Cybersecurity

INSIGHTS & RESOURCES

Cybersecurity Essentials for Businesses

Defending your company from today’s cyber threats requires modern IT security tools, a security-minded culture, and policies based on a well-defined security posture. Read below to learn about the key components of an IT security strategy, and receive our most current guidance and best practices.

Tip Bookmark this page and check back regularly, new cybersecurity content is always being added.

Threats
Technology
Policies
CULTURE
iNSURANCE
threatscape icon

The Threatscape

What began as individual bad actors attacking businesses for fun has transformed into an organized and highly-profitable cybercrime industry. Cybercriminals are professional; they work out of offices, have structured management, and use specialized tools. Businesses can no longer ignore the very real threat that cybercrime represents.

There are four common types of cyber threats, which are often used together. We refer to these collectively as ‘The Threatscape’ and understanding these attacks is the first step to defend your business from them.

Phishing (Social Engineering)
Phishing attacks, or social engineering, attempt to defraud your people into revealing privileged information in order to benefit the bad actor. This often results in providing credentials or transferring money to the criminal. Phishing attacks can range from poorly-written mass emails to highly researched and targeted attacks on your people.
Vulnerability Exploits
Attackers leverage software flaws or weaknesses in your IT systems. These exploits may not be damaging on their own, but they can be used by the attacker as a stepping stone to further infiltrate your network.
Ransomware/Malware
Ransomware/malware is malicious software that is meant to compromise your private data or give the attacker privileges on your network. If the software is installed successfully, the bad actor can prevent you from accessing the data and systems required for your operations. To regain access, you will be asked to pay a ransom fee, and even if you pay, there is no guarantee you will get your access back.
Credential Theft
Credential theft involves impersonating someone with privileged access to your network (like an employee or IT administrator) by using their credentials to log into your systems. Once logged in, the attacker may install malware or send out phishing emails to their victim’s contacts. Unfortunately, it’s common for people to use their corporate credentials on poorly secured third-party sites. If one of those sites has a data breach, credentials that give access to your environment can be easily found and bought on the dark web.

Learn more about cyber attacks

Security Technology Icon

Technology

Today’s businesses must adopt a layered approach to security comprised of security tools that will protect their network, endpoints (e.g., workstations, laptops, mobile devices), cloud & internet access, and applications. Choosing which technology to get and in what order can be difficult task. To help, we developed these IT Security Levels to help you prioritize your security technology implementations and give your organization tangible goals to work towards. 

Security technology is rarely effective right out-of-the-box. A successful technology implementation, security or otherwise, requires extensive planning, design, testing, and tuning.

Poorly implemented security tools…

5

will not function properly

The tool might not integrate with your current technology, or it could interfere with legitimate business processes.
5

will not effectively control your risk

Your new technology may be easily bypassed or defeated.
5

will damage your team's perception of security

Successful technology adoption requires your team’s buy-in; if the technology interferes with their work and is ineffectual, future security initiatives may have increased resistance.

Dive Into Security Technology

Need help with your cybersecurity?

Learn what we can do to secure your business.

cyber security policies and processes icon

Policies

Security policies are the link between your organization’s security posture and your operations. Your security posture is what guides your preparation and response to future unknown threats and is tied to your business’ overall risk appetite. After establishing a security posture, you must develop policies that translate your posture into tangible actions that can be followed and scaled. There are 3 primary types of security policies – Organizational, System-specific, and Issue-specific.

Organizational Policy
An organizational security policy defines your company’s security program, and is the overarching document from which all other security policies are derived. It should include information on the scope, roles and responsibilities, compliance obligations, exceptions, and security posture.
System-specific Policies
Describes the technical standards and operational guidelines for configuring and maintaining individual systems (e.g., CRM, firewall, payroll, etc.). System-specific policies allow you to address the varying security requirements across your systems. For example, you might want to restrict access to a business-critical system to certain people; or, establish a higher-tier backup & recovery solution.
Issue-specific Policies
A detailed policy that outlines your approach on a specific issue. Examples of issue-specific policies:

  • Remote Access
  • Security Incident Response
  • Change Management
  • Data Retention
  • Clean Desk
  • Information Protection

 

read up on security policies & procedures

Security Culture Icon

Culture

Your people are the foundation of your organization’s IT security strategy. Your security technology, policies, and procedures are only effective if they are fully adopted by your team. Here are 4 key elements of building a security culture:

5

Security Awareness Training

You need to teach your employees proper security practices and how to recognize phishing attacks and other common threats.

5

A Top-down Approach

Your entire leadership team must practice and promote proper security hygiene if you expect your team to take it seriously.

5

Keep Security Top-of-Mind

Security isn’t a standalone initiative that you can re-visit every year, it must always be part of the conversation.

5

Mock Phishing Attack Campaigns

Conduct simulated phishing email attacks; reinforcing security awareness training and raises your teams’ vigilance when interacting with unusual situations.
Building a security culture is not a simple undertaking. However, it is one of the best investments you can make for your business. Your people are your biggest security vulnerability and cybercriminals know that. Bad actors favor phishing attacks because they are relatively easy to execute and they work. Do not let your people remain vulnerable, teach them how to protect the company.

learn how to build a security-minded culture

cyber security policies and processes icon

Cyber Insurance

Your business will never be 100% secure. Security is ultimately reliant on people, and people make mistakes. Effective cybersecurity planning involves outlining your recovery process in the event of a successful attack. Cyber insurance should be the cornerstone of your recovery strategy. A successful cyber attack has the potential to cause massive damage – downtime, loss of business, and legal fees can add up quickly. Cyber insurance converts that huge unknown risk into a predictable premium that can be planned around.

The insurance industry is in the process of catching up to the reality of cyber crime – as a result, cyber policies have undergone some major changes recently. If you’re looking to purchase or renew a cyber policy, here are some things to consider:

Understand Your Coverage - Endorsement vs. Stand-alone

Many people think they have “cyber coverage”, but it turns out they only have a cyber endorsement attached to a broader policy. Endorsements typically don’t provide anywhere near enough coverage and they likely won’t include any crisis management services (i.e., digital forensics, legal resources, PR firms, etc.).

Stand-alone cyber policies will give you the coverage and services you need to completely recover from a successful attack. Do not wait until you need to make a claim to find out that you don’t have enough coverage. Get your policy reviewed by a cyber insurance specialist to verify that you have the right coverage.

Do You Have The Core Security Controls?

Carriers have made certain security elements like Multi-Factor Authentication (MFA), backups stored on a separate network, and security awareness training pre-requisites to receive cyber coverage. This list of core controls will grow as the security expectations on businesses continue to rise. Before you start the application/renewal process, make sure that you have fully implemented the core security controls.

Cyber Questionnaire Best Practices

The cyber questionnaire has become increasingly important as carries start cracking down on their cyber policies. Here is how to do the questionnaire right:

  1. Bring your questionnaire to your IT team 3 months before it is due. It takes time to respond to the questionnaire properly and if you start early, you’ll have time to fix any issues that arise.
  2. When in doubt, provide more detail. If you aren’t 100% sure that you’re answering the question properly, feel free to provide as much context and detail as you can. That way if there is an issue down the road, you explained your situation completely and your policy was approved; ambiguity will likely not work in your favor.
  3. Establish a yearly review process. Changes in the cyber insurance space aren’t slowing down. Meet with a cyber insurance expert to understand what this years’ expectations are so that you can make sure you are properly positioned for renewal.

Need help? Frankly cyber insurance policies are all over the place right now. We strongly recommend that you have your policy reviewed by a firm that specializes in cyber insurance, just to make sure that you have the coverage that you think you do.

More cyber insurance insights

Want more insights like this?

Sign up for our emails to get notified when we have new content and resources to share.