P&C, March 2018 issue

Cybering Up for Your Safety

This 15-step program will help you recover from unsafe practices.
By Jody Westby

An enterprise security program is a complicated mash of hardware, software, networks, configuration settings, and operational policies and procedures. There are numerous best practices and standards, and most have more than a dozen categories and hundreds of requirements encompassing technical, administrative and physical realms.

It is no wonder business leaders often seem uncertain about whether their cyber-security budgets are being spent on projects or technologies that really will make their data and systems more secure. A more simplified view is required.

One way to reduce the complexity is to step back and ask which cyber-security program requirements are critical to reducing risk, which are important to reducing risk, and which are basic requirements in reducing risk.

  • The critical requirements of a security program are those that are essential in maintaining any semblance of a strong security posture and, if not performed, could result in significant harm to data, systems or the organization.
  • The important requirements are essential, but if they are not performed or are partially performed, the harm may be less consequential than that flowing from critical requirements.
  • The basic requirements are security program activities that are best practices but may result in less impact on the organization if they are not performed or are performed poorly.

These are generalizations, of course, but let’s consider some examples. Access controls are critical. If an organization does not have sufficient access control policies and procedures and supporting technologies in place, it will not be able to secure its data or systems, hold users accountable, or maintain accurate records for compliance and forensic purposes.

Equipment inventories are important. Companies should maintain an inventory of equipment provided to employees and check off return of equipment upon employee departure. If they do not, there is a risk that a phone or laptop might not be returned and some company data may be on it. This exposure is limited to internal individuals and may be mitigated by other controls, such as encryption and access policies.

Secured telecommunications cabling is a basic requirement. While it is always a best practice to secure telecommunications cabling against interference or damage, on the whole, most companies have little risk of their cabling being tampered with.

Organizations have limited resources for IT and cyber-security programs, and many executives do not fully understand what an enterprise security program really is or know what is required by best practices and standards. (For more on that, read my previous column “Starving Your IT Budget.”) In the face of an increasingly sophisticated threat environment, executives struggle with understanding which cyber-security activities will matter the most in defending against cyber attacks and protecting company assets.

As a general rule, if companies make sure they meet the critical requirements—and add a few important ones—they will have a strong cyber-security foundation on which to build and a decent chance of detecting, deterring and preventing cyber attacks. In a recent review of the 114 requirements for the ISO 27001 standard for information security, my team tagged 58 requirements as critical, 32 as important and 24 as basic.

From the 58 critical requirements, we identified the top 15 that we believe are essential activities for all cyber-security programs. If you undertake these cyber-security solutions, you’ll put your organization on stronger footing against cyber attacks in 2018.

When reviewing cyber-security budgets and resource allocations, executives should check to see how much of the funding is for activities on this list of resolutions. Management also now has a solid list of critical requirements they can refer to when discussing priorities with IT and security personnel. Agents and brokers also can use this information to better serve their clients and help them make informed decisions on managing cyber risks and improving their organization’s cyber-security posture.

15 Steps to Safer Cyber Security

  1. Assign roles and responsibilities for cyber security, both within the executive ranks and at the operational level.
  2. Maintain up-to-date inventories of applications, data and hardware—an organization has to know what assets it has in order to secure them.
  3. Demand strong access controls; use two-factor authentication for remote access (e.g., password and biometric authentication or fob code).
    1. Do not allow shared user accounts.
    2. Require strong passwords or biometric authentication.
    3. Change all default passwords, even on printers, copiers, scanners and digital cameras.
    4. Limit access to only the data and systems needed for job performance.
    5. Control and monitor privileged access for system administrator functions; only system administrators should be able to install software or add hardware.
  4. Install anti-malware software, automatically update it and run scans frequently. Use next-generation firewalls.
  5. Use only equipment and software that is within vendor support (check Microsoft products by referring to this site: bit.ly/2aS8mHe).
  6. Get rid of legacy applications that require out-of-support software or operating systems (no matter how much the business users love them).
  7. Update all software and apply patches within one month of notification—sooner if serious vulnerabilities have been identified.
  8. Allow local admin rights on workstations or laptops only where absolutely necessary.
  9. Use full-disk encryption for laptops and encrypt sensitive data at rest.
  10. Use network segmentation to restrict users and applications to defined areas of the network.
  11. Develop an incident response plan capable of managing all types of incidents and test it involving all stakeholders.
  12. Regularly back up systems and data, store backups offsite, and develop and test recovery plans.
  13. Restrict the use of removable media (thumb drives, CDs, external hard drives).
  14. Develop and implement cyber-security policies and procedures in alignment with best practices and standards.
  15. Perform regular risk assessments of the cyber-security program, including reviews of cyber insurance.
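An audit of the kind steps 2, 5, 7, 8 and 9 call for, as an added Python example that is not part of the column: it checks a constructed asset inventory against vendor-support dates, the one-month patch window from step 7 (the seven-day window for serious vulnerabilities is an assumption here, since the column only says "sooner"), local admin rights and laptop disk encryption. Asset names and dates are made up.

```python
from datetime import date, timedelta

# Step 7: patch within one month of notification, sooner for serious
# vulnerabilities. 30 and 7 days are assumed figures for this example.
PATCH_WINDOW = {"serious": timedelta(days=7), "routine": timedelta(days=30)}
AUDIT_DATE = date(2018, 3, 1)  # constructed "today" for the sample run

def patch_due(notified, serious):
    """Date by which a patch should be applied under step 7."""
    return notified + PATCH_WINDOW["serious" if serious else "routine"]

def audit_asset(asset, today):
    """Return the step numbers from the column's list that an asset fails."""
    failures = set()
    if asset["support_ends"] < today:          # step 5: still within vendor support
        failures.add(5)
    for p in asset["patches"]:                 # step 7: no patch past its window
        if p["applied"] is None and patch_due(p["notified"], p["serious"]) < today:
            failures.add(7)
    if asset["local_admin"] and not asset["admin_justified"]:  # step 8
        failures.add(8)
    if asset["laptop"] and not asset["fde"]:   # step 9: full-disk encryption
        failures.add(9)
    return sorted(failures)

def audit(assets, today):
    """Map each asset name to the steps it fails; an empty list means compliant."""
    return {a["name"]: audit_asset(a, today) for a in assets}

# Constructed inventory (step 2 says you need one to secure anything).
SAMPLE = [
    {"name": "hr-laptop-01", "laptop": True, "fde": True, "local_admin": False,
     "admin_justified": False, "support_ends": date(2020, 1, 14),
     "patches": [{"notified": date(2018, 2, 20), "serious": False, "applied": None}]},
    {"name": "fin-desktop-07", "laptop": False, "fde": False, "local_admin": True,
     "admin_justified": False, "support_ends": date(2014, 4, 8),
     "patches": [{"notified": date(2018, 2, 20), "serious": True, "applied": None}]},
    {"name": "dev-laptop-03", "laptop": True, "fde": False, "local_admin": True,
     "admin_justified": True, "support_ends": date(2020, 1, 14),
     "patches": [{"notified": date(2018, 1, 10), "serious": False,
                  "applied": date(2018, 1, 30)}]},
]

def run_sample():
    """Audit the constructed inventory as of AUDIT_DATE."""
    return audit(SAMPLE, AUDIT_DATE)

if __name__ == "__main__":
    for name, steps in run_sample().items():
        print(name, "fails steps %s" % steps if steps else "compliant")
```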
