top of page
Search

Get the Coverage You Need: 12 Critical Security Controls to Impress Cyber Insurers

  • Writer: Melissa Thornton
    Melissa Thornton
  • Mar 7, 2023
  • 10 min read



As the number of cyber incidents continue to rise, insurance companies have identified a correlation between lack of specific security controls in place the number of cyber incidents. The insurance industry has evolved its understanding of the technical measures necessary for businesses to improve their cyber resilience. With an increase in cyber insurance claims, underwriters are becoming more prudent in their approach to granting coverage. They are becoming more stringent in their underwriting terms, examining cyber insurance applications more closely and asking more detailed questions about a company's cybersecurity measures and controls.


This blog will provide a practical guide to the top 12 critical security controls that all small and medium-sized businesses (SMBs) and startups should implement immediately to improve their cyber security posture and increase their chances of securing insurance coverage.


This blog will uncover the top 12 critical security controls vital for SMBs and startups to implement today. By following these recommendations, SMBs and startups can improve their cybersecurity posture and increase their chances of securing more comprehensive insurance coverage at a much better rate.


#1 MFA for remote access, privileged accounts, and administrative access


Most cyber incidents result from compromised user credentials, and MFA is a critical part of a strong identity access management (IAM) strategy, preventing unauthorized access. Multifactor authentication, or MFA, is a valuable tool for ensuring secure access to computer resources. MFA requires a user to provide two or more pieces of evidence for authentication from the following categories:

  • "Something you know" (such as a password/PIN).

  • "Something you have" (for example, a cryptographic identification device or token).

  • "Something you are" (for example, a biometric).

To effectively implement MFA, we recommend the following:


  • Require MFA for all remote logins to a corporate network through secure methods such as virtual private networks (VPNs) and remote desktop protocols (RDPs).

  • All administrative and privileged account access, regardless of location, requires MFA and encrypted channels.

  • Implement MFA for access to critical or sensitive data and systems, regardless of the user's location.

  • Establish complex, long passwords with 14 characters or more and include a mix of uppercase and lowercase letters, numbers, and symbols.


An essential first step to adequately securing a business is identifying all systems, applications, and assets, including critical and sensitive data and high-privileged and administrative users. Companies should also consider implementing risk-based authentication, which adjusts the level of security based on the potential risk of compromise.


In addition, businesses should incorporate VPNs and remote solutions with MFA and consider using corporate devices, such as laptops and mobile phones, as additional authentication factors. It's important to be aware of local regulations regarding data protection, privacy, and biometrics data and to deploy authentication factors on all devices to prevent a compromise from affecting them all. Finally, companies should train employees on the importance of additional security layers and the value of MFA to reduce resistance and ensure a smooth implementation process.


#2 use email and web content filtering


Email filtering is a crucial control for enhancing the cybersecurity posture of SMBs and startups. Email filtering programs should be configured to scan inbound and outbound email traffic for unwanted content, including spam emails and phishing attacks. Detected emails can be filtered automatically or flagged for the user's attention. Additionally, an administrator can test a suspicious email attachment in a secure sandbox environment before releasing it to the user.


Web content filtering can be implemented using hardware or software-based solutions and regulates access to websites that could contain malicious content or violate compliance regulations. DNS content filtering works by adhering to a blocklist of websites configured by the administrator at the network or endpoint device level. These websites are categorized by domain name or IP address, and a DNS resolver can refuse to satisfy queries requested by the user attempting to access an unapproved website.


Adopting email and web filtering controls is essential because malicious links and files are the primary means of inserting malware into a business's environment and stealing user passwords. Filtering provides a first line of defense against email and web-related cyberattacks. It helps prevent phishing attacks, a common initial attack vector leading to severe cyber incidents, especially ransomware attacks.


Implementing email and web filtering technologies is important for improving a business's cybersecurity posture and meeting the stringent cyber resiliency requirements imposed by insurance underwriters for granting coverage.


We recommend companies consider the following measures:

  • Scan and filter incoming emails for malicious attachments and links.

  • Disable default running macro-enabled files, which can often contain malicious code.

  • Evaluate suspicious email attachments in a secure sandbox environment before delivery to users to determine if they contain malware.

  • Monitor web content and block access to malicious websites or content, reducing the risk of exposure to cyber threats.


#3 Secure, encrypt, and test backups


Having secure, available, and accurate backups are crucial for ensuring business resilience. To ensure the integrity of backups, isolating them from the network and implementing controlled access and encryption with multifactor authentication is recommended. Regular testing is also essential to enhance the availability and accuracy of data. The importance of adopting this control has become increasingly apparent as attackers target cloud-based backup solutions, seeking administrator credentials to gain access and delete or encrypt data. Without available backups, companies are more likely to pay a ransom to recover their systems and data, as they have no alternative.


It is important to regularly review critical systems and assets and ensure that backup procedures are adequate and tested. A solid disaster recovery, business continuity, and incident response plans are crucial to accurately document the process of recovering systems from backups.

Focusing on the systems, processes, data, and assets considered the "crown jewels" is a good starting point for reviewing backup procedures. This exercise includes identifying the most critical business components that, if lost, would significantly impact operations.


#4 Implement Privileged access management (PAM)


Humans are often the weakest link in cybersecurity, making companies more susceptible to attacks. PAM operates on the principle of "least privilege," meaning that users only receive the minimum level of access required to perform their job functions.

The features and capabilities of PAM solutions can vary between different vendors. However, they generally include the following components:

  • Secure storage of privileged account login credentials in a repository

  • A dedicated authentication process for accessing privileged accounts

  • Record-keeping of who accesses what accounts and what actions were taken

  • Monitoring for suspicious or malicious behavior

  • Limiting access to a select group of approved users who can bypass specific security controls, such as shutdowns, app or driver loading, network configuration, and provisioning


#5 Install Endpoint Detection and Response (EDR)


EDR provides real-time monitoring and protection for endpoints, such as laptops, desktops, mobile phones, servers, and IoT devices, often the entry points for cyber attacks. EDR continuously monitors endpoints and collects device data, responding based on predefined rules. This data is then analyzed to detect persistent threats and zero-day vulnerabilities, allowing for early detection and response to security threats. In the event of a security breach, the data collected by EDR can be reviewed to determine the extent of the compromise, the root cause, and the necessary steps to mitigate the threat. Without EDR in place, a business may struggle to recover from a security breach, such as a ransomware attack. The company would lack visibility into the extent of the event and would be unable to detect any payloads that may still be operating in the background. This lack of visibility could lead to a longer recovery time and a more in-depth recovery effort, which is why EDR is an essential component of a comprehensive security solution. It's important to select an EDR solution that is both effective and efficient in its operation.


Key features to look for in a solution include:

  • Comprehensive endpoint visibility

  • Ability to collect and analyze large amounts of endpoint telemetry

  • Behavioral analysis to detect indicators of attack

  • Integration with threat intelligence

  • Real-time response capabilities

  • Minimal false positive alerts and the ability to automatically correlate an entire security stack to uncover the toxic combinations that represent your highest risks

  • Cloud-based deployment and seamless integration with existing systems


#6 Patch and Vulnerability Management

Vulnerability and patch management are crucial components of a comprehensive cybersecurity strategy. Vulnerability management identifies potential security weaknesses in software and hardware devices, while patch management involves deploying and installing software updates to address these vulnerabilities. Not all vulnerabilities have a related patch, so a proper vulnerability management process should consider alternative remediation methods, such as changes in software configuration and employee training, to mitigate the risk of exploitation. Without proper management, vulnerabilities in software and hardware devices can be exploited, leading to security breaches. Neglecting to address vulnerabilities through patch management leaves a business susceptible to exploitation and can result in costly response efforts. Regularly patching systems and staying up-to-date on newly discovered vulnerabilities is essential to reducing the risk of intrusion.


#7 Develop Incident Response Plans

An incident response plan outlines the steps to be taken in case of an unintentional incident or malicious cyber attack, ensuring that a business is prepared to handle the situation effectively. This plan must align with related companywide strategies, such as disaster recovery and business continuity plans to ensure a seamless and comprehensive response in a crisis. Regular testing of incident response procedures is essential to ensure that everyone is familiar with the plan and ready to act in case of an attack. This plan should be tailored to the business's specific and unique risk profile and integrated into the overall cyber risk management strategy. In a cyber attack, detecting the incident as soon as possible and responding promptly and professionally is crucial. A well-prepared incident response team and an up-to-date incident response plan can provide efficiency, speed, and quality in response to a cyber attack.


#8 Cybersecurity awareness training and continuous education


Investing in technology and securing processes is important, but ignoring the human aspect can lead to significant cybersecurity issues. In fact, 95% of cybersecurity problems can be traced back to human error. However, with the proper focus and attention, employees can be transformed into the best line of defense. By investing in employee education and ongoing training, businesses can help employees better understand cyber threats and how to avoid them. By making employees a central part of the cybersecurity program, companies can build a secure culture, comply with regulations, and effectively protect themselves from the impacts of a potential attack.


Insurance companies and regulators are also concerned about the human element of cybersecurity. Regulations such as PCI-DSS, NIST, HIPAA, and GDPR require regular security awareness training for employees.


Phishing tests are an important aspect of security awareness training, as they simulate attacks by sending realistic phishing emails to employees to measure their awareness. This method can evaluate the effectiveness of security awareness training and identifies behaviors that need improvement.


#9 Use mitigation and other hardening techniques

Hardening refers to enhancing the security of various components within a company's IT infrastructure to reduce the risk of cyber attacks. This includes servers, applications, operating systems, databases, security, and network devices. By using hardened security configurations, companies can minimize the attack surface by disabling unused or insecure services, mitigating vulnerabilities, and improving weak configurations that malicious actors could exploit. To achieve this, companies typically create a secure baseline configuration or "Gold Image" for their systems and services. A process is used to deploy these configurations, and they are reviewed periodically to identify any misconfigurations or configuration drifts. The Center for Internet Security (CIS) provides important guidance on creating security baselines and hardening environments.


Insurance companies are particularly concerned about weak or commonly attacked protocols or services exposed to the internet, such as RDP, SMB, SSH, FTP, and database ports. Companies should close all unnecessary ports or implement compensating controls to mitigate associated risks.


#10 Logging and monitoring

To stay ahead in today's ever-evolving threat landscape, companies must have the proper security measures in place and the ability to detect and respond to any suspicious activities that may signal an ongoing attack. This requires a well-structured logging system across the company's systems and applications, equipped with the necessary tools to gather, interpret and raise alarms in the event of an issue. Additionally, it requires a team of skilled professionals who can quickly analyze the situation and take appropriate action in the event of a cyber incident.

Here are some tips to achieve this:

  • Establish a comprehensive audit log and monitoring system covering critical platforms such as firewalls, intrusion prevention and detection systems, active directory, antivirus and antimalware, endpoint security technologies, data loss prevention, applications, Microsoft 365, and others deemed important by the business.

  • Implement a security incident and event management system (SIEM) and integrate the various platforms into this system. The logs should be accessible for at least three months and backed up for at least one year. Be sure to review any regulatory, compliance, or contractual obligations the business must adhere to.

  • Analyze logs and define a set of use cases or common patterns to be monitored and reacted to in the event of detection. This information should also be used in conjunction with threat intelligence.

  • Develop a process for regularly reviewing the activities of administrators and high-privilege users on critical systems.

  • Assemble and train a team of experts in security event monitoring and incident response. Define specific processes or playbooks for the team to follow in case of a detected incident.

  • Continuously monitor key performance indicators for improvement opportunities.


It's important to note that setting up effective logging and monitoring capabilities can be a significant investment of resources. It requires ongoing reviews to ensure the processes can detect suspicious activity in real-world scenarios.


#11 Replace or add additional protection for end-of-life (EOL) systems


The end of the lifecycle for technology products and systems, known as End-of-Life (EOL) or End-of-Support (EOS), can pose a significant risk to companies. When these products reach the end of their lifecycle, they are no longer eligible for updates or security support from the vendor, leaving them vulnerable to unfixable vulnerabilities. To mitigate this risk, replacing or upgrading these outdated systems with newer solutions that provide ongoing support is best. However, this may not be possible in some cases when businesses have large legacy systems controlling operational technology. In these cases, compensating controls must be implemented to protect these unsupported systems, such as limiting access, ensuring they are not accessible from the internet, and physically isolating them from other connected systems.


#12 Evaluate Third-Party Risks (TPRM)

Third-party relationships often play a key role in driving growth and innovation. However, third parties can also introduce various risks to a business. We recommend developing a third-party risk management program to monitor and control these risks to ensure they are within acceptable levels for the company.


To effectively manage third-party risks, we recommend the following:


Assess Risks: Identify and analyze the unique risks posed by each third party, including process, compliance, and contractual risks.

Manage Risks: Create a risk profile for all vendors and implement processes and protocols to manage the potential risks.

Implement Controls: Establish controls for third parties to follow, starting with the contract and extending into their day-to-day activities. Adopt continuous monitoring to ensure all controls are properly followed.

Complete Due Diligence: Thoroughly screen potential third parties and complete necessary due diligence based on their risk score.

Analyze Supply Chain: Ensure the entire supply chain, including fourth parties, is compliant with the company's risk management strategy.

Cultivate a Culture of Compliance: Start with senior management and create a culture that values compliance among third parties.

Invest in Risk Management: Adequately staff and train the risk management team and invest in the right software solutions to proactively manage risk.

Monitor the Risk Management Program: Continuously evaluate the effectiveness of the risk management program and report back to stakeholders.

Integrate Risk Processes: Centralize risk processes and data to avoid gaps in oversight and provide transparent information to all stakeholders.

Utilize Software: Leverage software to manage all third parties efficiently, track risk, prioritize remediation, and provide real-time insights.


We Can Help


At Cybersecurity Advisory Group, we believe in the power of preparation and the peace of mind it brings. That's why we work closely with our clients to fortify their cybersecurity defenses and build a robust foundation for cyber resilience. Visit our website to learn more about our services and how we can help your business address and mitigate cybersecurity risks. Additionally, you can schedule a consultation to discuss your specific needs and learn how we can help you manage your risks.




 
 
bottom of page