Given the scale of cyber-attacks, we aren’t surprised to be hearing reports of insurers applying a “duty of care” test before agreeing to pay out.
It may send chills up your spine, but when you consider it, it makes sense: insurers apply the same test to vehicles, buildings and people. How would your organisation fare in such an evaluation? Are you as covered as you think?
We’re now all used to systems like multi-factor authentication, and multiple complex passwords. Hopefully we all have password vaults in use, and complex passwords that drive us slightly mad. Likewise, hopefully we are all experiencing regular phishing tests and other awareness tools.
Does that mean you can relax? NO!
The risks of cyber-attack are increasing
Cyber-crime is a big business now, and the hackers have become very efficient. While some of the hack attempts are pretty obvious, others are very sophisticated scams.
To avoid being scammed, we have to be at the top of our game every hour of every day. The hacker only has to get lucky once. Unfortunately, busy people, with all sorts of pressure and distraction, will be vulnerable to making a mistake, and that’s when your insurance will be vital.
However, the insurer wants you to minimise their risk, and you do that with layers of protection that align to a recognised standard such as the NIST Cybersecurity Framework (Cybersecurity Framework | NIST).
That framework sets out a number of steps organisations should take to reduce their risk. The question for your organisation, and for the organisations you work with, must be to check that you ARE doing these things.
For example:
- Do you have an inventory of all the devices used to access your systems and data? In these days of work-from-home, that is increasingly hard to do.
- Do you know all the software tools used within your organisation? What do you need to monitor to know the protections they need are in place?
- When assets, either hardware or software (e.g. web-based systems), are retired, how do you know your data has been removed?
- Have you prioritised which assets are most important, i.e. the most mission-critical or holding the most sensitive data? What is the appropriate level of response and investment for each of these?
- Who is responsible for cyber-risk and data privacy in your organisation, and if it is multiple people, are the responsibilities clear and are the resources they need available to them?
- How do you manage access credentials to these key information assets so that only the right people have access, and how do you log, verify and audit that? Are access privileges kept to a minimum?
- Who are your key stakeholders and who needs to know if you do come under attack?
- Who are you a stakeholder for? Who do you rely on and how confident are you of the steps they are taking to protect their organisation?
- While you might be under a cyber-attack, for example a denial-of-service attack, how can you continue to serve your customers?
- Are you monitoring the environment for signs of events and hacker activity?
- Do you know how data moves within your organisation? How is it protected in transit from system to system, or at rest in a system, including the web browser used to access it?
- Have you got a recovery plan, and have you tested it?
This list could go on, and the NIST framework is comprehensive, breaking each of these steps down further. It might seem like a lot of work, and it is, but what happens if you don't keep up?
For most NZ organisations, this boils down to:
- protecting your tools: knowing what you have and where it is, and what needs to be done to maintain it
- protecting your people: ensuring they are aware of the cyber-risks around them and practise good hygiene, and protecting the credentials they use to access the tools they need
- systems and policies to govern these items: refreshing the steps and protections as circumstances evolve, and having a plan for when things do happen.
Are you ready? The reality is that your systems have already been under attack, and they will be under attack again with more sophisticated approaches. All it takes is one mistake, or one overlooked protection, and the hackers will get in.
We can help you assess your protections, and ensure they are at the right level for your business.
A Kinetics FlightPlan is the structured process to easily help you find the answers to these questions, and more.
For more information, contact us today.