefore, allow insurers to keep more of the premiums.

For our traditional classes of insurance such as property or Employers/Public Liability, most of this is very straightforward – you are a less risky business if you have a good alarm system, CCTV, lockable windows and doors, health and safety policies, and all the good stuff that a prudent person might do to protect their business.

All this seems very simple and, to be fair, it is. But we need to translate this same behaviour into the computer-generated world. Given that everything online is intangible, it’s hard to understand how exactly one might put a padlock on systems or synthesize an alarm to alert when criminals try to manipulate employees into sending virtual funds to a distant land. Thankfully, we can take guidance from our experienced insurer friends, who understand what ‘good’ looks like, to become a ‘good risk’ and reduce the chances of threat actors targeting you or your business.

Let’s look at some characteristics that cyber underwriters like to see:

  1. Multi-factor authentication – this is an extra confirmation step to ensure a valid and authorised user is entering a network. Outlook provides a free version which is a good place to start.
  2. Dual authorisation processes for payments, which can help to detect social engineering attempts.
  3. Password hygiene – ensure passwords are complex, with lots of letters, numbers and special characters and enforce regular changes.
  4. Ensure your systems are up to date, and patches are applied without delay. Avoid running unsupported legacy software where possible.
  5. Regular, segregated data back-ups are essential to help reinstate lost data, and are especially useful when stored offline and separately from the network.
  6. Email security, which can help to flag threat actors and block spam and other malware from getting onto your systems.
  7. Training and awareness for staff – a frequent area of inadequacy in most businesses. Human error contributes to a large proportion of threat events. Think human firewall as well as a computer one.
  8. Data encryption, which will protect swathes of data in the event of a breach.
  9. Data & system segregation, which divides data and systems so that threat actors cannot move laterally and maximise their damage across the whole network.
  10. Limit authorisation and privileges, which restricts user access to elements of the network, preventing major disruption to the business or access to large data hauls.
  11. Business continuity planning – have a plan ready for a potential system breach or a cyber event which will help you and your business get back to work quickly.

Implementing these risk controls is good digital practice but, even with the above measures in place, it’s still worth insuring your cyber risk – and if you choose to take up a policy later on, these controls can translate into lower premiums for a cyber policy.

There are many instances where, even with the best intentions, businesses can become victims and, even with good cyber hygiene, they can be exposed to losses – therefore, insurance is an important element in your risk management programme. Zero-day vulnerabilities are an example of where, even with the best risk management in place, claims can still occur. In any event, it is still worth protecting yourself and making your business a hard target.

In the same vein, our houses could get struck by lightning, but that doesn’t mean we don’t lock our doors at night.

Threat actors have become much more sophisticated, too. Businesses might not necessarily even know someone is sitting in their network waiting for an opportune moment to inflict damage.

We can’t stress enough the importance of acting now to implement risk controls.
