Cyber Risk Management: Back to Basics
Depending on the size and complexity of a business, protecting appropriately against cyber risk requires a combination of risk management measures: assessment, oversight, controls, state-of-the-art technologies and, ultimately, risk transfer through insurance.
At Chaucer, when reviewing a potential client’s risk profile, our underwriting approach first considers governance carefully. A review of basic controls and procedures can give a good indication of a company’s attitude and approach to risk, specifically their understanding of contemporary cyber risk.
There are many underwriting factors to be considered but understanding the fundamental nature and operations of the client’s business is key.
The larger and more complex the client, the more aspects will be considered, such as agility (the ability of the core business function to continue if systems are lost) and operational resilience (cash-flow reliance, location connectivity, personnel deployment and strategic planning).
Before implementing complex solutions and looking at insurance options, however, there are a few essential processes and technologies every business must have in place to protect itself at a basic level.
1. Staff training
Awareness is the first line of defence for every company, because a large proportion of successful attacks exploit people rather than technology.
- Malware most frequently enters a company's systems via phishing, through human error: staff clicking on links or opening attachments in emails sent from accounts that mimic genuine websites, known friends or colleagues, or trusted companies.
- Spear phishing and whaling attacks targeting high-profile individuals are on the rise. Training therefore needs to go all the way to the top and not focus solely on customer-facing staff or data-focused teams. In addition, companies should consider enhanced training for key people of influence, such as the C-suite or system administrators, whose accounts can be used to do far greater damage to the business.
- The larger a company's technology footprint, the greater the potential damage, so threat actors are more likely to target larger organisations in pursuit of a bigger payout. High-profile sectors such as critical infrastructure, transportation and defence contractors are particularly attractive targets.
Untrained staff are a security vulnerability if they are not aware of even the most basic rules, e.g.:
- Checking the sender address on incoming emails to make sure it is genuine and not a look-alike that differs from a real third party's contact details by a character or two.
- Checking the recipient addresses on outgoing emails to reduce the risk of a privacy breach.
- Keeping passwords complex and unique to each service, and changing them promptly whenever a compromise is suspected rather than on a fixed schedule (current NCSC guidance advises against enforced regular expiry, which pushes users towards predictable variations).
- Avoiding clicking on links or opening attachments in emails from unknown or unexpected sources.
- Understanding how multi-factor authentication (MFA) tools are used, and how to recognise when they are being abused, e.g. a run of unexpected approval prompts (so-called MFA fatigue or prompt bombing), which should be denied and reported rather than approved to make them stop.
2. Authentication and secure connections
Multi-factor authentication is a critical line of defence for every staff account: in the event of credential theft it presents the attacker with a significant additional hurdle (not an insurmountable one, since push-based and code-based methods can still be phished or fatigued, which is why phishing-resistant methods such as hardware security keys are preferred for privileged users) and it can flag attacks as they happen.
- Using authenticator apps rather than SMS codes helps ensure credentials stay secure and only authorised users can reach confidential information across the business.
- Ensuring network access is tightly controlled, e.g. limiting the number of Wi-Fi networks available in company buildings and how far beyond the premises they can be reached, enforcing strong authentication rather than a single shared password, and separating guest from corporate networks, reduces the number of people who can reach internal systems.
- Many attacks piggy-back on exposed Remote Desktop Protocol (RDP) services. If a company allows remote control of machines, this needs to be restricted to specific authorised users and to connections from inside the network (or over a VPN), because RDP exposed directly to the internet is a frequent entry point for ransomware.
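As an added example (not part of Chaucer's article or any vendor product), the following Python script shows the kind of check an identity team or SOC can run to spot the MFA misuse described above: a burst of denied or unanswered push prompts for one account within a short window, and an approval that follows such a burst, which is the pattern of a successful prompt-bombing attack. The log format and the sample lines are constructed for illustration; real identity providers export different field names, and the threshold and window are assumptions to be tuned to the organisation.

```python
"""Detect MFA prompt-bombing ("MFA fatigue") from authentication logs.

Added illustration, not code from the original article. The log format
below is constructed; map your identity provider's fields onto the same
(timestamp, user, method, result, source) tuple in parse_line().
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (not real data). One push notification per line.
# "denied" = user tapped deny, "timeout" = prompt never answered.
SAMPLE_LOG = """\
2024-03-04T09:12:01Z user=alice method=push result=denied src=203.0.113.7
2024-03-04T09:12:20Z user=alice method=push result=timeout src=203.0.113.7
2024-03-04T09:12:41Z user=alice method=push result=denied src=203.0.113.7
2024-03-04T09:13:02Z user=alice method=push result=denied src=203.0.113.7
2024-03-04T09:13:25Z user=alice method=push result=approved src=203.0.113.7
2024-03-04T09:15:00Z user=bob method=push result=approved src=198.51.100.9
2024-03-04T10:40:10Z user=carol method=push result=denied src=198.51.100.22
2024-03-04T14:05:00Z user=carol method=push result=approved src=198.51.100.22
"""


def parse_line(line):
    """Split one 'ts key=value ...' line into (ts, user, method, result, src)."""
    ts_str, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    return ts, kv["user"], kv["method"], kv["result"], kv.get("src", "")


def detect_mfa_fatigue(log_text, threshold=3, window=timedelta(minutes=5)):
    """Return alerts for push-prompt bursts and approvals that follow them.

    threshold and window are assumed tuning values: 'threshold' unapproved
    pushes for the same user inside 'window' raises a push_burst alert once;
    an approval while that many unapproved pushes are still in the window
    raises approved_after_burst, the signature of a successful attack.
    """
    recent = defaultdict(deque)   # user -> timestamps of unapproved pushes in window
    burst_alerted = set()         # users already alerted for the current burst
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, method, result, src = parse_line(line)
        if method != "push":
            continue                      # TOTP codes etc. are not push prompts
        q = recent[user]
        while q and ts - q[0] > window:   # drop prompts older than the window
            q.popleft()
        if result in ("denied", "timeout"):
            q.append(ts)
            if len(q) >= threshold and user not in burst_alerted:
                burst_alerted.add(user)
                alerts.append({"user": user, "kind": "push_burst",
                               "count": len(q), "src": src, "at": ts})
        elif result == "approved":
            if len(q) >= threshold:
                alerts.append({"user": user, "kind": "approved_after_burst",
                               "count": len(q), "src": src, "at": ts})
            q.clear()                     # a fresh session starts after approval
            burst_alerted.discard(user)
    return alerts


if __name__ == "__main__":
    for a in detect_mfa_fatigue(SAMPLE_LOG):
        print(f"{a['at']:%H:%M:%S} {a['kind']:>20} user={a['user']} "
              f"unapproved_pushes={a['count']} src={a['src']}")
```

On the sample data alice triggers both alerts (a burst at the third unapproved prompt, then an approval while four unapproved prompts sit in the window), while bob's single clean approval and carol's one denial hours before her approval raise nothing. An approved_after_burst alert is the one to treat as an active incident: the session should be revoked and the account's credentials reset, since the attacker evidently already held the password.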
3. Native toolsets
The security toolsets used across a company’s networks and data islands need to effectively secure and limit access to resources, whether they are held in the cloud or on a laptop. Without consideration of the vulnerability of each device, resource, and user, the entire network becomes vulnerable to attack.
- Endpoint Detection and Response (EDR) solutions are a minimum requirement for Chaucer to consider a client's risk. They need to be configured appropriately and monitored constantly so that threats are addressed quickly as they arise.
- Cloud security solutions such as a Cloud Access Security Broker (CASB) act as a security checkpoint between cloud service users and providers, enforcing security policies and providing visibility into cloud application usage. We look very favourably on organisations that have a well-configured, combined Secure Access Service Edge (SASE) framework.
4. Governance and Oversight of Security
Oversight for cyber security and vulnerability management needs to come from the very top – Boards need to be invested in how company financial and data assets are protected from cyber threat, and remain aware of the threats on the horizon.
- Executive monitoring and feedback are required to ensure regular adaptation to evolving threats and avoid complacency.
- Security Operations Centres (SOCs) are needed at larger companies: specialist teams that manage the daily flow of alerts, updates and patches required to keep threats at bay.
- Smaller companies may be well served by an outsourced Managed Security Service Provider (MSSP), but the MSSP must be able to cope with the size and complexity of the company.
- War gaming and Board-level tabletop exercises should be carried out at least every 12 months to ensure training, protocols and products remain suitable for the company's needs.