May 15, 2017
Take control of your Cyber risk
With the recent cyber attack on the NHS bringing cyber security to the forefront of people’s minds, now is the perfect time to review where you stand in terms of cyber security. You should be considering not only what you can do to protect your business from suffering an attack, but also to provide the specialist support you need should the worst happen.
Cyber insurance is more crucial than ever as attacks and data breaches increase in both frequency and sophistication. Having the right cover in place will support and protect your business if it is the subject of an attack by a malicious hacker, or experiences a data breach. It not only provides comprehensive cover, but will provide you with a trusted partner to support your business in the event of a cyber attack.
Do need cyber cover?
- Is your business reliant on computer systems?
- Do you have a website?
- Do you hold sensitive customer data, such as names, addresses or banking information?
- Do you have a payment card industry (PCI) merchant services agreement?
If you answered ‘yes’ to any of the questions above, then you need cyber cover.
Businesses are now more reliant on technology than ever before. It’s difficult to think of a sector that isn’t reliant on technology and wouldn’t be affected by a cyber attack.
You may hold personal information on clients or customers, including names, addresses and bank details. Your business systems and data may be held on office servers or in the cloud, or you may be an online business reliant on your website to do business. Given its focus on innovation and an increasing reliance on technology, the manufacturing industry is particularly vulnerable to cyber risks too. Damage or unauthorised access to any of these could lead to loss of business, legal or regulatory costs and reputational damage.
How does cyber insurance protect your business?
Insurance is one of the only ways to ensure your business is covered should the worst happen, cyber is no different to any other aspect of your business.
Unlike other areas of your business, you may not have the specialist knowledge and expertise required should you experience a cyber attack. In addition to financial compensation, you will also receive professional support from a team of experts – from specialist technical support to legal advice, PR and even identity theft assistance for your customers that may be affected.
As cyber risks are constantly evolving, security audits can help identify weaknesses in your computer system and response plans can be put in place so you are prepared should you suffer a data breach. You can never let down your guard in protecting your systems and training your people to recognise the threat, as part of your cyber cover you will have access to the resources you need.
Take action now!
Lloyd’s of London predicted a rise in demand for cyber insurance in 2017 as the threat of cyber breaches is expected to double. The insurance market responded and a range of insurance products have been developed to meet the increasing demand for cover, so not only is there a product available to suit your specific business needs, but it’s also far more cost effective than ever before.
To protect your business, just contact Mark Minton and our team will be happy to provide a quotation for your specific requirements.
10 steps to cyber security
The National Cyber Security Centre, set up by the Government to lead in our efforts to combat cyber threats, provide the following guidance on how organisations can protect themselves in cyberspace, including the 10 steps to cyber security detailed below.
Risk Management Regime
Embed an appropriate risk management regime across the organisation. This should be supported by an empowered governance structure, which is actively supported by the board and senior managers. Clearly communicate your approach to risk management with the development of applicable policies and practices. These should aim to ensure that all employees, contractors and suppliers are aware of the approach, how decisions are made, and any applicable risk boundaries.
Having an approach to identify baseline technology builds and processes for ensuring configuration management can greatly improve the security of systems. You should develop a strategy to remove or disable unnecessary functionality from systems, and to quickly fix known vulnerabilities, usually via patching. Failure to do so is likely to result in increased risk of compromise of systems and information.
The connections from your networks to the Internet, and other partner networks, expose your systems and technologies to attack. By creating and implementing some simple policies and appropriate architectural and technical responses, you can reduce the chances of these attacks succeeding (or causing harm to your organisation). Your organisation’s networks almost certainly span many sites and the use of mobile or remote working, and cloud services, makes defining a fixed network boundary difficult. Rather than focusing purely on physical connections, think about where your data is stored and processed, and where an attacker would have the opportunity to interfere with it.
Managing user privileges
If users are provided with unnecessary system privileges or data access rights, then the impact of misuse or compromise of that users account will be more severe than it need be. All users should be provided with a reasonable (but minimal) level of system privileges and rights needed for their role. The granting of highly elevated system privileges should be carefully controlled and managed. This principle is sometimes referred to as ‘least privilege’.
User education and awareness
Users have a critical role to play in their organisation’s security and so it’s important that security rules and the technology provided enable users to do their job as well as help keep the organisation secure. This can be supported by a systematic delivery of awareness programmes and training that deliver security expertise as well as helping to establish a security-conscious culture.
All organisations will experience security incidents at some point. Investment in establishing effective incident management policies and processes will help to improve resilience, support business continuity, improve customer and stakeholder confidence and potentially reduce any impact. You should identify recognised sources (internal or external) of specialist incident management expertise.
Malicious software, or malware is an umbrella term to cover any code or content that could have a malicious, undesirable impact on systems. Any exchange of information carries with it a degree of risk that malware might be exchanged, which could seriously impact your systems and services. The risk may be reduced by developing and implementing appropriate anti-malware policies as part of an overall ‘defence in depth’ approach.
System monitoring provides a capability that aims to detect actual or attempted attacks on systems and business services. Good monitoring is essential in order to effectively respond to attacks. In addition, monitoring allows you to ensure that systems are being used appropriately in accordance with organisational policies. Monitoring is often a key capability needed to comply with legal or regulatory requirements.
Removable media controls
Removable media provide a common route for the introduction of malware and the accidental or deliberate export of sensitive data. You should be clear about the business need to use removable media and apply appropriate security controls to its use.
Home and mobile working
Mobile working and remote system access offers great benefits, but exposes new risks that need to be managed. You should establish risk based policies and procedures that support mobile working or remote access to systems that are applicable to users, as well as service providers. Train users on the secure use of their mobile devices in the environments they are likely to be working in.
You can find further information and keep up to date by visiting their website at www.ncsc.gov.uk