By Reid Wellock of FifthWall Solutions and Dustin Bolander of Clear Guidance Partners – updated May 4, 2022
In this blog, we outline the basic cybersecurity toolset a business most needs in order to obtain a cyber policy at a reasonable premium. The opinions in this blog are not intended to guarantee a cyber policy for your business, but rather to better prepare you for one, because the baselines for eligibility are rising.
As cyber-attacks grow to new heights, the need for cyber insurance is becoming more urgent for almost every business in every industry. It is no longer a question of whether your company will be breached, but when. With this growing demand, business owners must move quickly to develop a risk management plan that effectively mitigates cybercrime and other risks. That plan also details how to respond to a breach and will most likely include the company's cyber policy.
Insurance Carriers Demand More
Insurance companies are moving to more specific underwriting in order to quantify an organization's risk. While risk varies with the size of an organization, its market, and its geography, carriers need to see that their Insureds implement proper risk management practices. As cyber-attacks surge, Managed Service Providers (outsourced IT providers) are frequently becoming more involved in the application process.
How Do You Manage Cyber Risk?
- Do you have the right cyber risk reduction technologies in your organization?
- Do you have a dedicated team that has defined your cyber risk policies and procedures?
- Do you have a breach response plan?
If this seems like a lot to tackle right out of the gate, let’s look at five IT best practices that will need to be addressed to increase your chance of obtaining an adequate insurance policy with the best rates.
1. Do You Have Multi-Factor Authentication Everywhere?
Multi-factor Authentication (MFA) is an authentication method that requires a user to provide two or more verification factors to gain access to a resource such as an application, online account, or a VPN. Rather than asking only for a username and password, MFA requires one or more additional verifications, which decreases the likelihood of a successful attack even when the password has been phished or leaked. The additional factor is commonly an authenticator app, a key fob, a USB security key, or a text-message code, and it matters most when logging in from outside the office. Not all factors are equal: text-message codes can be intercepted or socially engineered through SIM swapping, and any one-time code can be relayed by a real-time phishing page, so authenticator apps and phishing-resistant hardware keys (FIDO2/WebAuthn) are the stronger choices. MFA is most relevant to systems that contain PII, or Personally Identifiable Information, and to any login reachable from the internet.
Simply put, MFA is a baseline requirement for today's cyber carriers, and a business that has not implemented MFA on all of its applications will be declined across the board, save for a couple of markets if the business happens to fall in a low-risk category.
How can MFA be implemented?
Surprisingly, most of the software applications a typical business uses already have MFA settings and published tutorials on how to set them up. Many commonly used enterprise applications, such as CRMs, have their own MFA configuration within their security settings.
For a few to start with: Google Workspace (formerly G Suite) documents its MFA, referred to as 2-Step Verification, in its admin help. Be sure to enforce 2-Step Verification for every user rather than leaving it optional.
Microsoft 365 documents how to turn on MFA for a tenant; Security Defaults or Conditional Access policies are the usual ways to make it mandatory rather than opt-in.
For applications that do not have their own MFA feature, put them behind a single sign-on identity provider or an MFA gateway such as Duo, so that the login is still challenged. Authenticator apps such as Google Authenticator or Microsoft Authenticator supply the second-factor code for any application that supports the standard time-based one-time password (TOTP) method; they cannot by themselves add MFA to an application that has no MFA support.
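To make concrete what an authenticator app is actually doing when it shows a six-digit code, here is a small TOTP implementation (RFC 6238 on top of RFC 4226 HOTP) covering enrolment, code generation and server-side verification. This is an added example for this article, not code from the original post or from any of the products named above. The shared secret is the RFC test-vector secret, used only so the output can be checked against the RFCs; a real enrolment generates a fresh random secret per user and stores it encrypted.

```python
"""TOTP second factor as used by authenticator apps (RFC 6238 over RFC 4226 HOTP).

Added example for this article; not code from the original post or from any
product it names. TEST_SECRET is the RFC 4226/6238 test-vector secret, used so
results can be checked against the RFC. Real enrolment: secrets.token_bytes(20).
"""
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import quote

TEST_SECRET = b"12345678901234567890"  # RFC test vector, constructed for the example
TIME_STEP = 30   # seconds each code is valid
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, dynamic
    truncation to 31 bits, then the low `digits` decimal digits, zero-padded."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = TIME_STEP, digits: int = DIGITS) -> str:
    """TOTP (RFC 6238): HOTP with the counter derived from Unix time."""
    return hotp(secret, at_time // step, digits)


def verify_totp(secret: bytes, submitted: str, at_time: int,
                drift_steps: int = 1, step: int = TIME_STEP) -> bool:
    """Server-side check. Accepts the code for the current window plus
    `drift_steps` windows either side, so a phone whose clock is a few seconds
    off still works, while older codes are rejected. The comparison is
    constant-time so response timing reveals nothing about the right code."""
    if len(submitted) != DIGITS or not submitted.isdigit():
        return False
    counter = at_time // step
    for delta in range(-drift_steps, drift_steps + 1):
        if hmac.compare_digest(hotp(secret, counter + delta), submitted):
            return True
    return False


def provisioning_uri(secret: bytes, account: str, issuer: str) -> str:
    """otpauth:// URI carried in the enrolment QR code that Google Authenticator,
    Microsoft Authenticator and Duo Mobile scan. Apps expect unpadded base32."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    label = quote(f"{issuer}:{account}")
    return (f"otpauth://totp/{label}?secret={b32}&issuer={quote(issuer)}"
            f"&algorithm=SHA1&digits={DIGITS}&period={TIME_STEP}")


if __name__ == "__main__":
    now = int(time.time())
    print(provisioning_uri(TEST_SECRET, "alice@example.com", "ExampleCorp"))
    code = totp(TEST_SECRET, now)
    print("code now:", code, "-> verifies:", verify_totp(TEST_SECRET, code, now))
    print("same code two minutes later ->", verify_totp(TEST_SECRET, code, now + 120))
```

Two points the code makes that the prose above does not: the server must hold the same secret as the phone, which is why that secret (not the password) is the thing to protect and why the secret never goes over the wire after enrolment; and a valid code is only valid for about a minute, so a real deployment should also record the last accepted counter per user to stop the same code being replayed within the window.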
2. Do You Have Segregated Backups?
Segregated backups are exactly what they sound like: a copy of your data kept separate from the systems where that data originally lives. In a world where ransomware is around every corner, backups are only as good as where they are stored. If backups are not separated, a ransomware event can very likely encrypt or delete them along with everything else, making them useless. Attackers now hunt for and destroy backups as a standard part of their playbook, typically by deleting Volume Shadow Copies and by logging into the backup console with the same stolen administrator credentials they used for everything else. Separated backups are often cloud-based, but dedicated servers are also used. Two practical tests of whether a backup is truly segregated: can the domain administrator account that runs production also delete or overwrite it (it should not; use separate credentials and immutable or offline storage), and have you actually restored from it recently?
3. Do You Have Endpoint Detection and Response (EDR)?
Like NGAV (below), EDR is an integrated security solution that combines real-time continuous monitoring and collection of endpoint data with rules-based automated analysis and response. In other words, it is software that is on a constant lookout for suspicious behavior and, if it finds any, raises an alert and can isolate the machine or kill the process. An endpoint is any device that runs your software: workstations, laptops, and servers. Endpoint detection therefore watches every one of them and rings the alarm when it sees something unusual, such as a Word document launching PowerShell or an administrative tool deleting backup snapshots.
4. Do You Have Next Generation Anti-Virus (NGAV)?
Traditional anti-virus looks for files whose signatures match a catalog of known malware. This works only if the catalog is constantly updated, and attackers are always one step ahead with new or repackaged files that match no signature. Next-Generation Antivirus (NGAV) goes a step further. It uses a combination of behavioral detection, machine-learning models, and exploit prevention so that known and unknown threats are identified by what they do rather than only by what they look like, and are blocked before they run or shortly after.
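The difference between sections 3 and 4 and the signature-based tools they replace is easiest to see on a few lines of endpoint telemetry. The following is an added example for this article, not code from any EDR or NGAV product: a hash catalog (what traditional anti-virus does) beside three behavioural rules of the kind EDR and NGAV use, run over constructed process-creation events. The "known bad" hash, hostnames and the base64 blob in the PowerShell command line are all invented for illustration.

```python
"""Signature matching versus behavioural detection over endpoint telemetry.

Added example for this article, not code from any EDR or NGAV product. The
events, the "known bad" hash and the base64 blob in the PowerShell command
line are constructed for illustration.
"""
import hashlib
import re
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    host: str
    parent: str        # image name of the parent process
    image: str         # image name of the new process
    cmdline: str
    file_sha256: str   # hash of the executable on disk


# Traditional AV: a catalog of hashes of known malware. Anything not in the
# catalog is invisible to it. (Placeholder hash, constructed for the example.)
KNOWN_BAD_HASHES = {hashlib.sha256(b"constructed-malware-sample").hexdigest()}

# Behavioural rules of the kind NGAV/EDR layer on top. They describe what
# malware does, so they also catch files nobody has seen before.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
ENCODED_PS = re.compile(r"\s-(?:e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{16,}", re.I)
SHADOW_DELETE = re.compile(r"vssadmin(?:\.exe)?\s+delete\s+shadows", re.I)


def rule_office_spawns_script_host(ev):
    if ev.parent.lower() in OFFICE_APPS and ev.image.lower() in SCRIPT_HOSTS:
        return f"{ev.parent} spawned {ev.image}: macro or phishing payload pattern"
    return None


def rule_encoded_powershell(ev):
    if ev.image.lower() == "powershell.exe" and ENCODED_PS.search(ev.cmdline):
        return "PowerShell launched with an encoded command"
    return None


def rule_shadow_copy_deletion(ev):
    if SHADOW_DELETE.search(ev.cmdline):
        return "Volume Shadow Copies deleted: ransomware pre-encryption step, destroys local backups"
    return None


BEHAVIOUR_RULES = (rule_office_spawns_script_host, rule_encoded_powershell,
                   rule_shadow_copy_deletion)


def signature_scan(events):
    """What a traditional AV sees: exact hash matches only."""
    return [ev for ev in events if ev.file_sha256 in KNOWN_BAD_HASHES]


def behaviour_scan(events):
    """What EDR/NGAV adds: (host, image, finding) for every rule that fires."""
    findings = []
    for ev in events:
        for rule in BEHAVIOUR_RULES:
            msg = rule(ev)
            if msg:
                findings.append((ev.host, ev.image, msg))
    return findings


# Constructed telemetry: one file the catalog knows, two attacks it does not.
SAMPLE_EVENTS = [
    ProcessEvent("ws01", "explorer.exe", "notepad.exe", "notepad.exe notes.txt",
                 hashlib.sha256(b"benign-editor").hexdigest()),
    ProcessEvent("ws01", "explorer.exe", "invoice.exe", "invoice.exe",
                 hashlib.sha256(b"constructed-malware-sample").hexdigest()),
    ProcessEvent("ws02", "WINWORD.EXE", "powershell.exe",
                 "powershell.exe -nop -w hidden -enc SQBFAFgAIABjAG8AbgBzAHQAcgB1AGMAdABlAGQA",
                 hashlib.sha256(b"never-seen-before-loader").hexdigest()),
    ProcessEvent("ws02", "cmd.exe", "vssadmin.exe", "vssadmin.exe delete shadows /all /quiet",
                 hashlib.sha256(b"vssadmin-legit-binary").hexdigest()),
]

if __name__ == "__main__":
    print("signature hits :", [ev.image for ev in signature_scan(SAMPLE_EVENTS)])
    for host, image, msg in behaviour_scan(SAMPLE_EVENTS):
        print(f"behaviour alert: {host} {image}: {msg}")
```

The signature scan catches only the one file whose hash is already in the catalog. The behavioural rules flag the Word-launched encoded PowerShell, which has a hash nobody has seen before, and the shadow-copy deletion, which is a legitimate Windows binary and can never be caught by a hash at all; that last one is also the moment an attacker is destroying the local backups described in section 2.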
5. Do You Have Cybersecurity Training for Your Employees?
Cybersecurity training is no longer a nice-to-have company policy. It is often required for all users on your network, and its core goal is teaching people how to spot phishing emails.
As published on NerdOnsite.com, training helps employees look out for scams like these. Here are a few things the IT department should train your employees to watch for:
- The actual email address behind the display name, not just the name shown
- Suspicious links behind the hyperlink text (do not click; hovering over the link reveals the real URL)
- Spelling or grammar mistakes
- Odd or generic salutations
- Requests for sensitive information such as passwords, banking details, or employee data
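Three of the indicators in that checklist (the address behind the display name, the link behind the hyperlink text, the generic salutation and the request for sensitive data) can be checked mechanically, which is also how mail filters and awareness-training tools score a message. Below is an added example for this article, not part of the original post or of any training vendor's material, that runs those checks over one constructed phishing email using only the Python standard library; the domains in the sample are reserved example domains, not real senders.

```python
"""Checks for phishing indicators from the checklist above, run over a raw e-mail.

Added example for this article; not part of the original post or of any training
vendor's material. The message is constructed and uses reserved example domains.
"""
import re
from email import message_from_bytes, policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: display name impersonates the real helpdesk, the visible
# link text names the corporate portal but the href does not, the salutation
# is generic, there is a typo, and it asks for credentials.
SAMPLE_EMAIL = b"""\
From: "IT Helpdesk - helpdesk@example.com" <alerts@example-helpdesk.net>
To: alice@example.com
Subject: Urgent: password expires today
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Dear Customer,</p>
<p>Your pasword will expire in 2 hours. Please
<a href="http://login.example-helpdesk.net/reset">https://portal.example.com/reset</a>
to confirm your password and employee ID.</p>
</body></html>
"""

EMAIL_RE = re.compile(r"[\w.+-]+@(?:[\w-]+\.)+[a-z]{2,}", re.I)
HOST_RE = re.compile(r"(?:https?://)?((?:[\w-]+\.)+[a-z]{2,})", re.I)
SENSITIVE_RE = re.compile(r"\b(password|passcode|ssn|social security|bank account|"
                          r"wire transfer|employee id|gift card|credit card)\b", re.I)
GENERIC_SALUTATION_RE = re.compile(r"^\s*dear\s+(?:customer|user|valued|account holder)\b",
                                   re.I | re.M)


class LinkCollector(HTMLParser):
    """Collects (href, visible anchor text) pairs and the visible text of the body."""
    def __init__(self):
        super().__init__()
        self.links, self.text = [], []
        self._href, self._anchor = None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._anchor = dict(attrs).get("href"), []

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._anchor).strip()))
            self._href = None

    def handle_data(self, data):
        self.text.append(data)
        if self._href is not None:
            self._anchor.append(data)


def check_display_name(msg):
    """Indicator 1: an address shown in the display name whose domain differs
    from the domain of the address that actually sent the mail."""
    findings = []
    for addr in msg["From"].addresses:
        shown = EMAIL_RE.search(addr.display_name or "")
        if shown and shown.group(0).rsplit("@", 1)[1].lower() != addr.domain.lower():
            findings.append(("display-name-mismatch",
                             f"display name shows {shown.group(0)}, real sender is {addr.addr_spec}"))
    return findings


def check_links(links):
    """Indicator 2: anchor text naming one host while the href goes to another
    (what hovering over the link would reveal)."""
    findings = []
    for href, text in links:
        shown, real = HOST_RE.search(text), urlparse(href).hostname
        if shown and real and shown.group(1).lower() != real.lower():
            findings.append(("link-mismatch", f"text shows {shown.group(1)}, link goes to {real}"))
    return findings


def analyze(raw: bytes):
    """Returns a list of (indicator, detail) pairs for the message."""
    msg = message_from_bytes(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body is not None else ""
    parser = LinkCollector()
    parser.feed(html)
    text = "".join(parser.text)
    findings = check_display_name(msg) + check_links(parser.links)
    if GENERIC_SALUTATION_RE.search(text):
        findings.append(("generic-salutation", "mail is not addressed to a named person"))
    asked = sorted({hit.lower() for hit in SENSITIVE_RE.findall(text)})
    if asked:
        findings.append(("sensitive-request", ", ".join(asked)))
    return findings


if __name__ == "__main__":
    for indicator, detail in analyze(SAMPLE_EMAIL):
        print(f"{indicator}: {detail}")
```

The link check is deliberately conservative: if the anchor text is just "click here" there is no host to compare, and it reports nothing, which is exactly why the training tells people to hover rather than trust the text. Spelling mistakes are left to the human reader; a dictionary check produces far more noise than signal on real mail.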
Which Industries Pose the Greatest Challenges Without Cyber Best Practices?
The industries most targeted by, and most vulnerable to, cyber-attacks are:
- Payment Processors
- Schools & Colleges
- Healthcare institutions
- Small businesses
- Law Firms
Law firms historically disregard cybersecurity. According to a cybersecurity survey in the ABA Techreport 2020, only 43% of respondents use file encryption, 39% use email encryption, and 26% use whole/full disk encryption. Clear Guidance Partners works with a diverse set of firms ranging in size with a variety of practice areas helping firms with the right solution to meet the challenges of today’s cybercriminals head-on.
“It’s time to get back to the basics of managing cyber risk,” said Diane Templin, Manager of Insurance Operations at FifthWall Solutions. “When we are working with insurance agents on behalf of their client — whether a local school district, a law firm, or a manufacturer — the disparity of requirements versus what they have to date always requires getting a Managed Service Provider on board.”
MFA is required and is a significant stumbling block for schools because of the increase in remote learning during COVID-19. A dedicated MSP or MSSP team can help any internal team get over this obstacle.
Municipalities typically have budgetary constraints, and the budget is taxpayer-driven. Often the premiums carriers quote are too high for a municipality working with a fixed or limited budget. One recommendation from FifthWall Solutions is that all municipalities budget annually for a contract with a local third-party cybersecurity provider, an outside resource that monitors and protects their IT systems 24 x 7.
The Bottom Line to Obtaining Cyber Coverage
Improve your organization's cybersecurity posture before a breach harms you. No matter the industry or size of the company, risk management solutions should be budgeted for and at the top of the list of action items with your management team.
Cybersecurity is of paramount importance.
Expect the unexpected.
We don’t know what the next six months look like, let alone next week.
FifthWall Solutions is quoting and binding business for SMBs and larger companies. With broad market access and extensive product knowledge, FifthWall has access to more than 25 markets and offers limits up to $100 million in coverage for certain risks, allowing agents to identify the right policies today and at renewal quickly. We work with security focused MSPs and MSSPs to help them help their clients to have the best risk management tools in place.