Cloud Security Policies and Cyber Insurance
We have been surprised that some of the new clients we work with, and even some of their IT service providers, do not have cyber insurance.
With the level of cybercrime in play, we believe cyber insurance should be thought of as a necessary cost of doing business.
Nobody likes new costs though, so the good news is that many providers of cyber insurance will reduce premiums for organisations that can prove strong security measures are in place.
In fact, for Accountancies and Advisors using the Practice Protect platform, a discount of up to 20% of cyber insurance premiums could apply.
The less good news is that all policies come with prerequisites, and organisations that do hold cyber insurance sometimes make it easy for insurers to deny or reduce a claim by ignoring basic good practice.
Cloud Security Policies
Insurance pre-requisites and additional good practice for your firm should be captured within policies that outline what is expected and acceptable behaviour to protect your business.
As a minimum, your business should have:
✔ Password Policy (now more accurately an Identity Management policy)
✔ Device Policy (covering smartphone data and apps + laptop/desktop)
✔ Connectivity Policy (covering use of wifi, public networks, mobile data)
✔ Data Access Policy (covering protection of data in all circumstances, whether the data is at rest or in transit)
✔ Data Breach Procedure (to handle a potential or actual breach)
✔ Starters and Leavers Policy (to ensure data, devices and systems access are appropriately granted and withdrawn)
Frequently we are asked whether these duties should be handled internally or by an external provider (the outsourced IT services company). We find that IT services companies themselves are often too lax in how they safeguard customer sign-ins, and that this can be a weak point in your security as their customer. Hence, in our opinion, this is an area better automated than outsourced.
Cyberthreat Education and Attack Simulation
Of course, policies are only effective if they are up-to-date and if compliance is high.
To gain high compliance takes education and ongoing assessment of effectiveness as well as a mindset that security is part of everyone's job.
There are managed services that drip-feed security training to your staff to raise their awareness of common threats such as scam and phishing emails, and that keep pace with developments that undermine assumptions of safety. One example is two-factor phishing: a reverse-proxy phishing site sits between the victim and the real login page, so the one-time code is relayed to the genuine service as it is typed, and tools such as Muraena and NecroBrowser have made this easier to set up.
Similar services will simulate attacks using the same techniques cybercriminals use, to show your level of risk.
If you have a large, volatile or digitally naive workforce, we recommend a mix of attack simulation and continuous education to reduce your risk.
Another emerging trend is proactive monitoring of the dark web for leaked credentials. There are a number of free services for this, and some will keep your email address on file and notify you of new leaks that affect you.
A word of warning though: make sure you only use a reputable site for these checks, especially if you also intend to use its password generation feature to create a strong password.
This list is a good place to find out if your login has been leaked and is for sale on the dark web.
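To show what a well-designed leaked-credential check actually does, and why the password you test never has to leave your machine, here is an added Python example. It is not part of this post and is not the code of any particular service; it models the k-anonymity range query popularised by the Pwned Passwords API (SHA-1 the password, send only the first five hex characters, match the rest locally). The server side is simulated with a constructed three-entry corpus whose counts are illustrative, not real breach figures. It also generates a strong password locally with the operating system's CSPRNG, so no third-party site ever sees it.

```python
import hashlib
import secrets
import string

# Constructed sample of a breach corpus: plaintext passwords with the number
# of times each has been seen in leaks. A real service holds hundreds of
# millions of entries; these three and their counts are illustrative only.
SAMPLE_LEAKED = {"password": 3861493, "123456": 23597311, "qwerty": 3912816}


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1 of the password, the form range-query services use."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Pre-hash the corpus, as the service would store it.
_LEAKED_HASHES = {sha1_hex(p): n for p, n in SAMPLE_LEAKED.items()}


def simulated_range_lookup(prefix: str) -> str:
    """Stand-in for the server side of a k-anonymity range query.

    Receives only the first five hex characters of the hash and returns every
    stored hash sharing that prefix as 'SUFFIX:COUNT' lines. The server
    therefore never learns which password was checked.
    """
    if len(prefix) != 5 or any(c not in string.hexdigits for c in prefix):
        raise ValueError("prefix must be exactly 5 hex characters")
    prefix = prefix.upper()
    return "\n".join(
        f"{h[5:]}:{n}" for h, n in _LEAKED_HASHES.items() if h.startswith(prefix)
    )


def check_password(password: str, range_lookup=simulated_range_lookup) -> int:
    """Return how many times the password appears in the corpus (0 if never).

    Only the 5-character prefix is sent to range_lookup; the suffix match is
    done locally on the returned list, so the full hash stays on this side.
    """
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in range_lookup(prefix).splitlines():
        if not line.strip():
            continue
        candidate, count = line.split(":")
        if candidate == suffix:
            return int(count)
    return 0


def generate_password(length: int = 20) -> str:
    """Generate a password locally with the OS CSPRNG (no website involved)."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    for pw in ["password", "qwerty", generate_password()]:
        n = check_password(pw)
        verdict = f"seen {n} times in leaks" if n else "not in the sample corpus"
        print(f"{pw!r}: {verdict}")
```

Swapping `simulated_range_lookup` for an HTTP call to a real range endpoint keeps the same client logic; the point to check with any service you adopt is that it accepts a hash prefix rather than the password or full hash.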
Contact Cloud Fixers if you'd like to refresh your policies, test your level of risk, or look at cyber insurance to insure against cybercrime.