Are you ready for cyber insurance requirements?
If you already have cyber insurance or working on taking out insurance for the first time, you'll find that insurance providers are rapidly increasing their requirements on policyholders.
Insurance providers, understandably, want to lower their risks; they expect clients to ensure their IT systems are protected to reduce the risk of an attack (and, of course, having to pay out on claims).
Over time, those requirements have become more rigorous, and that trend will only continue.
It’s not all bad news, though – good cyber security isn’t just about the insurance; it also makes your business more resilient and improves customer success.
Improving security for cyber insurance
Every insurance provider will have its requirements, but many aspects are common across most policies.
Protect Access to IT Systems
Most providers require multi-factor authentication (MFA) for at least the administrative accounts used within IT. Some go further and expect MFA access across all users.
IT teams must show insurers that they have MFA systems in place and that they’re being used. They should also show that they have good protection around those accounts. For example, who has access to which systems, how and when are account credentials updated, and are accounts removed as soon as there’s a suspected breach or a member of staff leaves?
Privileged Access Management (PAM) can address these and many other requirements.
Protect vendor access
As well as the protection of administrator accounts, additional levels of protection may be needed for external accounts, such as those for IT service providers. Most organisations depend on external partners that need access, for example, to update building management systems, run the company website and much more. But there’s usually less control and visibility into those partners’ IT systems.
Reduce the chance of attack
A typical entry point for attackers is the laptop or workstation staff use in their daily work. Even with the most stringent training and testing (which is also an essential requirement for insurers), there should also be systems in place to handle the situations where humans make mistakes, as they are bound to do.
Removing local admin rights prevents malware from being installed locally, but that has to be done in a way that doesn’t impact staff productivity. That’s where Privileged Endpoint Management (PEM) becomes an important security measure.
Increase the chance of recovery
Even with the best protections in place, there is always a chance that an attack will evade the defences. Insurers will look for additional protection around critical systems, such as backups.
Ransomware attacks try to make recovery as hard as possible; that’s why they encrypt or destroy backups or damage the hypervisors used to run IT systems such as databases, web servers, etc.
PAM protects those critical systems, and the National Cyber Security Centre (NCSC) recommends PAM use specifically for backup systems.
How Privileged Access Security Addresses Insurance Requirements
Prevent misuse of privileged accounts
The most basic requirement is protection of privileged (administrative) access to IT systems. Organisations should consider not just those systems hosted with the IT organisation, but also those across the business such as the sales and marketing automation systems, HR systems, finance systems, potentially even social media accounts. An attack on any of those systems could lead to claims against the cyber insurance policy.
Using automation for all IT processes that depend on administrator access adds another level of protection for critical systems. Privileged Process Automation (PPA) ensures that all corporate and regulatory processes are followed, and users can't do anything they shouldn't. For ex
Show insurance providers that you take steps to prevent the installation of malware as another level of defence beyond staff training. Users have often been given a "local admin" account to install applications without asking the IT help desk. The user is happy because they can make changes without waiting. IT are happy they're not involved in minor tasks and can concentrate on more significant projects.
Unfortunately, it means it's easy to install malware. Osirium's Privileged Endpoint Management (PEM) allows IT to remove those risky local admin rights without increasing the workload for the help desk. If users can only install or run approved applications with elevated privileges, it's much harder for malware to infect the organisation.
Prevent lateral movement
Show insurers that you're taking steps to safeguard the systems needed for recovery after an attack, as that can greatly reduce their exposure. All access to critical IT systems should always be via Privileged Access Management (PAM), especially cybersecurity tools, databases, servers, network switches, and backups. As well as preventing unauthorised access to those valuable admin credentials, PAM makes it easy to spot suspicious activity on the network.
PAM also encourages good credential practices. Humans are not good at using complex passwords, but password management with PAM removes that risk. Regular rotation of passwords becomes easy. As passwords can be updated in one place, the changes are fast, and there's no need to inform anyone who may access the systems - if you even know who they are.
For more information
If you'd like to know more about how Osirium Privileged Access Security can be used to address cyber insurance requirements, please use the form below, and we'll be in touch.