By Steve Roberts, account executive at Marsh Commercial  

Cyberattacks continue to dominate news headlines. As they become more prolific, related insurance claims are following. Insurers are therefore taking a more cautious position - tightening underwriting terms and asking more questions about a businesses' cyber operating environment.

The adoption of certain risk controls has now become a minimum requirement of insurers, with businesses' potential insurability on the line.

There are 12 main areas that businesses should focus on. We explore these in their latest guide - Twelve key controls to strengthen your security. As a starting point, we've selected six cyber hygiene controls that may have the most impact on insurability, mitigation, and resilience.

1. Multifactor authentication (MFA)

What is multifactor authentication?


MFA (or two step verification) is a way of strengthening the user login process. It requires the user to provide two or more pieces of evidence (such as a password and a security code) to be authenticated before access is granted. This makes it more difficult for attackers to gain unauthorised access.

Why should this control be adopted?
80% of all cyber incidents are malicious and often start with compromised user credentials.1 You should consider enabling MFA for users accessing critical or sensitive data in all systems, applications, and accounts that are accessible remotely.

For guidance on implementing this control - download the guide. 

2. Email and website filtering

What is email and website filtering?


Email filtering software can scan inbound or outbound email traffic for undesired content. This could be spam emails or more serious phishing emails. The software detects an email (plus any attachments) and automatically filters it out so they don't reach the user. Or they're flagged so the user is aware of potential malicious or unwanted content. Web content filtering meanwhile can block and screen access to websites that users are not supposed to enter.

Why should this control be adopted?
Web and email filtering is seen as a "first line of defence" in defending email or web-browsing-related cyberattacks, even before users - the "second line of defence" - can fall victim to a phishing attack or enter websites with malicious content. At a minimum, you should consider pre-screening emails for potentially malicious attachments and links, and use tools to monitor web content to block access to vulnerable websites.

For guidance on implementing this control - download the guide.

3. Secured, encrypted, and tested backups

What are secured and encrypted backups?


Encrypted backups is an extra security measure used to protect data in the event that it's stolen, misplaced, or compromised. Best practice backups are secured, preferably by isolating them from the network, or by implementing multifactor controlled access and encryption. They're also regularly tested for errors or failures.

Why should this control be adopted?


As businesses increasingly move to cloud-based backup solutions, secured backups can reduce recovery time and enable a return to BAU more quickly. A lack of available backups also increases the likelihood of a victim paying a ransom in order to recover systems and data, as they have no other options.

For guidance on implementing this control - download the guide. 

4. Incident response plans

What is an incident response plan?


Incident response plans document a "predetermined set of instructions or procedures to detect, respond to, and limit consequences of a malicious cyberattack against a business's information systems".

They need to be in line with other plans such as:

• An IT disaster recovery plan (DRP) - describes how a business recovers data during and after a crisis or disaster.

• A business continuity plan (BCP)  - sets out how a business ensures that essential business processes are available during and after a crisis or disaster.

Why should this control be adopted?


Incident response plans are an integral part of increasing your cyber resiliency. An up-to-date plan provides efficiency, speed, and quality in response to cyber incidents. These programs are not isolated frameworks - they need to reflect the specific and unique risk profile of your business and require integration within an overall cyber risk management strategy.

For guidance on implementing this control - download the guide. 

5. Cybersecurity awareness training

What is cybersecurity awareness training?


Cybersecurity awareness training is used to educate employees and IT users on cyber risks and threats. It helps them identify and recognise the various attacks, and equips them with the necessary information on how to protect themselves and your business by preventing events in the first place. And, doing the right thing after an attack or attempted breach.

Why should this control be adopted
?

Businesses are operating in a world in which 95 per cent of cybersecurity issues can be traced to human error. As a result, some regulators may require employees to undergo regular security awareness training. Despite advanced IT security, human factors such as workload, stress, lack of skillset, the increased use of the hybrid working model, and basic human nature can all lead to human error. However, this weakest link of security chain can turn into the best layer of defence, when it gets the right focus and attention.

For guidance on implementing this control - download the guide. 

6. Replacement or protection of end-of-life (EOL) systems

What are end-of-life systems?


End-of-life (EOL) or end-of-support (EOS) products are those that reach the end of their lifecycle, preventing users from receiving updates. These products create risk because patches and other forms of security support are no longer offered by the vendor. Once the technology is unsupported, it will be exposed to unfixable vulnerabilities.

The only fully effective way to mitigate this risk is to stop using the obsolete product and replace or upgrade it with a newer solution that continues to provide support. Where this is impossible, EOL/EOS systems will need to be protected by compensating controls, such as restricting access to those systems, ensuring they are not internet facing, and are "air gapped" — that is, physically isolated from other connected systems.

EOL/EOS products and systems are often used by businesses with large legacy estates, particularly where systems are used to control operational technology (OT), which can be difficult and costly to upgrade regularly.

Why should this control be adopted?


Vulnerabilities in EOL/EOS products will remain unpatched and become increasingly exploitable by hackers looking for easy ways to gain access to systems. Known vulnerabilities are openly discussed on forums, and hackers are able to scan easily for EOL systems that continue to be in use.

While open ports and email phishing remain popular attack vectors, known software vulnerabilities are also a common entry point, offering an easy route into systems. Once inside, hackers will try to gain access throughout a network, looking for valuable data to steal and systems to encrypt.

For guidance on implementing this control - download the guide. 

Which cybersecurity controls will you adopt?


In a challenging insurance market, having the necessary cyber controls in place can really help your business's insurability. The right controls will also provide your business with a higher level of security, a better ability to identify threats, and ideally allow you to recover more quickly from an attack.

Download the guide to learn more about all 12 cyber controls. Our UK Risk Hub also has a wealth of expert insights to help you combat data protection concerns and cybercriminal activity. Be sure to visit the National Cyber Security Centre too for additional tools and cyber guidance.

For more help, speak to our local experts in Gloucestershire. Contact tegan.mckernon@marshcommercial.co.uk  or call us on 01905 892 200.

Steve Roberts has been with Marsh Commercial for four years and brings a further five years of prior experience in the industry in roles including sales, marketing and management.

He helps clients in sectors including manufacturing, contractors, professionals and technology and is professionally qualified to Cert II and a BTEC National Diploma in Management. An outdoor enthusiast, Steve enjoys hiking, mountain biking and paddle-boarding.

The information contained herein is based on sources we believe reliable and should be understood to be general risk management and insurance information only. The information is not intended to be taken as advice with respect to any individual situation and cannot be relied upon as such. This article contains third party content and/or links to third party websites. Links to third party websites are provided as a convenience only. Marsh Commercial is not responsible or liable for any third party content or any third party website nor does it imply a recommendation or endorsement of such content, websites or services offered by third parties.