With the threats that businesses face today, you may be considering cyber and ransomware insurance. Many insurance companies are even starting to include questions related to cyber and ransomware for typical errors and omissions (E&O) insurance policies.
Some questions about cyber and ransomware on insurance applications may include systems and processes that are unfamiliar or that your organization does not have in place. Remember, these forms are typically created for many different business types, so you may not need an answer for every line item.
Use this Data Evolution guide to help you answer questions on your insurance application or establish any necessary systems and processes depending on your business size and type.
Email is the biggest attack vector for modern organizations of any size and industry. Example threats include malicious email attachments, malicious links, and phishing emails. Many people also send sensitive information through email, so a compromised email account is a serious issue.
Your insurance application will most likely include questions focused on your email system. Be prepared to provide information about the following:
- Do you screen emails for potentially malicious attachments and links?
- Are suspicious emails quarantined?
- Are you using Multi-Factor Authentication (MFA)?
If you have any questions about these items or need help setting up email security, let your Data Evolution experts know.
End-user security training
Did you know social engineering attacks are one of the most significant threats to your data security? Social engineering attacks, such as email phishing, target individuals to trick or manipulate them into providing confidential information or money for fraudulent purposes.
These types of attacks are most successful if the targeted person is too busy to look for signs of fraud or unaware of potential threats. End-user training aims to counter social engineering attacks by teaching people how to recognize and avoid scams.
Your ransomware insurance form may ask if you are training your end users to improve security awareness and reduce threat vectors. Learn more about how to smoothly incorporate end-user security training in your organization.
While social engineering is a significant threat to your data security, every business should also ensure they have the proper protection on their end-user systems, servers, and networks.
- Implement a modern-day endpoint protection product for your devices, servers, and local and cloud networks.
- Encrypt the hard drives of systems that hold data, including employee hard drives if you allow them to store data on their systems.
- Apply critical patches to your computer systems as needed.
- Ensure your update system is turned on and working properly.
- Use a password manager or single sign-on (SSO) solution to allow for very strong, randomized passwords that can be accessed by your users with a single password.
It can help to lean on a managed services provider (MSP) such as Data Evolution to monitor and manage your systems security. This precaution will help ensure your security measures are in place and functioning correctly.
Are you backing up critical data? Here are some questions you may need to answer as part of your ransomware insurance application:
- How often do you back up critical data?
- Where does the backup data reside?
- Is the backup data protected, whether encrypted in a cloud system or on a secure backup device such as a hard drive or tape?
- Have you performed a test restore? Even testing a small chunk of data will suffice.
Besides being a potential ransomware insurance topic, backups make good business sense. Your organization is most likely dealing with a lot of important data. Losing this information would be costly, both in terms of data recovery and critical delays in your work.
If you have a local network in place at your office, you may need to answer questions about intrusion detection systems, external vulnerability scanning, and penetration testing. Many small businesses do not have these items in place, but they are necessary if you have internal servers or any external-facing systems – including systems that connect to the Internet.
Policies and procedures
Most organizations have established policies and procedures in the form of a company handbook. Here are some specific questions you may face on your ransomware insurance form:
- Do you have written policies and procedures regarding computer security, information security, and computer use?
- Do you have a business continuity plan or disaster recovery plan?
- If you are using any cloud-based systems or applications, do you have an action plan in case any issues arise with the provider or your office?
It can be daunting to develop policies, procedures, and action plans. However, it is good practice to outline the basics in a written document and ensure the right people know how to act on them. Learn more about how your Data Evolution team can help with this.
Most importantly, do not worry if you are missing some programs and other items from your ransomware insurance form. Having the basics in place should satisfy your application requirements. It may benefit you to consider adding security measures that the form asks about to help better secure your business.
If you need any help understanding the questions on your ransomware insurance form or understanding how some of these systems and policies can help your business, ask your trusted IT partner. Data Evolution has experience with these forms and can guide you through whatever you need. We are always here to help.