Whilst cybercrime is one of the most talked about subjects in business and the media it is still one of the most misunderstood. With remote and hybrid working seemingly here to stay, making sure your company is cyber secure should be a top priority.
A common misconception about cyber-attacks is that they only happen to large corporates. Unfortunately, the reality is that SMEs are more likely to be targeted by hackers, with upwards of 10,000 hacking attempts daily*.
Many insurers are now looking for companies to have certain simple measures in place to help reduce their risk of falling victim to cybercrimes:
Multi-Factor Authentication (MFA) or Two-Factor Authentication (2FA) is where the user is prompted for an additional form of identification as part of the sign-in process.
Trusted devices are considered one form of authentication (as they are not easily duplicated), and a second method can be as simple as a password/PIN or a biometric. MFA and 2FA are essentially the same thing – although MFA allows additional layers of authentication if required.
A basic method to minimise the impact of ransomware attacks is to back up systems and data regularly. However, backups are of little use if they sit on the same system, so they need to be kept separate and isolated from the network. Preferably, the backups should also be protected with encryption.
It is even better if organisations can demonstrate that there has also been a test for full restoration and recovery (of systems and data) within the previous year.
Even before Covid-19, many organisations allowed employees to access their network remotely. That trend has clearly risen sharply (along with the exposures) and looks set to remain, which is a concern for insurers.
Basic controls would include MFA/2FA for remote access as well as restricting access to sensitive data. Placing remote access behind a VPN (Virtual Private Network) is also highly recommended, rather than exposing remote access services directly to the internet.
If third-party organisations have access to your IT networks, make sure you thoroughly understand what level of privilege they have and take time to review any third-party security practices. Remove any third-party access that’s no longer required.
Other top tips
- Antivirus software – Bolster your defences by ensuring antivirus software is installed correctly and active on all systems.
- Device security – check the security defences of all other devices such as laptops and mobile phones. Consider the National Cyber Security Centre’s device security guidance.
Email is one of the main vulnerabilities of any organisation. Again, simple solutions can offer additional protection. Checking SPF (Sender Policy Framework) on inbound email verifies that the server sending a message is one the sender's domain has authorised, which helps to detect spoofed senders. Pre-scanning emails for malicious attachments is another basic tool.
Incorporating MFA/2FA on email systems gives the organisation increased protection against BEC (Business Email Compromise), which is a dominant feature of many successful access attempts.
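As an added illustration of the inbound SPF check described above (example code written for this page, not taken from it), the following Python evaluates a sending server's IP address against SPF records held in a constructed in-memory DNS table. The domain names and records are made up for the example; a real mail gateway would query DNS for the envelope sender's domain instead.

```python
import ipaddress

# Constructed TXT records standing in for DNS lookups (hypothetical domains).
DNS_TXT = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:_spf.mailhost.example -all",
    "_spf.mailhost.example": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all",
    "nospf.example": "",  # domain that publishes no SPF record
}

# SPF qualifier prefixes and the result they produce when a mechanism matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain, sender_ip, depth=0):
    """Evaluate the SPF record of `domain` for a message sent from `sender_ip`.

    Returns one of: pass, fail, softfail, neutral, none, permerror.
    Only ip4, ip6, include and all are handled here; other mechanisms
    (a, mx, exists, redirect) are reported as permerror to keep the example short.
    """
    if depth > 10:  # RFC 7208 caps lookups; treat runaway includes as an error
        return "permerror"
    record = DNS_TXT.get(domain, "")
    if not record.startswith("v=spf1"):
        return "none"  # no SPF policy published for this domain
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"  # mechanisms without a prefix default to "pass"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term == "all":
            return QUALIFIERS[qualifier]
        mechanism, _, argument = term.partition(":")
        if mechanism in ("ip4", "ip6"):
            try:
                # A bare address is treated as a /32 or /128 network.
                matched = ip in ipaddress.ip_network(argument, strict=False)
            except ValueError:
                return "permerror"
        elif mechanism == "include":
            # include: matches only if the referenced domain's policy says pass.
            matched = check_spf(argument, sender_ip, depth + 1) == "pass"
        else:
            return "permerror"
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # nothing matched and the record has no "all" term
```

A mail gateway would typically reject on "fail", quarantine or tag on "softfail", and treat "none" as a signal that the domain cannot be verified at all.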
Staff can often be the biggest vulnerability for a business when it comes to cyber-attacks. In a busy (and more remote) workforce mistakes can easily happen, but the implications can be devastating.
A fully implemented training program for all employees (including identifying phishing scams) is ideal. But even basic training such as free modules from the National Cyber Security Centre can be useful and easy to implement.
According to Symantec, one in every 3,722 emails in the UK is a phishing attempt. Therefore, it’s vital to ensure you have a process in place to deal with any reported phishing emails.
Further, ensure that your staff are made aware of any heightened cyber-risk. Getting buy-in from employees is crucial to help facilitate the adherence to the cyber-security strategy. Also, make sure everyone knows how to report suspected security breaches quickly.
The questions you need to ask about your cyber insurance
Don’t leave your business open to attack. Use our cyber essentials checklist to help get you on the right track to building a culture of security in your business. If you’ve answered ‘no’ or ‘don’t know’ to some of the questions below, we recommend you review your current situation and put protection strategies in place.
How often are you reviewing your cyber insurance?
- 1 year
- 2 years
- 3 years
- Over 3 years
- Don’t have any
Are you confident you’re covered for:
- Phishing attacks
- System damage
- Regulatory fines
- Privacy liability
Would you know what to do if your company suffered a cyber-attack?
Are you Cyber Essentials certified?
- Don’t know
Does your current policy include support during and after a cyber security incident?
- Don’t know
What cyber security measures do you have set up in your organisation?
- MFA/2FA
- Back-ups
- Remote access
- Email protection
- Staff training
*Source: Federation for Small Businesses (FSB); CFC, “5 reasons hackers target SMEs”.