Is Cyber Insurance worth the paper it’s written on?
A lot of companies are looking at Cyber Insurance. However, the article ‘Zurich Insurance CEO: Cyber Attacks will be “Uninsurable”’ indicates there is a thought that a cyberattack may become uninsurable. Why is that? Hear Kevin Lyons, 3rd Line Engineer at Outsource Group, talk about how to mitigate against this and limit your attack surface.
Besides the potential loss of data, there are days of lost or disrupted productivity spent investigating, restoring and rebuilding the system.
I have worked with some great people in the cybersecurity field and concluded no system can ever be completely protected; all you can do is make your attack surface as small as possible and put up as many defences as possible and hope that the potential attackers move on or a breach is limited. How do you do this?
1. Limit where company data can be accessed – if a user has three devices it is a bigger attack surface than a user having one device.
2. Think seriously about BYOD – are users accessing data with devices that have at least equivalent security to your company devices?
3. Are all systems as up to date as they can be? – Microsoft products are generally patched through Windows Update, but what about the other applications on your systems?
4. Are you running out-of-date systems because of out-of-date applications? – a company’s key system may not run on the latest version of Windows, so the older version of Windows is sometimes at the heart of their network, potentially exposing every other connected system.
5. Do you have proper segregation in place? Do external people come in and connect to your corporate Wi-Fi? – there is no telling what their device has on it and how it could potentially interact with your systems.
6. Do you set up and review security groups for folders and applications? – if a user does not need access to a file share or application, then their having it increases the attack surface.
7. Last but not least, are your users aware of the threats out there? – users sometimes think that IT is there to stop them doing something because they don’t like it; the problem is that sometimes the user’s ‘solution’ actually creates a bigger security hole, as they don’t understand why access is being restricted. Talk to the users and let them know what you are up against.