In an increasingly technology-driven world, organizations—now more than ever—have sensitive company or customer information accessible to the outside world on the Internet or via the cloud. An effective age-old method to mitigate or combat increasing risk is through the use of insurance. Lately, many industry-leading insurance companies have begun to offer cybersecurity insurance riders to a business’s umbrella or general liability policy.
These cybersecurity insurance policies can be invaluable to companies and can help provide indemnification for many cyber events, such as data breaches, ransomware, data recovery and liability issues that may arise from these attacks. However, the purchase of a cybersecurity insurance policy alone with no additional internal control evaluation can provide companies with a false sense of security. Oftentimes, to be eligible for the full benefits of a cybersecurity insurance claim, insurers require that customers have implemented sound information technology controls to support proper cyber due diligence.
Below are ten key areas you’ll want to consider when assessing your company’s ability to respond to due diligence concerns for a cybersecurity insurance claim:
Cyber Due Diligence Area 1: Security Awareness Training
Employees are often an organization’s greatest asset, but they can also be the weakest link during an attempted cyber-attack. An organization’s efforts to build a strong security architecture can easily be thwarted by an employee failing to recognize a social engineering email. During a social engineering attack, employees will fall prey to phishing emails that lure them into clicking on links with malicious intent or providing network credentials to outsiders. Therefore, it is critical that a company’s end users be trained often on security awareness and cybersecurity topics, including social engineering testing. Regular security awareness training for your end users is often one of the best ways to spend resources to help improve an organization’s ability to prevent a cyber-attack.
Cyber Due Diligence Area 2: Remote Access
Does your organization allow employees to work from home intermittently, or perhaps have third-party vendors who provide support functions remotely? Proper controls should be established to define how those individuals can remotely access your network. Virtual Private Network (VPN) tools are the most common method of allowing someone outside your organization to connect to internal resources in near real-time. Remote users should be forced to log in using their network credentials with complex passwords that expire periodically. In addition, multi-factor authentication (MFA) is essential for all remote users. After submitting a valid username and password, MFA challenges a user to input information from a key or token (either physical or digital) as an additional measure of verifying the user’s identity.
Cyber Due Diligence Area 3: Anti-Virus/Anti-Malware
The most basic of technology protections, anti-virus and anti-malware software is still a key defense mechanism in an organization’s security plan. In news headlines, we often become overwhelmed with zero-day attacks, in which no known protections exist. While these kinds of attacks are always a concern, the majority of virus and malware attacks come in the form of known signatures that already exist in protection software. The best anti-virus and anti-malware companies automatically update their products daily with the latest definitions to help protect their customers. When evaluating and implementing these products, companies should ensure that the software in place allows central management of all of the company’s computers and servers and can allow scans to be scheduled and updates to run at designated times.
Cyber Due Diligence Area 4: Patching
In a perfect world, a company’s installed software and applications would never need any updating. However, hackers are constantly on the prowl searching for new vulnerabilities within software. As a result, we must prioritize the vulnerability scanning and patching process. Many vulnerability scanning tools are available, which comb through a network searching for potential vulnerabilities and exploits within software. Unpatched, outdated or unsupported software is the equivalent of leaving the front door of your home open, and it provides an easy entry point into an organization for malicious users.
Cyber Due Diligence Area 5: Monitoring
While a plethora of network security tools are available in the marketplace, we are often led to believe that adding one more tool to your toolbox could be the “silver bullet” of security. While tools can be extremely effective, without proper configuration and monitoring of their output, their effectiveness is greatly minimalized. Using the set of network tools already in place, IT personnel should ensure their output logs are reviewed periodically for suspicious activity or anomalies. These logs can help to constantly improve a tool’s effectiveness by fine-tuning the thresholds of what is considered to be acceptable within your environment. In addition, alerts from network security tools should be configured to notify IT personnel of potential security events.
Cyber Due Diligence Area 6: Acceptable Use of Company Resources
In addition to strong information technology controls, Organizations should ensure employees and vendors are required to periodically acknowledge an understanding of acceptable use of company resources. This most often takes place during the new-hire process, but it can also be acknowledged annually. A typical acceptable use agreement contains guidelines around password management, computer and internet usage, the proper use of email, encryption of sensitive information and social media usage, etc.
Cyber Due Diligence Area 7: Access Control
When granting access to your network and critical applications, Organizations should always employ the least privilege principle. This is the idea that users should only be given the bare minimum rights to a network or application in order to perform their job functions. To enforce proper access control and the principle of least privilege, logical access reviews of the network and applications should be performed at least quarterly to ensure the access granted is appropriate. Logical access reviews also assist with identifying and cleaning up accounts belonging to terminated users that are no longer needed.
Cyber Due Diligence Area 8: Change Management
Along the same lines as patch management, good change management controls help to ensure that all of the changes made to your most critical applications have been reviewed, vetted and approved. While it can vary depending on the levels of software development taking place, changes to an application should be formally requested in a change request form, approved by an appropriate level of management, tested and pushed into production by independent personnel.
Cyber Due Diligence Area 9: Network Topology and Segmentation
As often quoted in the Information Technology industry, “You can’t protect what you don’t know about.” Network topology and the inventorying of IT assets play a critical role in how an organization identifies key systems and the plan to protect them. Network topology and asset inventory can be a daunting task when performed manually. However, there are multiple industry-leading tools available, which combine this functionality for a more automated solution.
Segmentation, while somewhat technical, also is essential to a strong security posture. Proper segmentation of a network allows specific areas to be restricted to a subset of employees. For example, segmenting the Human Resources information from the rest of the company provides an easier way to restrict access to appropriate employees. This also helps to protect your business from inside and outside attempts to gain access to sensitive information.
Cyber Due Diligence Area 10: Periodic Security Assessments
Periodic assessments of an organization’s security posture is one of the most effective methods to determine the readiness to effectively detect and respond to a cyber-attack. Partnering with an independent third-party organization to periodically assess and test your controls helps to identify control gaps and inefficiencies in your IT practices as well. Security assessments should be performed at least annually and will typically include an IT controls assessment against an industry best-practice methodology (NIST, COBIT, etc.), vulnerability scanning of your internal assets and penetration testing to simulate an actual attack.
While the due diligence information required will vary by insurer, these items provide a base for a company to evaluate its own security posture. Have open conversations with your insurance representative periodically to ensure you are covering all necessary areas. Implementation of those controls and a periodic assessment of their effectiveness will help to make sure your organization is covered and able to appropriately respond to cyber-attacks.