Insurers now expect businesses, even small businesses, to have a cyber security plan, or at least a designated person responsible for cyber security within the business. Cyber insurers now want to see a range of security measures in place, and for those measures to be in proportion to the size of the business.
We have noticed, however, that most insurers now have a minimum number of measures they expect to be in place – the new minimum standard.
So what are they? We talk you through the five measures to have in place.
1. Back ups
Your business is reliant on its information and data. A cyber loss or attack would be catastrophic for most small businesses if the data were to be destroyed or completely irrecoverable. As such, data backups are deemed essential by most cyber insurers.
Insurers want to know:
- How you back up: the process in detail and types of backups
- The technology used
- The frequency of backups
- The storage method used (online or offline)
- How often you test the backups and how you protect your backups
2. Employee Awareness Training
This is absolutely crucial. Your biggest vulnerability is the people involved in your business, and cyber criminals take advantage of that. Employees must be aware of how cyber criminals penetrate systems.
Training programmes are intended to increase employees’ security awareness. We must all be informed about topics such as:
- How to identify potential phishing emails
- What to click and what not to click
- Downloading programmes and files and what not to download
- Vulnerable programmes and applications
Most cyber claims result from an employee making a simple and easy mistake. Education is critical.
3. Multi-factor authentication (MFA)
You might have used MFA for personal banking, where bank keypads are used to prevent access to bank accounts without an authentication number.
The same is expected of small businesses. MFA should be in place to access all systems where possible, or at the very least in place to access emails – which for most businesses are a lifeline.
MFA involves the user authenticating themselves through two different means when remotely logging into a computer system or email account. Usually these are your password and a passcode generated by a physical token device or software, or sent as a text message.
There really is no excuse for not having this in place on emails as a minimum. Most of us use the big providers for emails, such as Microsoft or Google. They have this technology; it’s just a case of activating it. Microsoft has put together additional resources on MFA.
4. Endpoint Protection Software & Antivirus
All insurers now expect some form of protection for the individual devices (endpoints) being used. Endpoint protection software, which uses behavioural and signature-based analysis to identify and stop malware infections, should be installed on individual computers.
There is a huge amount of competition between antivirus and endpoint providers. Do your research or seek advice, and don’t skimp! A good quality provider will provide good value for your business.
If you have a server and shared infrastructure, then you must have a good quality firewall. A firewall is a simple hardware solution used to control and monitor network traffic.