Five things to do before you even consider buying cyber insurance

In this guest article, Capsule Cover covers five things business owners need to do before they even consider buying cyber insurance for their business.

1. Get the basics right

First up, the obvious stuff – all those things that every company should be doing as a bare minimum. Start by investing in the best antivirus tech. The better your initial defence, the less likely you are to suffer an attack. Sites like TechRadar and G2 regularly update their ‘best of’ lists, which can help you narrow down your options. But it’s worth doing your own research to see which package can easily scale with you.

Next, use multi-factor authentication. This goes one step further than simply using upper-case letters and symbols to strengthen your passwords – it requires another form of verification, like a code that’s sent to your phone. This should be compulsory before remotely accessing your network and signing in to cloud-based services like email accounts.
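As an added example (not part of the Capsule Cover article), here is how an authenticator-app style second factor is generated and checked, using the standard time-based one-time password scheme (TOTP, RFC 6238). The shared secret is the RFC's own published test key, so the codes can be checked against the RFC's reference values; the one-step clock-drift window and the `last_counter` replay check are design choices of this example rather than anything the article specifies.

```python
"""Added example of an app-based second factor: TOTP generation and checking
(RFC 6238). Not from the original article; the secret and timestamps are
constructed test values (the RFC 6238 reference key)."""
import hashlib
import hmac
import struct
import time

TIME_STEP = 30  # seconds each code is valid for; the common default


def totp(secret: bytes, unix_time: int, digits: int = 6) -> str:
    """Compute the TOTP code for `secret` at `unix_time` (HMAC-SHA1, RFC 6238)."""
    counter = unix_time // TIME_STEP
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation from RFC 4226
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_totp(secret: bytes, submitted: str, unix_time: int,
                last_counter: int = -1, window: int = 1):
    """Check a submitted code against the current step and +/- `window` steps
    (tolerating small clock drift between phone and server).

    Returns the accepted counter, or None. Counters at or before `last_counter`
    (the last code this user already used) are rejected, so a code that was
    intercepted cannot simply be replayed. The comparison is constant-time so
    timing does not reveal how many digits matched."""
    for step in range(-window, window + 1):
        t = unix_time + step * TIME_STEP
        counter = t // TIME_STEP
        if counter <= last_counter:
            continue  # already consumed, or older than the last accepted code
        if hmac.compare_digest(totp(secret, t), submitted):
            return counter
    return None


# Constructed demo secret: the RFC 6238 reference key, so results are checkable.
DEMO_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    now = int(time.time())
    code = totp(DEMO_SECRET, now)
    print("current code:", code, "accepted at counter:", verify_totp(DEMO_SECRET, code, now))
    # RFC 6238 Appendix B lists 94287082 as the 8-digit SHA-1 code at T=59.
    print("reference check:", totp(DEMO_SECRET, 59, digits=8))
```

In a real deployment the server stores each user's secret and last accepted counter; the phone app only needs the secret and a roughly correct clock, which is why this works without the code ever being transmitted by SMS.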

Finally, update your software regularly. Also known as patches, these updates essentially ‘patch up’ known vulnerabilities. If you don’t apply them regularly, your system ends up with more holes than Swiss cheese. Prevent that by either setting up automatic updates or setting calendar reminders so you can check manually.

2. Educate staff

Cyber-attacks are constantly evolving, and your staff training needs to evolve in line with them. With over 60% of cyber incidents being down to human error, proper education is key to reducing your risk. That’s why you need to factor regular cyber security refresher courses into your yearly plan.

Phishing and scam emails are your first port of call. Focus your training on these first – showing your team current examples and taking them through the government’s checklist as well as recommended next steps. Roll this out to anyone who has access to your network or confidential/personal data.

Then, once they can easily spot these messages, move on to other attack types like drive-by downloads (where operating system updates are key) and denial-of-service attacks (crashing or flooding your servers).

3. Secure or restrict all employee devices

Employees should only be using company equipment. No exceptions, no excuses. Even ‘bring your own device’ policies fall short – you simply can’t control what you don’t own. It’s one of the reasons why 17% of businesses have suffered more attacks since their staff started working remotely due to COVID-19.

When each member of staff has a company-supplied and centrally managed device, you control the apps and assets they can access as well as the device’s security software. You also have the power to wipe data in the event of a breach or loss.

Remember, any devices used for work need to be end-to-end encrypted too. This protects data while it travels between sender and receiver. If your team’s working from home, or you’re a hybrid organisation, a virtual private network (VPN) is an absolute must.

4. Back everything up

Whether your data is stolen, held hostage, or even deleted, it’ll have a considerably smaller impact if it’s backed up. Then it’s just a case of bringing your data back out of storage.

Of course, this storage should be separate from your live environment – in something called a ‘cold’ or ‘offline’ location. Then, if there’s an issue with one, it shouldn’t affect the other. The more regularly you can do this backup, the better.

It may sound obvious, but it’s so easy to forget to back up your data. Build this into your processes just like your software updates, and test your backups frequently to make sure they’re recoverable.
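The article’s advice to keep backups separate from the live environment and to test that they are recoverable can be turned into a routine drill. Below is an added example (not code from Capsule Cover) that archives a directory, writes a SHA-256 manifest alongside it in a separate ‘cold’ folder, restores into a third location and reports any file that is missing or altered. All paths and file contents are constructed; the temporary directory stands in for the live, cold and restore locations.

```python
"""Added example of a backup-and-restore drill with integrity verification.
Not from the original article; all paths and sample files are constructed."""
import hashlib
import json
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large files do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_manifest(root: Path) -> dict:
    """Map each file's path (relative to root) to its SHA-256 digest."""
    return {str(p.relative_to(root)): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def backup(src: Path, cold_dir: Path, name: str):
    """Write <name>.tar.gz plus a manifest into cold_dir, the copy kept apart
    from the live environment. Returns (archive_path, manifest_path)."""
    archive = cold_dir / f"{name}.tar.gz"
    manifest = cold_dir / f"{name}.manifest.json"
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(src, arcname=".")
    manifest.write_text(json.dumps(make_manifest(src), indent=2))
    return archive, manifest


def restore(archive: Path, restore_dir: Path) -> None:
    """Unpack the archive into restore_dir, never over the live data.
    The 'data' filter refuses absolute paths and entries that would escape
    restore_dir; older Pythons lack the argument, so fall back without it."""
    with tarfile.open(archive, "r:gz") as tar:
        try:
            tar.extractall(restore_dir, filter="data")
        except TypeError:  # Python before the filter argument existed
            tar.extractall(restore_dir)


def verify(manifest: Path, restore_dir: Path) -> list:
    """Return the files that are missing or changed compared with the manifest.
    An empty list means the backup restored completely and intact."""
    expected = json.loads(manifest.read_text())
    actual = make_manifest(restore_dir)
    return [rel for rel, digest in expected.items() if actual.get(rel) != digest]


def run_drill() -> dict:
    """End-to-end drill on constructed sample data. Returns the verification
    result for a clean restore and for a deliberately damaged one."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        live, cold, rest = root / "live", root / "cold", root / "restore"
        for d in (live / "docs", cold, rest):
            d.mkdir(parents=True)
        # Constructed sample files standing in for business data.
        (live / "docs" / "contract.txt").write_text("constructed sample contract\n")
        (live / "customers.csv").write_text("id,name\n1,Example Ltd\n")

        archive, manifest = backup(live, cold, "nightly")
        restore(archive, rest)
        clean = verify(manifest, rest)

        # Simulate a corrupted restore (e.g. a truncated file) and re-check.
        (rest / "customers.csv").write_text("id,name\n")
        damaged = verify(manifest, rest)
        return {"clean": clean, "damaged": damaged}


if __name__ == "__main__":
    result = run_drill()
    print("clean restore problems:", result["clean"])      # expected: []
    print("damaged restore problems:", result["damaged"])  # expected: ['customers.csv']
```

Run the drill on a schedule against a real backup set and treat any non-empty problem list as an incident to investigate before you need the backup for real; a backup that has never been restored is only assumed to work.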

5. Create an incident response plan

A good incident response plan outlines the steps involved in identifying the attack’s source, containing it, and then recovering from it, to reduce its impact. It’s usually created by incident response managers as well as security analysts and threat researchers. You can also outsource it to groups like PwC. From there, it gets buy-in from all your relevant departments as well as those at the top.

Incident response plans typically have six stages:

  1. Prepare – Ensure all staff are properly trained, and aware of their roles and responsibilities in the event of an attack
  2. Identify – Determine if you’ve suffered a breach and its extent, as well as when it was discovered and by whom
  3. Contain – Stop the spread of the attack, disconnect affected devices or servers, and block the attacker with firewalls or intrusion prevention systems
  4. Respond – Start the assessment and analysis process, find the root cause, remove all malware from your systems, and inform stakeholders if needed
  5. Recover – Get all systems running as usual, recover backups, continue to monitor for further weaknesses or breaches, and document the breach for future analysis
  6. Review – Bring in your incident response team to discuss what worked well and what didn’t, as well as what changes need to be made to your security or training

You should test your incident response plan with pretend breaches and review it at least annually. Think of it like a fire drill. As a scale-up, you might want to do this a little more regularly, carrying out tests whenever your circumstances change – like when you’ve just landed a big contract, set up a new server, or doubled your headcount.

Find the cover capable of pushing you forward

So, you’ve got your list. You’re unstoppable now, right? Not quite.

You’re never going to be 100% protected against a cyber-attack. Cybercriminals are constantly working on new ways to get to your data, so you’ll always be exposed to some risk. And that’s where insurance comes in.

While insurance can’t prevent the attacks themselves, it can minimise the effects on you and your customers should the worst happen. The most valuable aspect is a ‘breach response’ service, which supports you during a cyber event and helps reduce the impact on you and your customers as well as the cost to insurers.