Cyber insurance risk assessment, what should you pay attention to?
Moving companies’ activities to the Internet, process automation and data storage on the Web is currently the process of most businesses in Poland. Companies operating in this way expect that their data in the network will be most effectively protected not only as a result of device or network failure but above all in connection with the spreading wave of cybercrime. Thinking about protection, they are looking not only for technological solutions. They are also looking for financial support that is necessary to restore the company’s operations after a failure or a cyber attack. Therefore, the cyber insurance market is developing dynamically, offering more and more attractive policies in terms of the scope of protection. Some insurers, in addition to covering the costs associated with a cyberattack, also provide professional assistance, which provides access to specialized resources, such as a law firm, computer forensics, cybersecurity or PR specialist. When choosing a policy, the claims handling procedure is very important; it involves quick reaction and minimizing damages. Loss adjustment is as effective as the risk assessment has been reliably carried out. This is because there are several areas in infrastructure and business management of critical or important importance. And that’s what we’ll focus on in the article below.
Access control mechanisms to systems and data
Regardless of the size of the company, each is based to a greater or lesser extent on available applications or IT systems to which employees have access. Employees acting intentionally, consciously or unconsciously are responsible for over 40% of leakages of confidential data from an organization. Many organizations have developed company policies governing the security, privacy and use of company property, but it is not uncommon that they are not known to staff or properly enforced. A lack of information about procedures that are clearly available and communicated to employees may lead to unintended actions. This can lead to loss, damage, theft or breach of confidentiality. By writing down procedures for controlling access to confidential information and data, we reduce the likelihood of a risk and eliminate its effects. What is also important, the employer should be aware of the systems to which his employees have access, to what extent and what data have been entrusted to them. If an employee leaves the organization, all access to the systems should be blocked on the day the cooperation is terminated. One should remember not only about the termination of the contract but also about the completion of the project or change of position – the employee remains in the organization; however, his access rights change. The lack of such procedures may mean that unauthorized persons have access to systems or data, which poses a very significant threat to the security of information stored in the company.
Data storage and destruction
The basis is the knowledge of what confidential or personal data are stored in the company’s systems or its infrastructure, who has been entrusted to them, who has access to them, how they are protected, how they can be retrieved, how to obtain contact details for companies or natural persons. In the event of a cyber incident, it is important to immediately be aware of what data and to what extent is at risk. We are then able to react immediately to the incident, not only by properly blocking and protecting the existing access to cybercriminals but also by notifying the data subjects about the event. This is especially important in the face of the GDPR of 2018 regarding personal data. In the event of a breach of this data, we are obliged to carry out the notification process.
In connection with the above, the solution is to write an appropriate policy for the processing of personal, confidential and commercial data of the company, both regarding your enterprise and those entrusted to us. This policy, which is often forgotten, should take into account the process of data destruction and disposal. And we’re not just talking about deleting files from systems or recycling their paper versions. We are talking about all resources where data is or has been stored. An example may be, for example, the list of computers where confidential information was stored on disks in old equipment – what happens to this equipment after its end of use; are computer disks cleaned, and destroyed before mechanical destruction?
We have known for a long time how important it is to make and store backups. However, we do not often realize that copies should save as much information as possible – databases, system configurations, domain controllers, and application servers. Some organizations need to back up their employees’ file servers, computers, and mobile devices. The frequency of backing up largely depends on the industry. Sometimes weekly backups are enough, in other situations, once a day is not enough.
The place where copies are stored and the number of copies are of great importance. One backup copy stored in the same location as the original does not protect against possible physical damage, e.g. as a result of fire or against the effects of a cyber attack, e.g. ransomware. The minimum level of security is to use a 3-2-1 strategy. This means that you should have at least three copies of data, of which two copies should be stored on two different types of media, one backup should be stored outside the corporate network and outside the physical location where the data is processed.
Encryption is extremely important when storing backups. Sending backups, e.g. to the cloud, without encrypting it, would mean virtually unlimited access for everyone.
It would be best if you also remembered about testing the quality of backups and periodic tests of restoring infrastructure and systems based on them. This guarantees that in the event of a real failure or cyber event, the copies will certainly work and restore the operation of all systems necessary for everyday work in the shortest possible time.
Security of systems
The basis of system protection has standard, regularly updated security measures such as firewalls, anti-virus software and regularly implemented security patches. When processing confidential data inside the organization, it is also advisable to use IDS IPS system solutions – intrusion detection and prevention systems that increase the security of computer networks through detection (IDS) or detection and blocking (IPS) in real-time.
However, only a reliable risk assessment makes it possible to identify potential threats and plan actions aimed at increasing the safety of the entire infrastructure and planning corrective actions. We are not just talking about protection against external attacks. Practice shows that most security threats come from within the network: they can be attacks or theft of data by disloyal or careless employees, attacks through less protected points, e.g. supplier infrastructure, unsecured remote connections, etc.
When conducting an in-company analysis by your IT department, it is easy to fall into the trap of focusing on network “improvements”, often having no major impact on the security of the organization. Therefore, it is worth considering external audits. Companies specializing in this type of service look at organizations from a completely different perspective, they can capture security gaps that the IT department sometimes does not take into account at all, and which can be quite important. Auditors identify all weaknesses and recommend their improvement. Such audits, carried out regularly and covering the largest possible scope of activities, significantly increase the company’s security. Additionally, if we work on systems supported by producers and regularly implement all the patches published by them, the security of our network increases significantly.
It often happens that the company’s employees, due to their activities, have remote access to the company’s internal systems and programs, on which the entire business is based, and on whose security the functioning of the company depends. If we take into account that this access is via public Internet networks, its bad security may result in a cyberattack, and thus expose the company to financial or image losses. Therefore, remote access to the infrastructure or corporate network protected by only one component, e.g. by a password or certificate, is subject to enormous risk. It is easy to lose the password, and the certificate may also fall into the wrong hands. Two-factor authentication requires the user to verify their identity through an additional independent mechanism. There are many solutions for such protection on the market, e.g. one-time codes sent to applications or in the form of a text message or biometric identification. This solution minimizes the risk and significantly increases the security of using remote resources. A very good solution is to provide employees with connections to the corporate network via VPN (a virtual private network) where the transmitted data is compensated and immediately encrypted, and access to them is very difficult.
Data on portable media
The necessary minimum security of the processed confidential or personal data is their encryption in cases where they can be physically removed from the company’s headquarters using portable devices such as laptops, pen drives, portable drives or other means for processing or storing information. Encryption protects this data in the event of theft or loss of the device. Without the encryption keys, it will not be possible to read the contents of the medium. Here, too, we would like to point out that in the case of returning equipment to the service, where data may fall into the wrong hands, data carriers should also be encrypted or in the case of laptops or computers, the hard drive may be removed.
An independent aspect is the transfer of confidential company and personal data outside the infrastructure, e.g. sending them in e-mails or sending them “to the cloud”. In such a case, appropriate procedures that define the procedure are necessary. Such procedures should be regularly checked and verified for safety and practices. Additionally, it should be ensured that the organization knows when and what data is transferred electronically outside the organization.