Cybersecurity: Insurance Policies

Insurance can play a key role in a company’s protective system, covering the cost of an incident response team and/or consultants, as well as actual business losses incurred during an attack.

“The underwriting will provide prescriptive guidance of what exposures insurance carriers are concerned about,” says Thomas LaMantia, CISSP (certified information systems security professional), based in Glyn Ellen, IL, “and a list of the risks you should address and mitigate.”

Lisa Shasteen, a Tampa, FL-based attorney at Shasteen & Percy, PA, a law firm that specializes in cybersecurity, recommends careful study to determine which areas to insure against.

“Most people run right out and buy insurance, but some won’t help or pay until a client is sued,” she says. “Insurance is highly complex and should come after deciding what risks should be covered.”

LaMantia acknowledges that it’s impossible to limit exposure completely, but if a company’s environment is fortified and segmented, “hackers will move on to an easier target.”

And if hiring a professional for regular checks is beyond budget, businesses should patch their systems at least once a month. “Get a baseline and check it regularly,” he recommends. “Keep good backups—offline and separate.”

Other defensive moves

Every organization, says Greg Gatzke, president of ZAG Technical Services, Inc., a San Jose, CA-based IT consulting firm and managed services provider, should require multifactor authentication or MFA to access email and systems.

“Kids have it on their Gmail accounts, so at least protect your business as well as your kids protect themselves,” he says. “If you don’t require it, you will be hacked.”

A “modern” antivirus solution should also be in place.

“We’ve seen Cisco Amp and Silence work wonders during an attack,” Gatzke shares, adding he finds most “traditional” antivirus solutions worthless.

The next step is to ensure backups are quickly recoverable and the administrator account in Microsoft cannot delete them, Gatzke advises, noting this is best done through snapshots. “You must know how quickly you need the systems back up, should they be infected,” he says.

A good rule of thumb is to get critical enterprise resource planning or ERP systems up in 24 hours. “That seems like a long time, but when you have to perform many security tasks prior to starting the restore, 24 hours will go by quickly,” he notes.

“The cost for other defenses can vary greatly,” Gatzke points out. “They’re scalable depending upon risk aversion. Defenses can be built based on a budget, but the budget will go up for larger enterprises and for more advanced entities.”

Source: Blue Book Services, Inc.