Your Security Risk Assessment Checklist: 6 Questions to Ask

Reduced risk can mean lower insurance premiums. Ensure your business is fully prepared for your Cyber Security Insurance assessment with our six-point checklist.

Cyber security is similar to home security, and insurance assessors are looking for deadlocks on doors as well as good cyber defences in a company. 

Residents and business leaders who take their security seriously will be able to access lower premiums as a result.

Wondering how to ace those questions from your insurer? In this blog, we’ll cover six of the most common aspects Tecala’s clients are asked about by their insurers. 

The good news is that these questions themselves provide a highly accurate template on how to manage your cyber security risks in general, and gain top marks for any network security risk assessment.

1. Security awareness training
   Insurers will want you to have formal security awareness training in place for all your staff, and for the training to be maintained yearly. This is a key area of risk: the OAIC reported that 35 per cent of notifiable data breaches between January and March 2019 were related to human error, compared to just 4 per cent related to system faults.
   
   There is an incredible amount of value in ensuring your staff are continually aware, vigilant and reminded of cyber security risks. The fact is, having this type of training is a must regardless of the insurance question, because the risks you face will evolve over time.
   
   The cost of a breach relating to human error is likely to far outweigh the relatively low costs of training and breach prevention.

2. Data classification
   Insurers are likely to check that your data has been properly classified in terms of its sensitivity, its audience and the subsequent risks. Unclassified data is more easily breached, so data classification should be part of any ICT network security policy.
   
   Knowing, sorting, classifying and locking away your sensitive data is one of the most cost-effective ways to reduce the risk of unauthorised people accessing sensitive data. Some 40 per cent of cyber incident breaches are reported to be the result of stolen or compromised credentials.

3. Multi-factor authentication
   An insurer will pay attention to whether you’re using Multi-Factor Authentication (MFA) to protect your systems and sensitive data. Passwords can be quite easily compromised, either by wholesale data breaches in other commonly used systems such as LinkedIn; brute force; phishing; or social engineering.
   
   You have almost certainly had one of your passwords stolen already, through no fault of your own. This may be a shock to discover, but a quick visit to Have I Been Pwned will show you where known public breaches have already occurred. There are likely many more which have never been found or surfaced.
   
   Multi-Factor Authentication assumes that your user’s passwords may already be known; however, the attackers will not be able to reach into your system as there has been a preestablished second ‘factor’ of trust put in place, such as a smartphone-based token.
   
   MFA is a great starting point in improving your systemised security.

4. Monitoring
   An insurer will be interested in whether you have tools in place to monitor network and system activity, and how this can be used to identify unusual behaviour. The use of monitoring and alerts is a simple and effective way to make sure that normal behaviour on systems can be ignored, and unusual behaviour can be flagged.
   
   Monitoring is also one of the best ways to make sure your systems are in good health overall and should be an integral part of your ICT network solution.

5. Antivirus
   Everyone has antivirus tools running in 2020, right? Surprisingly, this is not always the case. An insurer will not only be keen to confirm that you have adequate antivirus protection, but you may also be questioned on how often it’s updated. The ability to respond to threats as they are detected as close to real time as possible is crucial.
   
   Having an out-of-date antivirus tool is equivalent to leaving the same combination on a safe which has been cracked. Once a weakness has been found, it can be used until the hole has been plugged.

6. Patching
   Patching is the unsung hero of cyber security. While other flashy tools and security products fit almost every conceivable risk, one of the best ways to protect yourself and prove to an insurer you have your house in order is to regularly patch your systems.

   Systemic regular patching will keep you highly secure due to the fact that billions of dollars and millions of hours are spent looking for ways to breach vulnerabilities in systems.

   One of the best examples was the Meltdown vulnerability in Intel processors, which was disclosed to hardware and software vendors in July 2017 ahead of coordinated release in January 2018. If you are patching your systems consistently and regularly, vulnerabilities can be closed well before they can be exploited.

   By addressing these six core components of cyber security, you can demonstrate a ‘deadlock’ of high-quality protection to your insurer, minimise your risks and exposure, and ideally gain access to far lower premiums as a result.

   The MSP model, delivered by network security service providers, works well to mitigate potential threats and ensure network and security solutions are property managed.

   When it comes to cyber security, a managed network security services approach is the way to go.

   To speak with the team at Tecala about developing your own cyber security strategy and the support to put that strategy in place, get in touch today.