As Swedish businesses struggle to get cyber insurance cover, Simon Højmark, cyber specialist from QBE Nordics, leading provider of cyber cover in Sweden, gives his top tips on how businesses can improve their security profile.
October is Cyber Security Awareness month, an opportune moment for Swedish businesses to take stock of their cyber security and plug any gaps that might let criminals in. There are five key areas to focus on:
General IT Security
- Are you sure all your systems are always kept up to date with necessary security updates? This doesn’t mean simply relying on your anti-virus being up to date, it’s important to understand the process for managing software vulnerabilities and updates, even if an external IT provider delivers the service.
- Do you have multifactor authentication (MFA) in place on all remote connections and admin accounts? This requires the user to have two pieces of information to access the system, so that if one is compromised (e.g. the password is guessed), a second step is required (e.g. a code sent to a mobile phone or email address, biometric recognition) before access is provided.
- Do you ensure your businesses or employees are not using unsupported systems, and where these are unavoidable, are you sure they are isolated from the internet and the rest of your network?
- Do you know the difference between vulnerability scanning and pen testing and how often do you do either? Simply put, vulnerability testing scans and evaluates your IT systems for weaknesses, whereas pen testing will be a simulated cyber attack against those weakness to see just how bad the situation might be.
- Your employees can be your weakest link when it comes to cyber security and it is so important to have an education programme in place that remind employees about the risks, how to sport suspicious activity and what to do, and crucially not do.
- Sporadic phishing simulations are also recommended to highlight areas of your workforce you mind need to spend more time educating about the risks.
Business continuity should be a key focus for all companies, with clearly laid out processes and priorities to help protect your data, your reputation, your revenue and ultimately your recovery. Some key questions to consider are:
- Do you carry out regular offline backups of critical data?
- Do you segregate your IT (your business’s front-end technology) from your OT (back-end technology, such as machinery) by using for example firewalls or air gapping?)
- Do you isolate different locations?
- Do you have a business continuity and/or disaster recovery plan in case of a network outage? Have you practiced the application of these plans?
- How careful are you with the data you hold? Is sensitive data adequately secured with appropriate encryption? Are you only holding the data you need and disposing of non-essential data properly? Do you limit the number of employees with access to sensitive data?
- Is your business required to be PCI-DSS compliant? Businesses that hold, use, or transmit cardholder data must hold this accreditation.
Cyber insurance underwriters will take the above factors into consideration when deciding whether to offer coverage and at what premium but even if your company is not currently looking for cyber cover, taking these security precautions just makes business sense.