When it comes to cyber cover, we know that one size doesn't fit all. That's why we look at risks, businesses and their security objectively, considering what is necessary and what is overkill.
While we've made our application form as simple as possible, with most questions needing a simple "yes" or "no", we know many customers still find the process onerous. That's why we want to explain why we ask the questions we do on a cyber insurance application form, and why they're so important – to business owners and us.
Our underwriting approach is risk based. The more information you can give us about how you mitigate particular cyber risk, the better we can make informed decisions about your cyber maturity.
Not everything you read about here will be appropriate for all businesses. What might be a worst case scenario for one business may have little to no impact for another. Many customers will have total reliance on their IT/security provider, but with any service that is outsourced, the risk is still owned by the business.
We've broken elements of cyber security down into sections covering infrastructure, software and systems, emails and data, passwords and access, and last but by no means least, people. In reality, there's lots of overlap, but we hope you find this a useful overview.
Use this contents list to quickly navigate to the section that interests you.
Emails and data
Passwords and access
An asset register lists an organisation's assets, including endpoints, servers, software packages and sensitive data.
Endpoints are the physical devices – laptops, desktops, mobile phones – that connect to and exchange information with an IT network. They are the principal doorway to a business's IT infrastructure, making them particularly vulnerable.
It's important that businesses have an asset register in place and up to date so that they can tell who and what is on their network. Without this, it's very difficult to manage those assets and keep them updated and regularly patched.
A mature asset register will also have a level of criticality applied to it. This means that in the event of a breach, the business can prioritise the restoration of assets according to their critical roles in operations.
Cloud-based infrastructure is accessed via the internet – think of services such as Google G-Suite and Microsoft 365. They allow businesses to use computing resources without having to manage the day to day admin of managing the physical hardware, such as replacing servers after a few years. In short, it means people can log in and work from anywhere.
These well-known cloud service providers, due to their scale, often have better resilience against traditional environmental threats, but there is still a need to protect these environments from the ever changing threat landscape.
Segmenting a network helps to control the spread of a ransomware attack from spreading outside the initial infection point to the rest of the network. It limits the damage that can be done and gives confidence to a business that a segment is untouched and can remain operational in the event of an attack somewhere else.
A threat actor knows businesses rely on backups and will try to target them. How they're stored and how frequently companies test how quickly they can be used to restore data is another vital security practice. In an attack, businesses need to check that their backups are not infected before restoring the environment. Each business should consider the frequency of backup appropriate to them. Less infrequent, and you will be missing a lot of data. Too frequent, and you may have backed up a virus or malware. The frequency of the backups should be linked to the criticality of the system.
Backups are an important prize to a threat actor; they can be the difference between paying a ransom or not. The monitoring and detection tools and security protocols involving MFA and encryption are all critical.
Patching cadence is probably the most important security process. Many of the ransomware incidents in 2021 and 2022 were because of unpatched environments and software.
Threat actors are swift in targeting a known vulnerability, so businesses need to be as fast in their patching process, including emergency patching. This is especially the case for zero days that are being actively exploited.
If a laptop is lost or stolen, encryption stops a bad actor simply removing the hard drive and plugging it in elsewhere to access the data. Somebody would need the encryption key to decrypt the data.
Encrypting data is one of the easiest things to do, but also easy to get wrong. When unencrypted data is sent to a third party, it's easy for anyone sitting on that network internally and potentially externally to take a look. Personal, sensitive, confidential information should always be encrypted to stop that from being possible.
Removable devices such as USB storage devices or hard drives allow the user to download data and remove it in a matter of minutes. They can also be used to introduce viruses onto devices. Removing the ability to use these devices reduces the risk and ensures that data is shared using channels that can be tracked and audited. While it's not always possible to completely block these devices for some businesses, using a removable device that requires a PIN code is an alternative.
There are various ways businesses can test security robustness. Red teaming and penetration testing involves employing an external company with the challenge of breaking into systems and can include physical office space - offering an independent view of security. Testing is only effective if the findings of a test are assessed and implemented.
Anti-virus software sits on laptops and servers (and increasingly phones) to look for viruses or pieces of malware that might be on the machine.
The latest generation of this protection technology is EDR (Endpoint Detection and Response), this not only looks for signatures but also looks for activity associated with malware. UBA (User Behaviour Analytics) also makes up part of this, looking for suspicious activity.
It's also looking for a 'signature'; specific code, a set of activities or user behaviour that's unusual or malicious. The software will flag and block suspicious activity.
Insurers are looking for this protection to be on a high proportion of endpoints.
This monitoring system and process is designed to identify and alert a business to unusual behaviour on its network and block that activity. It's an early-warning system to ensure that if someone did get into the network, they would be spotted and their access isolated.
For example, if someone is trying to log into their laptop and gets the password wrong 20 times, an alert would be sent to the monitoring team, such as a Security Operations Centre (SOC). Regular reviews of alerts and logs by analysts combined with automated tools can help stop an attack in its tracks.
Email filtering tools are looking for malicious content and spam. These tools check the domain the email is coming from. If they identify a suspicious email, the tool will block it from reaching its recipient until it's been verified. They also look for known 'signatures' including malware, attachments, specific file types and links.
This is a framework that makes sure emails are sent securely. It reduces the opportunity for a bad actor to send an email that looks like it comes from your organisation.
In 2021, the largest entry point for a bad actor was through exploiting software weaknesses. Now that has shifted, and phishing tends to be the point of entry. Having a sender policy framework in an email environment reduces that risk.
A data classification system is a method of categorising business information. Categories such as top secret, confidential, internal and public help to prioritise the level of security needed for each group. It's very difficult to protect data across an entire organisation if it's not subject to data classification.
In the event of a ransom attack, a business will be able to identify if the data held is confidential or publicly available and may not be inclined to pay a ransom for publicly available data.
DLP software works in conjunction with a data classification system and controls the way endpoints can treat data according to the classification labels applied to it. For example, something classified as top secret will be blocked if someone tries to send it to a Hotmail account. Controls can apply to removable media, emails and sharing through sites such as Dropbox.
Threat actors can use computer programs to run every combination of passwords to gain access (this is known as brute-force attack) , so a strong password that's made up of phrases and numbers is the most secure. But even a strong password can be broken – better protection comes from the combination of both a strong password and MFA.
Now a more widely known term, MFA uses multiple authentication types before access is allowed. This is based on something you know, something you are, and something you have.
Using the same username and password for multiple accounts puts employees at risk of something called credential stuffing. This is where details for one account is leaked online, and a threat actor tries those same credentials in multiple places to see where they can get in.
With MFA in place, even if the user name and password are available, the bad actor would need something else, such as access to a text message or notification on a mobile phone with a one-time-use code.
Applying MFA beyond the standard user accounts is critical in business. For example, access to industrial control systems, accounts with admin access or critical data, and employees accessing the network remotely or using personal devices.
Importantly, the passwords on admin accounts for certain servers need to be exceptionally complex to the point where people can't remember them, write them down or even type them manually. That's where Privileged access management tools (PAM – see below) can be used to control access.
PAM tools are used to provide an additional level of security to accounts that have high amounts of access and privilege. Think of a PAM tool like a bank vault, with various safe’s within it. Depending on what level of access you need dictates what safes/accounts you can get access too.
People in these positions are the most valuable targets for threat actors. Therefore, the use of MFA and unique login credentials for admin users, to whole accounts or specific systems can give an added layer of security to those most vulnerable.
Regular review of the activity on these accounts and who has access to them, could stop an incident before it escalates. Most threat actors will gain access via a basic user account and then move laterally across the network until they can get their hands on an account that can do some damage.
Technology and software do a phenomenal job at keeping IT systems safe, for the most part. But, the end users – real people – have a role to play too. It is also true that through accident or malice, the actions of employees within an organisation can pose a significant threat.
The nature of cyber threats evolves and changes all the time. If something does get through, it's important that employees recognise it and know what to do – and what not to do. Equally, it's critical to maintain oversight of individuals within an organisation that have high levels of access as part of their role.
Training people using real-life scenarios means they will be better equipped to react quickly and effectively in the event of an attack. Tabletop exercises are engaging and offer a first-hand perspective on the activity and decisions that will need to be made. Bad actors can now pretend to be the boss and demand data or money to be transferred somewhere. We're even seeing cases of Zoom calls using deep fakes to recreate a person's voice or face.
Brit cyber policy holders have complimentary access to Datasafe; a risk management training solution covering phishing simulations, specific training and even one-to-one time with an experienced CISO to bolster a business' IT Security resources and provide them with an external, independent view of their arrangements.
This principle is about making sure employees only have the access they need to do their job. Most staff don't need admin, HR and Finance system access. Another consideration is when users move roles, and whether they are they building up access that they don’t need.
This is quite advanced protection that looks for any user behaviour that's out of the ordinary or suspicious – it could be an insider threat or a threat actor inside your network. For example, if a user went on to a shared drive and deleted everything or tried to access applications they have no reason to use as part of their work, a behavioural analytics tool would flag that and enable the business to monitor the activity of that person, or block it entirely.