With cyberattacks growing in size and complexity — and underwriters more closely scrutinising their cyber risk exposures — it’s vital that businesses invest in robust cybersecurity controls.
As many of us have seen in recent years, cyberattacks continue to increase, fuelled by more sophisticated and persistent attackers. Ransomware attacks alone have increased by a staggering 150% year-over-year, and it has become commonplace to read and hear about multimillion-dollar ransom demands. In prior periods, certain industries — for example healthcare, retail and financial institutions — were more likely to be targeted; what we are all seeing now is that no sector is left untouched. Everyone is at risk.
Main Cyber Controls
As these attacks continue to evolve and, quite frankly, grow more costly for all businesses, one thing we have seen in the insurance world is that underwriters are scrutinising cyber insurance applications more carefully than ever before, and they are asking more and more questions about each business’s operating environment. This is being driven by the loss history of the last 12 to 18 months, and really the last two years, and underwriters are hyper-focused on the controls environment.
At Marsh, we have tried to home in on the main cyber controls that underwriters focus on, and we have landed on 12 key cyber hygiene controls. We believe companies should prioritise these, and we have narrowed them further to a top five.
Those are: multi-factor authentication (MFA); endpoint detection and response (EDR); privileged access management (PAM); secured, encrypted and tested backups; and email filtering and web security.
1. Multifactor authentication (MFA).
Hackers today have access to technology able to break user passwords, even ones considered strong — especially when users reuse passwords across multiple sites, which occurs frequently. Organisations should bolster their security through MFA, which requires at least two pieces of evidence (factors) to prove the user’s identity. Usually the two factors are something you know and something you have. For example, a time-sensitive PIN code delivered through an app or via text message is often the second factor on top of the user’s password. Although no cybersecurity tool is perfect, MFA provides a substantial barrier to entry.
2. Endpoint detection and response (EDR).
It’s important for companies to have up-to-date information about the security posture of any devices employees use to receive corporate information, whether a laptop, desktop or mobile device. Widely available software gathers critical information, such as the location of the device, the last time it was updated, the current software version, and any attempts to download new software. EDR offers continuous monitoring together with more advanced detection and automated response capabilities. The monitoring software watches for any suspicious or irregular activities. EDR also facilitates rapid incident response across an organisation’s environment.
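As an added illustration (not the article’s or any vendor’s code) of what is done with the information an agent reports, the following evaluates constructed device telemetry against a hypothetical policy: patch age, minimum OS version, and software install attempts, and maps the findings to a response. The hostnames, timestamps, thresholds and signer names are all assumptions made for the example.

```python
from datetime import datetime, timezone

# Constructed sample telemetry, shaped like what an EDR agent reports per device.
ENDPOINTS = [
    {"host": "LT-0142", "location": "office", "os_version": "10.0.19045",
     "last_update": "2024-03-01T08:12:00Z", "events": []},
    {"host": "DT-0099", "location": "office", "os_version": "10.0.19045",
     "last_update": "2024-01-20T09:00:00Z",
     "events": [{"type": "software_install_attempt", "binary": "agent-setup.msi",
                 "signer": "Example Corp"}]},
    {"host": "LT-0287", "location": "remote", "os_version": "10.0.19041",
     "last_update": "2023-11-20T17:45:00Z",
     "events": [{"type": "software_install_attempt", "binary": "updater.exe",
                 "signer": None}]},
]

# Hypothetical policy thresholds for this example.
POLICY = {
    "max_patch_age_days": 30,
    "min_os_version": "10.0.19044",
    "approved_signers": {"Example Corp"},
}


def parse_ts(value: str) -> datetime:
    """Parse the agent's UTC timestamp ('...Z') into an aware datetime."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def version_tuple(version: str) -> tuple:
    """Compare dotted versions numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def assess(endpoint: dict, policy: dict, now: datetime) -> dict:
    """Return posture findings for one device and the automated response."""
    findings = []
    age = (now - parse_ts(endpoint["last_update"])).days
    if age > policy["max_patch_age_days"]:
        findings.append(f"no update for {age} days")
    if version_tuple(endpoint["os_version"]) < version_tuple(policy["min_os_version"]):
        findings.append(f"os version {endpoint['os_version']} "
                        f"below minimum {policy['min_os_version']}")
    unapproved_install = False
    for event in endpoint["events"]:
        if (event["type"] == "software_install_attempt"
                and event["signer"] not in policy["approved_signers"]):
            findings.append(f"install attempt by unapproved signer: {event['binary']}")
            unapproved_install = True
    # Response tiers: unapproved software on the box is isolated from the network;
    # stale-but-quiet devices raise an alert for the patching team.
    if unapproved_install:
        action = "isolate"
    elif findings:
        action = "alert"
    else:
        action = "none"
    return {"host": endpoint["host"], "location": endpoint["location"],
            "findings": findings, "action": action}


def triage(endpoints: list, policy: dict, now: datetime) -> dict:
    """Assess every device and index the results by hostname."""
    return {e["host"]: assess(e, policy, now) for e in endpoints}


if __name__ == "__main__":
    for host, result in triage(ENDPOINTS, POLICY, parse_ts("2024-03-15T00:00:00Z")).items():
        print(host, result["action"], result["findings"])
```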
3. Secured, encrypted, and tested backups.
Increased ransomware activity underscores the need for organisations to have a robust backup strategy for their critical data and applications. Backup intervals will depend on how often the data changes, but most organisations run periodic full backups — for example weekly or multiple times per month — and more frequent incremental backups daily or every few days. Backups should be encrypted so that they cannot be tampered with. It is a best practice to logically separate backups from the network so they are not easily accessible to any threat actors. Immutable backups, which lock previous versions of a backup so they cannot be altered or deleted, offer a similar layer of security. The IT / IS department should establish a data restoration testing schedule during which backups are restored to ensure that they work as intended.
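Encryption keeps a stolen backup unreadable; detecting that a backup has been altered additionally needs an integrity check, and knowing it can be restored needs an actual restore. The following added example (not the article’s or any backup product’s code) shows the second and third parts: a signed SHA-256 manifest over a constructed backup set, and a restore test that extracts the archive to a scratch directory and checks every file against the manifest. The sample files, the manifest key and the function names are assumptions for the example; encryption at rest is assumed to be applied by the backup tool around this.

```python
import hashlib
import hmac
import io
import json
import os
import tarfile
import tempfile

# Constructed sample backup set (not real data).
SAMPLE_FILES = {
    "db/customers.csv": b"id,name\n1,Example Customer\n2,Another Customer\n",
    "config/app.ini": b"[app]\nmode=production\n",
}
# Placeholder key for the manifest tag; in practice it lives in a secret store,
# never alongside the backup it protects.
MANIFEST_KEY = b"backup-integrity-key-placeholder"


def build_archive(files: dict) -> bytes:
    """Pack the file set into an uncompressed USTAR tar held in memory."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.USTAR_FORMAT) as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            info.mode = 0o644
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def build_manifest(files: dict) -> dict:
    """SHA-256 of every file, recorded at backup time."""
    return {name: hashlib.sha256(data).hexdigest() for name, data in files.items()}


def sign_manifest(manifest: dict, key: bytes) -> str:
    """HMAC over a canonical JSON form, so the manifest itself cannot be edited."""
    canonical = json.dumps(manifest, sort_keys=True).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def verify_manifest(manifest: dict, tag: str, key: bytes) -> bool:
    return hmac.compare_digest(sign_manifest(manifest, key), tag)


def _safe_member(name: str) -> bool:
    """Reject absolute paths and '..' so a crafted archive cannot escape the restore dir."""
    return not (name.startswith("/") or ".." in name.split("/"))


def restore_test(archive: bytes, manifest: dict, tag: str, key: bytes) -> tuple:
    """Restore into a scratch directory and compare each file with the manifest.

    Returns (ok, problems): ok is True only if the manifest verifies, every
    listed file was restored, and every restored file hashes as recorded."""
    if not verify_manifest(manifest, tag, key):
        return False, ["manifest signature does not verify"]
    problems, restored = [], set()
    with tempfile.TemporaryDirectory() as restore_dir:
        with tarfile.open(fileobj=io.BytesIO(archive), mode="r") as tar:
            for member in tar.getmembers():
                if not member.isfile():
                    continue
                if not _safe_member(member.name):
                    problems.append(f"unsafe path: {member.name}")
                    continue
                target = os.path.join(restore_dir, member.name)
                os.makedirs(os.path.dirname(target), exist_ok=True)
                with tar.extractfile(member) as src, open(target, "wb") as dst:
                    dst.write(src.read())
                restored.add(member.name)
                with open(target, "rb") as fh:  # hash what actually landed on disk
                    digest = hashlib.sha256(fh.read()).hexdigest()
                if manifest.get(member.name) != digest:
                    problems.append(f"hash mismatch: {member.name}")
    for name in manifest:
        if name not in restored:
            problems.append(f"missing: {name}")
    return (not problems), problems


if __name__ == "__main__":
    archive = build_archive(SAMPLE_FILES)
    manifest = build_manifest(SAMPLE_FILES)
    tag = sign_manifest(manifest, MANIFEST_KEY)
    print("clean restore:", restore_test(archive, manifest, tag, MANIFEST_KEY))
    damaged = bytearray(archive)
    damaged[515] ^= 0xFF  # flip a byte inside the first file's data
    print("tampered restore:", restore_test(bytes(damaged), manifest, tag, MANIFEST_KEY))
```

Run on a schedule against the backup actually stored off-network, this is the restoration test the paragraph calls for: it proves the copy is both complete and unaltered, rather than merely present.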
4. Privileged access management (PAM).
Users should be required to use higher-security login credentials to access administrator or privileged accounts, and special users — such as IT, network or database administrators — should only be allowed to carry out specific tasks through their privileged access. Users with privileged or administrator accounts should be required to log out of those accounts to conduct any non-privileged tasks. That means a system administrator who logged in through his or her privileged account to change security settings should log out once that task is complete and use ‘standard user’ credentials to check email or browse the web, even if these are work-related tasks. Many organisations implement privileged access management solutions to automate privileged credential management and session management.
5. Email filtering and web security.
Email and web browsing platforms are full of pitfalls and need to be controlled to prevent threat actors gaining an initial foothold in your network. Email filtering seeks to identify any messages that include links or attachments. Advanced systems screen those links and attachments for potential malware or other malicious content, and flagged attachments can be opened in a “sandbox” to be thoroughly checked. Organisations should block access to any web pages deemed inappropriate and to those that may contain malware. These security controls should be active at all times, whether a user is working at the office or remotely, to prevent exposure to websites where bad actors may be seeking to take advantage of unsuspecting web browsing activity.
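As an added example (not the article’s or any mail gateway’s code), the screening step described above can be shown with the standard `email` library: parse a message, count links and attachments, and apply a few well-known gateway checks: links to a blocked domain, executable or double-extension attachment names, macro-enabled Office files, and a declared content type that does not match the file’s magic bytes. The sample messages, the blocked-domain list and the verdict names are constructed for this example.

```python
import re
from email import message_from_bytes
from email.message import EmailMessage
from email.policy import default

# Constructed policy values for the example (assumptions, not from the article).
BLOCKED_DOMAINS = {"phish.example", "malware-download.example"}
EXECUTABLE_EXTS = {".exe", ".scr", ".js", ".vbs", ".bat", ".cmd", ".ps1", ".hta", ".jar"}
MACRO_EXTS = {".docm", ".xlsm", ".pptm"}
MAGIC = {"application/pdf": b"%PDF", "image/png": b"\x89PNG"}  # leading bytes per type
URL_RE = re.compile(r"https?://([^\s\"'<>/]+)[^\s\"'<>]*", re.IGNORECASE)


def link_findings(text: str) -> list:
    """Flag every URL whose host is, or sits under, a blocked domain."""
    findings = []
    for match in URL_RE.finditer(text):
        host = match.group(1).lower().rsplit("@", 1)[-1].split(":")[0]
        if host in BLOCKED_DOMAINS or any(host.endswith("." + d) for d in BLOCKED_DOMAINS):
            findings.append(f"link to blocked domain {host}")
    return findings


def attachment_findings(part) -> list:
    """Name- and content-based checks on one attachment part."""
    name = (part.get_filename() or "").lower()
    ctype = part.get_content_type()
    data = part.get_payload(decode=True) or b""
    exts = re.findall(r"\.[a-z0-9]+", name)  # 'invoice.pdf.exe' -> ['.pdf', '.exe']
    findings = []
    if exts and exts[-1] in EXECUTABLE_EXTS:
        findings.append(f"executable attachment {name}")
    if exts and exts[-1] in MACRO_EXTS:
        findings.append(f"macro-enabled document {name}")
    if len(exts) > 1:
        findings.append(f"double extension {name}")
    magic = MAGIC.get(ctype)
    if magic and not data.startswith(magic):
        findings.append(f"{name} does not match declared type {ctype}")
    return findings


def screen(raw: bytes) -> dict:
    """Parse a raw message and return counts, findings and a verdict.

    quarantine: a check fired; sandbox: attachments present but clean so far,
    detonate before delivery; deliver: no links or attachments of concern."""
    msg = message_from_bytes(raw, policy=default)
    findings, links, attachments = [], 0, 0
    for part in msg.walk():
        if part.is_multipart():
            continue
        if part.get_content_disposition() == "attachment":
            attachments += 1
            findings += attachment_findings(part)
        elif part.get_content_type() in ("text/plain", "text/html"):
            text = part.get_content()
            links += len(URL_RE.findall(text))
            findings += link_findings(text)
    if findings:
        verdict = "quarantine"
    elif attachments:
        verdict = "sandbox"
    else:
        verdict = "deliver"
    return {"verdict": verdict, "links": links, "attachments": attachments, "findings": findings}


def build_sample(body: str, filename=None, data=b"", mime=("application", "octet-stream")) -> bytes:
    """Construct a sample message (with an optional attachment) as raw bytes."""
    msg = EmailMessage()
    msg["From"] = "accounts@vendor.example"
    msg["To"] = "ap@company.example"
    msg["Subject"] = "Invoice"
    msg.set_content(body)
    if filename:
        msg.add_attachment(data, maintype=mime[0], subtype=mime[1], filename=filename)
    return msg.as_bytes()


# Constructed samples: a lure, a clean invoice, a disguised executable, and plain text.
SUSPICIOUS_MESSAGE = build_sample("Please review: http://phish.example/login",
                                  "invoice.pdf.exe", b"MZ\x90\x00fake", ("application", "octet-stream"))
CLEAN_MESSAGE = build_sample("Invoice attached, portal: https://vendor.example/portal",
                             "invoice.pdf", b"%PDF-1.4 fake", ("application", "pdf"))
MISMATCH_MESSAGE = build_sample("Invoice attached", "invoice.pdf", b"MZ\x90\x00fake", ("application", "pdf"))
PLAIN_MESSAGE = build_sample("Thanks, received.")

if __name__ == "__main__":
    for label, raw in [("suspicious", SUSPICIOUS_MESSAGE), ("clean", CLEAN_MESSAGE),
                       ("mismatch", MISMATCH_MESSAGE), ("plain", PLAIN_MESSAGE)]:
        print(label, screen(raw))
```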