Cyber insurance is getting harder for companies to find — and it’s likely going to get harder. While cyber insurance is becoming more of a must-have for businesses, the explosion of ransomware and cyberattacks means it’s also becoming a less enticing business for insurers. (Source: Harvard Business Review)
This quandary is putting today’s businesses in a tough spot. Cyber insurance is important, but premiums are steep (and climbing), and the requirements to qualify for a policy are also growing. To keep premium costs affordable, insurers are requiring a comprehensive list of good hygiene practices around security controls. These include:
- Multifactor authentication (MFA) for remote access and admin/privileged control.
- Endpoint Detection and Response (EDR).
- Secured, encrypted and tested backups.
- Privileged Access Management (PAM).
- Email filtering and web security.
- Patch management and vulnerability management.
- Cyber incident response planning and testing.
- Cybersecurity awareness training and phishing testing.
- Hardening techniques including Remote Desktop Protocol (RDP) mitigation.
- Logging and monitoring/network protections.
- End-of-life systems replaced or protected.
- Vendor/digital supply-chain risk management.
While the list above may seem overwhelming, each item is key to maintaining a defense against attack, and together they provide a roadmap for addressing the growing demands of maintaining cyber insurance more efficiently.
What if cyber insurance isn’t an option?
Cyber insurance is always an important element of a company’s security program. However, we are also seeing situations where coverage may not be obtainable because:
- Insurers are moving away from providing coverage for certain types of ransomware events and/or adding huge increases in deductibles to provide these types of coverage.
- Customers want to add or obtain coverage for the first time and can’t find an insurer willing to cover them.
When customers are unable to obtain insurance, the most important approach is to invest in their security program.
An effective security program doesn’t always mean more tools.
At OneNeck, we take a different, “non-tool” approach to security first. Instead of starting with point solutions, we align with the Center for Internet Security’s Security Controls, a framework that provides a prioritized set of actions to address security gaps; tools are aligned to those actions afterward. In fact, we believe so strongly in the CIS Controls that we use them in our own business as a Managed Services Provider (MSP) that must pass rigorous annual compliance audits.
The CIS Controls allow our clients to understand where they are from a security risk perspective and then build out a step-by-step security plan that aligns to their unique environment.
OneNeck – We’ve got your back.
Whether it’s a service, an infrastructure solution or a cloud solution, we are here to help you decide what the best, most-secure course of action should be.
We proactively work with our customers to understand their current security controls and provide recommendations on how to better leverage their current investments in people, process, and tools. We then provide recommendations for the next investments that will not only provide better security for their business, but also provide a roadmap to address the growing demands of maintaining cyber insurance more efficiently and in a timely manner.