Cyber security is a fast-moving target, and therefore, I regularly recommend and implement new and improved security protocols on my clients' IT and network infrastructure. Most clients agree to the new and improved security protocols to protect their IT, company information, and client data, but some hold off or delay the recommended security measures. Those that choose to hold off will typically state that they feel the new security procedures and protocols will be inconvenient to them and their staff. I gently remind them that there is nothing about cyber security, or any security for that matter, that is convenient. Security is supposed to make an individual take extra steps and follow extra procedures.
When my clients' Cyber Insurance renewals are due, they receive a renewal application with a lot of IT questions. They email the renewal form to me and my technical staff to answer the questions and fill out the IT portion of the form. Many of the forms I have received this year have more in-depth questions regarding IT security protocols. Additionally, I have had instances this year where a client had not implemented certain security measures and, after answering that they do not have the security measure in place, the insurance company has come back to the client demanding the implementation of the security protocol, along with confirmation of its implementation, before renewing the client's Cyber Insurance policy. I have not seen anything like this in past years.
The following are some of the additional security questions I have answered this year on clients' Cyber Insurance renewal forms. This is just a sampling of the new questions on different insurance carrier forms. For each, I have outlined what security protocols must be in place to satisfy the insurance renewal.
Q: Do you have firewalls and anti-virus software in force across your network, including all devices, laptops, servers, and is the software updated on at least a monthly basis?
This requires a “business class” firewall with security services enabled on the firewall, like a SonicWall TZ270 or TZ470. Additionally, Windows Firewall must be enabled on all PCs and laptops, and the anti-virus software must be up to date.
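The first question is really asking for evidence, and the quickest way to produce it across a fleet is a script. The following is an added example, not code from the original article: it snapshots the Windows Firewall profile state and the registered anti-virus product on a Windows host and flags the host if any profile is off or (for Microsoft Defender) the signatures are older than the monthly update the question asks about. It assumes a Windows 10/11 or Windows Server host with the built-in NetSecurity and Defender modules, an elevated session, and, for the commented fleet run, WinRM and a hostname list of your own; the 30-day threshold and the function name are mine.

```powershell
# Added example (not from the original article): compliance snapshot for the
# "firewall + anti-virus, updated at least monthly" renewal question.
# Assumes Windows 10/11 or Windows Server with the NetSecurity and Defender
# modules (both ship with Windows). Run from an elevated PowerShell session.

function Get-EndpointSecurityPosture {
    param(
        # Assumed threshold: the form asks for monthly updates, so 30 days.
        [int]$MaxSignatureAgeDays = 30
    )

    # Windows Firewall: all three profiles (Domain, Private, Public) must be on.
    $profilesOff = Get-NetFirewallProfile |
        Where-Object { -not $_.Enabled } |
        ForEach-Object { $_.Name }

    # Anti-virus products registered with Windows Security Center. This sees
    # third-party AV/EDR (e.g. SentinelOne) as well as Defender. The namespace
    # does not exist on Windows Server, hence the SilentlyContinue.
    $avProducts = Get-CimInstance -Namespace 'root/SecurityCenter2' `
        -ClassName 'AntiVirusProduct' -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty displayName

    # Signature age is directly readable only for Microsoft Defender; for a
    # third-party product, confirm it in that vendor's management console.
    $defender = Get-MpComputerStatus -ErrorAction SilentlyContinue
    $defenderActive = [bool]($defender -and $defender.AntivirusEnabled)
    $signatureAgeDays = if ($defenderActive) {
        [int]((Get-Date) - $defender.AntivirusSignatureLastUpdated).TotalDays
    } else { $null }

    $signatureOk = (-not $defenderActive) -or ($signatureAgeDays -le $MaxSignatureAgeDays)
    $avPresent   = ($avProducts.Count -gt 0) -or $defenderActive

    [pscustomobject]@{
        ComputerName             = $env:COMPUTERNAME
        FirewallProfilesOff      = ($profilesOff -join ',')
        AntiVirusProducts        = ($avProducts -join ';')
        DefenderSignatureAgeDays = $signatureAgeDays   # $null = not Defender
        Compliant                = ($profilesOff.Count -eq 0) -and $avPresent -and $signatureOk
    }
}

# Local snapshot for one machine:
Get-EndpointSecurityPosture | Format-List

# Fleet snapshot (assumed: WinRM enabled and hosts.txt is your own host list):
# Invoke-Command -ComputerName (Get-Content .\hosts.txt) `
#     -ScriptBlock ${function:Get-EndpointSecurityPosture} |
#     Export-Csv .\endpoint-posture.csv -NoTypeInformation
```

The exported CSV is the kind of artifact a carrier accepts as confirmation, and any row with `Compliant` set to `False` is a remediation item before the form goes back. Hosts running a third-party product report a blank signature age, so their update status still has to come from the vendor console.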
Q: Do you use Next Generation endpoint malware detection software such as Carbon Black, AMP, Sophos, Falcon, Sentinel EDR, or Defender?
“Next generation anti-virus” software is an advanced anti-virus application with artificial intelligence (AI) built into the software. The software costs only marginally more than typical anti-virus (AV) software, but it quarantines, remediates, and mitigates potential malware with precision. I recommend SentinelOne Endpoint Detection and Response (EDR). This software replaces your anti-virus software and is installed on servers, PCs, and laptops. This includes Apple Macs. They are subject to malware, as well!
Q: Do you use multi-factor authentication (MFA) including one randomly generated data point for all user access to the company systems and networks (including remote access)?
This question is asking whether you use multi-factor authentication both within your network and for remote access. Many firms have implemented MFA for remote access, using something like Duo Authentication software, but most are not using it internally to log into the network.
Q: Are Advanced Threat Protection (ATP) settings enabled for all Office 365 email users (if you use Office 365)?
Microsoft 365 Advanced Threat Protection (ATP), which has been rebranded as Windows Defender, must be enabled for each mailbox in Microsoft 365. This enhanced security feature within Microsoft 365 identifies bad links and attachments within emails. It also looks for compromising emails and fake Microsoft emails asking for credentials. This also enables multi-factor authentication (MFA) on the Microsoft 365 account. Additionally, there is an add-on feature in Microsoft 365 called Azure Premium P1 that enhances security. This enables GeoIP filtering, i.e., filtering sign-ins by the geographic location of the source IP address.
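Because the form asks whether the protection is enabled for all mailboxes, it helps to pull the actual policy state rather than rely on memory. The following is an added example, not code from the original article or from Microsoft: it connects to Exchange Online read-only and lists, for each Safe Links, Safe Attachments, and anti-phishing policy, whether the rule is enabled, whether the policy itself is active, and which recipients it covers. It assumes the ExchangeOnlineManagement module is installed, that the tenant is licensed for the Defender mail protection features, and that the signed-in account holds a read-only Exchange role; the function name is mine.

```powershell
# Added example (not from the original article): read-only check of the mail
# protection settings behind the "ATP enabled for all Office 365 users" question.
# Assumes: Install-Module ExchangeOnlineManagement has been run, the tenant has
# the Defender mail-protection license, and the account has a read-only
# Exchange Online role (e.g. View-Only Organization Management).

Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline   # interactive sign-in; an MFA prompt is expected

function Get-MailProtectionSummary {
    # Safe Links: URLs in mail are rewritten and checked at click time.
    foreach ($rule in Get-SafeLinksRule) {
        $policy = Get-SafeLinksPolicy -Identity $rule.SafeLinksPolicy
        [pscustomobject]@{
            Feature      = 'SafeLinks'
            Rule         = $rule.Name
            RuleEnabled  = ($rule.State -eq 'Enabled')
            PolicyActive = [bool]$policy.EnableSafeLinksForEmail
            Scope        = (@($rule.RecipientDomainIs) + @($rule.SentTo) + @($rule.SentToMemberOf)) -join ';'
        }
    }

    # Safe Attachments: attachments are detonated in a sandbox before delivery.
    foreach ($rule in Get-SafeAttachmentRule) {
        $policy = Get-SafeAttachmentPolicy -Identity $rule.SafeAttachmentPolicy
        [pscustomobject]@{
            Feature      = 'SafeAttachments'
            Rule         = $rule.Name
            RuleEnabled  = ($rule.State -eq 'Enabled')
            PolicyActive = [bool]$policy.Enable
            Scope        = (@($rule.RecipientDomainIs) + @($rule.SentTo) + @($rule.SentToMemberOf)) -join ';'
        }
    }

    # Anti-phishing: spoof and mailbox intelligence catch the "fake Microsoft
    # emails asking for credentials" the paragraph describes.
    foreach ($policy in Get-AntiPhishPolicy) {
        [pscustomobject]@{
            Feature      = 'AntiPhish'
            Rule         = $policy.Name
            RuleEnabled  = [bool]$policy.Enabled
            PolicyActive = ([bool]$policy.EnableSpoofIntelligence -and [bool]$policy.EnableMailboxIntelligence)
            Scope        = if ($policy.IsDefault) { 'default (all recipients)' } else { 'see Get-AntiPhishRule' }
        }
    }
}

$summary = Get-MailProtectionSummary
$summary | Format-Table -AutoSize

# Any policy that is not both enabled and active is a finding for the form.
$summary | Where-Object { -not ($_.RuleEnabled -and $_.PolicyActive) } |
    ForEach-Object { Write-Warning "$($_.Feature) '$($_.Rule)' is not fully enabled" }

Disconnect-ExchangeOnline -Confirm:$false
```

If the Safe Links or Safe Attachments cmdlets are reported as not found, the tenant is not licensed for those features, which is itself the answer to the renewal question. A rule whose scope does not include every accepted domain leaves some mailboxes unprotected, so compare the `Scope` column against the domains in the tenant before answering "all users".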
Q: Do you conduct phishing email training on at least a quarterly basis and provide additional training for users that fail this training?
You could accomplish this with annual cyber security training. Another way is to implement a product like KnowBe4, which sends out simulated phishing campaigns to your staff and registers who has opened the bad emails and clicked on anything within them. KnowBe4 also has cyber security videos with testing and tracks who has completed the training and whether they passed the tests.
Q: Have you undergone an information security assessment or evaluation and if so, attach the report and remediation steps?
A Security Vulnerability Assessment should be performed on your network annually. The assessment produces a report that outlines low, medium, high, and critical security issues on your network and with your IT. It is then recommended to remediate all the issues, with the critical and high-risk items addressed immediately. This assessment is not a penetration test, although one could be included as a separate item in addition to your security vulnerability assessment. My firm conducts Security Vulnerability Assessments annually for our clients.
These questions are a sampling of some of the new questions on clients' Cyber Insurance renewal forms. When a client does not have some of these features enabled, some insurance carriers have demanded that the firm implement the security features before renewing the policy. Of the items listed above, multi-factor authentication for remote access to the network and multi-factor authentication with Microsoft 365 have been the most demanded when a firm does not have the feature already implemented. Another feature carriers ask about is email encryption for any email containing private information.
I know this may not be a glamorous topic, but it is very important to review your cyber security protocols and procedures at least annually. Renewing your insurance forces you to do that. By the way, even as I sit writing this article, I received an email from a client asking to have a Cyber Insurance Renewal Form answered!