A Business Security Framework for the cyber insured


The introduction and subsequent uptake of insurance focusing on "cyber" have shown that the insurance industry is serious about protecting the assets of businesses all over the world.

The level of protection is dependent on the policy, your business requirements and also how much protection you need for your business.

Insurance without looking at increased protection, however, will not work. A breach could put you in the situation where you are not covered.

If you do not get your business security and protection correct, then you will be in a situation where a cyber crime against your business will not be covered under your insurance policy.

Here is a basic framework that aligns with most cyber insurance policies.

Technology

There are a number of areas where technology investment is paramount.

Router, modem, firewall - get the best you can afford. Definitely get rid of the system supplied by the ISP or the one bought from a home retail shop; as a level of protection they will not protect your organisation. Minimum spend should be around $600 for a small business, up to more than $20k for a large organisation.

End point protection - there are two things to know about end point protection. First, it will catch malware and suspect applications because, like us, the hackers are inherently lazy and reuse old, known code. Second, running a regular scan will find infections that got in as zero days once they become incorporated into the signature files.

Wifi - access to your wifi allows access to your systems, whether it is set up to allow that access or not. Once again, spend a little and invest in the best you can afford.

Encryption - if you are collecting staff, user, client and financial information, then it needs to be protected from eavesdropping with encryption. Encryption needs to cover data at rest as well as wherever and whenever it is stored.

Patching and updates - operating systems - do it; applications - do it; websites - do it; tablets and phones - do it. Absolutely critical to protecting anything digital.

Up to date operating systems and applications - if you are using old versions of macOS, Windows XP or Android, replace them ASAP.

Management

Policies, procedures and processes - policies are very important as they tell your staff where you stand on passwords, internet usage, email usage, education and training. Procedures allow you to specify how things are done so that anyone can walk in and do a task without supervision. Processes also allow systems inside the organisation to be implemented to a standard.

Audit and reporting - it is no use collecting information from the system if no one is going to look at it. You need to implement a standard process that audits the information and reports it to management.

Logging and alerts - all systems have some level of logging. In a small organisation daily checks of individual logs can be done; in larger organisations there is a need for a central location and a system that alerts staff to issues coming from firewalls, intrusion detection or AV.
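As an added illustration of the "central location plus alerting" idea above (this is example code written for this page, not something from the author's framework or from any product), the following script pulls firewall, intrusion detection and AV lines into one place, normalises them, and raises alerts on three simple conditions: an AV detection, a top-priority IDS alert, and a burst of denied connections from one source address. The log format, the source names and the sample lines are all constructed for the example; real devices each have their own format, so the parser would need adapting.

```python
import re
from collections import Counter
from typing import Dict, List

# Constructed sample lines in an assumed "timestamp source event key=value ..." layout.
# This is not any vendor's real log format; it stands in for what a central collector
# would receive after normalising firewall, IDS and AV output.
SAMPLE_LOGS = """\
2024-03-01T08:00:01 firewall DENY src=203.0.113.7 dst=192.0.2.10 dport=22
2024-03-01T08:00:02 firewall DENY src=203.0.113.7 dst=192.0.2.10 dport=23
2024-03-01T08:00:03 firewall DENY src=203.0.113.7 dst=192.0.2.10 dport=3389
2024-03-01T08:00:04 firewall DENY src=203.0.113.7 dst=192.0.2.10 dport=445
2024-03-01T08:00:05 firewall DENY src=203.0.113.7 dst=192.0.2.10 dport=8080
2024-03-01T08:00:06 firewall ALLOW src=192.0.2.25 dst=198.51.100.5 dport=443
2024-03-01T08:01:10 ids ALERT priority=1 sig="example rule: suspicious outbound connection"
2024-03-01T08:02:30 av DETECTED host=PC-07 threat=Example.Trojan action=quarantined
2024-03-01T08:02:31 av CLEAN host=PC-08
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<source>\S+)\s+(?P<event>\S+)\s*(?P<rest>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Number of denied connections from a single source that should wake someone up
# (assumed threshold for the example; tune it to your own traffic).
DENY_THRESHOLD = 5


def parse_line(line: str) -> Dict[str, str]:
    """Turn one raw line into a flat dict; an empty dict means the line was unparseable."""
    match = LINE_RE.match(line)
    if not match:
        return {}
    record = {"ts": match.group("ts"), "source": match.group("source"), "event": match.group("event")}
    for key, value in KV_RE.findall(match.group("rest")):
        record[key] = value.strip('"')
    return record


def triage(log_text: str) -> List[Dict[str, str]]:
    """Walk the combined log once and return the alerts staff should be told about."""
    alerts: List[Dict[str, str]] = []
    denies_per_source: Counter = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec:
            continue  # unparseable lines are skipped, not silently treated as benign
        source, event = rec["source"], rec["event"]
        if source == "av" and event == "DETECTED":
            alerts.append({
                "severity": "high", "source": "av", "ts": rec["ts"],
                "summary": f"{rec.get('threat')} on {rec.get('host')} ({rec.get('action')})",
            })
        elif source == "ids" and event == "ALERT" and int(rec.get("priority", "9")) <= 1:
            alerts.append({"severity": "high", "source": "ids", "ts": rec["ts"], "summary": rec.get("sig", "")})
        elif source == "firewall" and event == "DENY":
            src_ip = rec.get("src", "unknown")
            denies_per_source[src_ip] += 1
            if denies_per_source[src_ip] == DENY_THRESHOLD:  # fire once, not on every further deny
                alerts.append({
                    "severity": "medium", "source": "firewall", "ts": rec["ts"],
                    "summary": f"{DENY_THRESHOLD}+ denied connections from {src_ip}",
                })
    return alerts


if __name__ == "__main__":
    for alert in triage(SAMPLE_LOGS):
        print(f"[{alert['severity'].upper()}] {alert['ts']} {alert['source']}: {alert['summary']}")
```

The point of the design is that a person only has to read the alert list, not nine raw lines from three different devices; in a real deployment the same three rules would sit in whatever log management or SIEM product collects the logs, with the thresholds chosen to suit the organisation's normal traffic.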

Password management - in today's world passwords are your passport to the digital world, so they have to have three components: they must be more than 10 characters, must be unique for each location and must be complex, having letters, numbers, capitals and symbols.

Education and training - there is a 300% ROI on education in an organisation. Your staff are the first and last line of defense: when the technology fails, an educated user will be the last line of defense.
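To show what the three password components above look like as an actual check (added example code for this page, not part of the author's framework), the script below tests a password for the length and complexity rules and then checks a set of credentials for reuse across locations. It assumes it runs somewhere the plaintext is available, for instance in a password manager export or at the moment a password is set; it cannot be run against stored hashes. The sample credentials are constructed for the example.

```python
import re
import string
from typing import Dict, List

# Constructed sample: location -> password, as a password manager export might give it.
SAMPLE_CREDENTIALS = {
    "bank": "Tr0ub4dor&3xyz",
    "email": "summer2019",
    "crm": "summer2019",              # same password as email: fails the uniqueness rule
    "vpn": "Correct-Horse-Battery-9",
}


def check_complexity(password: str) -> List[str]:
    """Return the list of length/complexity rules the password fails (empty means it passes)."""
    failures = []
    if len(password) <= 10:                       # the rule is "more than 10 characters"
        failures.append("must be more than 10 characters")
    if not re.search(r"[a-z]", password):
        failures.append("must contain letters")
    if not re.search(r"[A-Z]", password):
        failures.append("must contain capitals")
    if not re.search(r"[0-9]", password):
        failures.append("must contain numbers")
    if not any(ch in string.punctuation for ch in password):
        failures.append("must contain symbols")
    return failures


def check_uniqueness(credentials: Dict[str, str]) -> Dict[str, List[str]]:
    """Map every password used at more than one location to the locations sharing it."""
    locations_by_password: Dict[str, List[str]] = {}
    for location, password in credentials.items():
        locations_by_password.setdefault(password, []).append(location)
    return {pw: locs for pw, locs in locations_by_password.items() if len(locs) > 1}


def audit(credentials: Dict[str, str]) -> Dict[str, List[str]]:
    """Combine both checks into one report: location -> list of failed rules."""
    reused = check_uniqueness(credentials)
    report = {}
    for location, password in credentials.items():
        failures = check_complexity(password)
        if password in reused:
            others = ", ".join(loc for loc in reused[password] if loc != location)
            failures.append(f"must be unique for each location (shared with {others})")
        report[location] = failures
    return report


if __name__ == "__main__":
    for location, failures in audit(SAMPLE_CREDENTIALS).items():
        print(f"{location}: {'OK' if not failures else '; '.join(failures)}")
```

The report never prints the passwords themselves, only which rule each location fails, so it can be handed to the person who owns the account without spreading the secret further.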

Sustainability

Disaster recovery - when it all goes to custard (and it will) you had better have a way back. That is what disaster recovery is all about. It doesn't matter whether it is physical (flood, fire) or digital (cryptovirus, failed hard drive): everything that is stored digitally is vulnerable.

Risk management - you need to weigh up the risks of an issue impacting your organisation. The higher the risk, the more you need to mitigate it. Using the NIST framework to manage your risk and exposure will benefit the process of risk management.

Backups - everything that is important needs to have a backup made of it. If it is business critical, then the risk of something happening needs to be weighed up against mitigation and cost. Virtual imaging backup software goes a long way toward solving this problem.

Business continuity - what happens if the district where your office is located is locked down and no one can access the office? What contingencies have you got in place?

Compliance

If you are collecting PII (personal identification information) then you will have a compliance requirement. If you are collecting financial information then PCI DSS compliance requirements come into the situation as well.

So insurance is all very well, but unless your organisation invests in the additional components of your cyber protection you may find that the cryptovirus that has encrypted all of your data is not covered.

If you want to know more, get my book or ebook.

Roger Smith is the CEO of R & I ICT Consulting Services, Lecturer at ADFA (UNSW - Australian Centre of Cybersecurity), Amazon #1 selling author on Cybercrime, Author of the Digital Security Toolbox and the SME Digital Security Framework. He is a Speaker, Author, Teacher and educator on cybercrime and how to protect yourself from the digital world.
