Posts

What is Pen Testing and Why You Should Care

/in

Penetration TestingCyber threats are evolving at an alarming rate, posing significant risks to your business. Penetration testing, commonly referred to as “pen testing,” is becoming a vital, proactive tool for assessing your risks.

Pen testing simulates a cyber attack on a computer system aimed at identifying vulnerabilities and testing the security of IT systems. Pen testing goes beyond electronic systems; it encompasses the entire IT ecosystem, including human elements and physical security. 

As cyber threats diversify, pen testing has become an important cybersecurity practice and an emerging requirement for cyber insurance.

Types of Pen Testing

Pen testing falls into various categories, each targeting different aspects of your business’s IT infrastructure:

  • External Testing:
    Evaluates vulnerabilities in the systems that are visible from the outside, such as web applications, servers, and network devices. It simulates attacks attempting to breach your network from the Internet.
  • Internal Testing:
    Examines what could happen if an attacker gains access to the internal network. It highlights potential damage and data exposure risks from within your organization.
  • Targeted Testing:
    A collaborative effort between your IT team and the testers, providing real-time insights into the attacker’s perspective and your response.
  • Blind Testing:
    Testers receive limited information about the target, mirroring the knowledge an actual attacker might have. This helps assess your organization’s security posture from an outsider’s perspective.
  • Double-Blind Testing:
    An advanced form of blind testing where neither the testers nor the IT staff are aware of the test. It evaluates the effectiveness of the security monitoring and incident response processes.

Benefits of Pen Testing for Businesses

Investing in pen testing offers businesses several compelling advantages:

  • Identifying Vulnerabilities:
    Pen tests expose weaknesses in systems, applications, and networks, allowing you to address them before they are exploited.
  • Prioritizing Risks:
    Not all vulnerabilities carry the same weight. Pen tests help you prioritize risks based on their potential impact and likelihood, guiding you on where to focus your efforts and resources.
  • Enhancing Security Measures:
    Insights from pen tests can guide the implementation of stronger security controls, such as multi-factor authentication, data encryption, and improved access management.
  • Boosting Cyber Insurance Prospects:
    Many insurers require regular pen testing as part of their coverage criteria. Demonstrating proactive security measures can lead to better terms and premiums.
  • Regulatory Compliance:
    For industries with stringent regulatory requirements, pen testing can help you assess compliance with standards like HIPAA, PCI-DSS, and GDPR. It can also help you benchmark against cybersecurity frameworks, such as CIS, NIST, and CMMC.

Getting Started

The best way to get started with pen testing is to perform a basic, preliminary scan of your environment. Referred to as a “Level 1” test, this snapshot provides a baseline assessment. From this assessment, you can determine what, if any, mitigation efforts are needed to improve your security, meet compliance requirements, and/or secure cyber insurance.

Your Next Step

Cumulus Global offers a free Level 1 Pen Test to qualifying organizations. Click Here to Request your test and to access related resources.

About the Author

Bill Seybolt bio pictureBill is a Senior Cloud Advisor responsible for helping small and midsize organizations with cloud forward solutions that meet their business needs, priorities, and budgets. Bill works with executives, leaders, and team members to understand workflows, identify strategic goals and tactical requirements, and design solutions and implementation phases. Having helped over 200 organizations successfully adopt cloud solutions, his expertise and working style ensure a comfortable experience effective change management.

Preparing for Your Cyber Insurance Renewal

/in

5 Cybersecurity Standards

As you approach your annual cyber insurance renewal, you can take specific steps to ensure you have appropriate coverage and reasonable premiums.

The cyber insurance market has matured greatly over the past two years and continues to evolve rapidly. Insurers have become significantly more savvy regarding risks, protections, recovery costs, and potential liabilities. As a result, carriers are more precise in their underwriting practices.

Reviewing your cybersecurity risks and protections is a wise investment of time and resources. In a recent blog post, for example, we outlined 5 minimum cybersecurity standards that – if in place – can significantly reduce your premiums.

Here is a roadmap:

Review Your Original Application and Security Declarations

When you first applied for cyber insurance, you completed an application and, in most cases, a security survey/questionnaire. If you have not formally asked to complete a new questionnaire, take the initiative to review and update your answers.

As a part of the review, document any changes in your cybersecurity protections. Make note if you added new protections or updated procedures.

If you’ve removed or replaced any cybersecurity tools, specify which ones and the reasons for the change. It’s important to track modifications as your needs and environment evolve.

Reassess your Cybersecurity Protections

Policy renewal is a great time to step back and reassess your cybersecurity. Compare your protections to industry, regulatory, and compliance standards relevant to your business.

Our eBook, Cyber Security Requirements for Cyber Insurance, outlines basic, preferred, and best-practice protections to consider before getting or renewing your policy.

As part of your analysis, consider completing new assessments, such as Penetration Testing and Security Audits of your Microsoft 365 or Google Workspace tenant. These evaluations can offer valuable insights, helping to inform decisions and set priorities for future cybersecurity improvements.

Deploy Additional Protections

Based on your review and assessments, determine if you should modify your cybersecurity protections. As you consider changes, prioritize your choices and efforts. hYou can make low-effort changes, as well as changes that address higher-level, critical risks.

You do not need to address every risk and gap. Instead, focus on demonstrating improvements and prioritizing the most likely and impactful risks for your business.

Put Your Policy Out to Bid

Finally, put your policy out to bid. Avoid simply adding coverage or riders to your general liability business coverage.

Cyber insurance is a specialized coverage, and the industry has become more adept at evaluating risks and potential liabilities.  Partner with a broker who specializes in Cyber Insurance to market your coverage to multiple, specialty carriers. This will help you find the best balance between coverage and price.

Your Next Steps

If you are ready to move forward, here are four steps you can take today:

  1. Schedule time with one of our Cloud Advisors.
  2. Ask your Cloud Advisor about discounted and free Security Assessments.
  3. Evaluate options and deploy additional protections, if needed and appropriate.
  4. Shop your policy for the best plan and price with our partner, DataStream.

As always, our Cloud Advisors are ready to help. Contact us or schedule time for a quick online consultation.

About the Author

Allen Falcon is the co-founder and CEO of Cumulus Global.  Allen co-founded Cumulus Global in 2006 to offer small businesses enterprise-grade email security and compliance using emerging cloud solutions. He has led the company’s growth into a managed cloud service provider with over 1,000 customers throughout North America. Starting his first business at age 12, Allen is a serial entrepreneur. He has launched strategic IT consulting, software, and service companies. An advocate for small and midsize businesses, Allen served on the board of the former Smaller Business Association of New England, local economic development committees, and industry advisory boards.

5 Cybersecurity Standards for Small and Midsize Businesses

/in

5 Cybersecurity StandardsAs small and midsize business leaders, we understand the need to comply with regulatory and industry requirements. We also want and need our IT services to support our business priorities and fit within our budget. So how much cybersecurity is enough? Our cyber insurance partner, Datastream, analyzed policies and coverages for nearly 8 million businesses across dozens of industries globally. The most common cyber attacks exploit weak credentials, human behavior, and out-of-date software to gain access to your systems and data. From there, they can not only launch ransomware attacks, they can initiate business email compromise and other costly and damaging attacks. The result: Datastream identified a bare minimum set of 5 cybersecurity standards

The 5 Minimum Cybersecurity Standards

To address the most common and costly forms of cyber attacks, implement these 5 cybersecurity standards.

1 Multi-Factor Authentication (MFA)

MFA requires a secondary physical authentication when logging in. Whether by text, authenticator app, one-time passwords, or magic links, MFA can prevent attackers from using compromised credentials. According to studies by Microsoft, more than 90% of cyber attacks can be blocked if MFA is in place.

While the minimum standard is coverage for email access and remote network connections, we recommend using MFA for access to any and all critical systems, applications, and data.

2 Encryption

Do you encrypt all sensitive information at rest, including backups?

Most of our systems and applications encrypt data in transit (in motion). Encrypting data at rest, regardless of where it resides, prevents your data from being easily accessed and used in a cyber attack. Encryption should be in place on workstations and personal computers, not just on servers and in cloud-based services.

Just as important, backups should be encrypted. Unencrypted backups provide cyber attackers with easy access to data. Backups should also be stored off-site or in the cloud using immutable storage. This strategy prevents corruption of backup sets in the event of a ransomware attack. 

3 Data Recovery

In the last 6 months, has your company tested its ability to recover all business-critical data and systems within 10 days or less, from offline or cloud backups that are no more than a week old? 

Backing up data and systems is easy. Recovery is hard. Knowing that you can reliably restore your data and systems demonstrates your level of protection and how well you have reduced risks. Documenting this will impact your cyber insurance premiums.

While the 10-day recovery window is a minimum expectation, it may not be sufficient for your business. We recommend analyzing your business needs and setting goals to return to operations in a way that minimizes the impact of any disruption.

4 Automated Hardening Policies

Do you implement automated hardening policies?

Hardening systems is the process of limiting the attack surface of your systems, applications, and data. Hardening tactics include:

  • Removing unused applications and accounts
  • Disabling unnecessary services, ports, protocols, and features
  • Limiting administrative permissions and access
  • Logging appropriate activities, errors, and warnings

The process of configuring and managing hardened systems is easiest to manage with a remote monitoring and management (RMM) system in place.

5 Patches and Updates

Do you apply critical patches and updates to key IT systems and applications within two months?

Updates and patches to operating systems are familiar and comfortable. We regularly receive and apply updates to our smartphones, laptops, and desktops, most often as part of a default, automated process. We may not, however, be as diligent with our business systems and applications.

Updates and patches to databases, applications, and other software often require validation and may require changes to settings and integrations. Regularly reviewing updates and patches, and having a process in place to verify and apply updates, ensures that your systems have current security fixes and features.

Your Next Steps

Having these five cybersecurity standards in place represents a no-nonsense minimum that protects your business and can improve your cybersecurity coverage and premiums.

Our eBook, Cyber Security Requirements for Cyber Insurance, dives deeper to define basic, preferred, and best practices. You can, and should, scale your cybersecurity to meet your business’s specific risks, priorities, and budget.

We offer multiple assessments to help you understand and benchmark your current cybersecurity.

  • Rapid Security Assessment
  • Cyber Insurance Risk Assessment 

These assessments are free with a Referral Code. Contact us or schedule time with one of our Cloud Advisors to learn more and obtain your code.

Help us keep the ideas flowing. If you have any blog posts that are leadership thoughts you want to share, please let us know.

About the Author

Allen Falcon is the co-founder and CEO of Cumulus Global.  Allen co-founded Cumulus Global in 2006 to offer small businesses enterprise-grade email security and compliance using emerging cloud solutions. He has led the company’s growth into a managed cloud service provider with over 1,000 customers throughout North America. Starting his first business at age 12, Allen is a serial entrepreneur. He has launched strategic IT consulting, software, and service companies. An advocate for small and midsize businesses, Allen served on the board of the former Smaller Business Association of New England, local economic development committees, and industry advisory boards.

7 IT Blind Spots Small Businesses Miss the Most

/in

IT Blind Spots

Your small business depends on your IT services to run effectively and efficiently. Even so, like many small business leaders, you likely have one or more “IT Blind Spots”. The blind spots are not “all or nothing.” They evolve from decisions about what IT services are needed, wanted, and worthy of spending on at a particular point in time. Over time, internal and external factors change. If we do not take a fresh look, our IT services will not keep up. 

While not intentional, these blind spots create unnecessary risks and expenses. Here are the seven (7) blind spots we see the most.

1Security and Privacy

As small business owners and leaders, we understand the need for security – especially in today’s environment. We wonder, however, how much security is enough and what we should prioritize. We see small businesses with antivirus protection on their computers, strong passwords, and basic backup/recovery. While these services were the benchmark for basic security, they are now insufficient.

Check your IT blind spots for other core security services, including multi- or two-factor authentication (MFA/2FA), advanced threat protection (ATP) for email, advanced endpoint protection and response, encryption, and immutable backup/recovery services.

If you do not have these in place, your security is likely insufficient to protect your business.

2Duplicate Services

It has never been easier to sign up for new services. With a few clicks, payment information, and a quick setup, your new, cloud-based application or service is up and running. The convenience is great when you need something specific or a new solution. The low barrier to entry, however, makes it easier to sign up for apps and services that duplicate others you already have in place.

Check your IT blind spots for these duplicate services. We most often see companies paying for Zoom or GoTo, even though they have Microsoft Teams or Google Meet for online meetings and presentations. Some spend on Slack and other tools instead of using Teams or Google Chat services that are already in place. Rather than managing permissions to share files from Microsoft 365 or Google Workspace, small businesses often spend more on Dropbox and other services. While these are the most common duplicate services, we often see others across a wide range of apps and functions.

3Shadow IT

We used to define Shadow IT as any IT service in use without proper vetting or authorization. Today, we expand the definition to include consumer-grade hardware, software, and services. Team members using unauthorized IT services typically create security risks, increase costs, reduce control of company information, violate information privacy rules, and put data at risk. While less costly up-front, consumer-grade equipment, software, and services typically lack the security and integration needed for business use.

Check your IT blind spots and survey your environment for Shadow IT. Team members often go rogue for personal preference, convenience, or because they do not understand how to use features and functions already in place.

4Latent Apps and Services

When was the last time you looked to see if you were paying for IT services that you no longer use or need? With the low barrier to entry for cloud services, we often see companies that have signed up for an app or service, only to later decide that it is not the right solution or to see usage decline over time. Without a set process for on/off-boarding IT services, these often remain idle, incurring monthly or annual fees.

Check your IT blind spots for applications and services. Review company and staff personal credit cards for recurring payments. Scan Microsoft 365 and Google Workspace accounts for apps and services with federated logins.

5Business Continuity

While almost all small businesses like yours have backup/recovery in place for most of their systems and data, most still lack a business continuity solution. Even without a big disaster, the loss of a single, key system can be crippling.

Check your IT blind spots for business resilience. Can you run your business without your IT systems and services? For how long? Which systems and services can you live without for a short period of time and which are critical to your business? The answer to these questions dictates the types and extent of business continuity services you need. Focus on what you need to reasonably run your business while you make repairs and complete larger recovery efforts.

6Cyber Insurance

Most small businesses know that they should have cyber insurance in place, and many do. Too often, however, we see small businesses signing on to policies with inadequate or inappropriate coverage. We also see many businesses overpaying for cyber insurance to cover risks that could easily be reduced with incremental security services.

Check your IT blind spots for appropriate cyber insurance coverage and rates. If your policy was not purchased through a specialized agent or broker, an independent review may be worthwhile. If you do not yet have a policy, check out our resources and ask about our cyber insurance readiness assessment.

7Utilization

Multiple services tell us that most small businesses use about 15% of the capabilities in their Microsoft 365 or Google Workspace services. Your investment in Microsoft 365 or Google Workspace includes a rich set of features and functions – major and minor – that help your team collaborate and work more efficiently, individually and as a team.

Check your IT blind spots to understand how well your team is using the tools available to them. A little bit of education, training, and guidance can boost productivity within Microsoft 365 and Google Workspace by up to 60%.

Call to Action:

If you suspect, or just wonder, what is in your IT blind spot, we can help. We can help you check your blind spots and assess what, if any, changes are necessary or recommended. Once decided, we can help you plan and execute those changes. Contact us or schedule time with one of our Cloud Advisors

About the Author

Allen Falcon is the co-founder and CEO of Cumulus Global.  Allen co-founded Cumulus Global in 2006 to offer small businesses enterprise-grade email security and compliance using emerging cloud solutions. He has led the company’s growth into a managed cloud service provider with over 1,000 customers throughout North America. Starting his first business at age 12, Allen is a serial entrepreneur. He has launched strategic IT consulting, software, and service companies. An advocate for small and midsize businesses, Allen served on the board of the former Smaller Business Association of New England, local economic development committees, and industry advisory boards.

Best Practice – Completing Security Surveys and Questionnaires

/in

Data Protection & Security

In our recent Security Update Series blog post, New Security Demands & Requirements for Small and Midsize Businesses, we discussed three drivers for increased business security. We noted that expectations will often be expressed in security surveys and questionnaires you are asked to complete. Providing incorrect, incomplete, or misleading answers, whether intentional or not, can impact premiums and your available coverage.

To minimize the risks and potential pitfalls, here are five best practices to follow:

1 Know the Process

Before starting your response, have the broker or agent walk you through the process in detail. What role do the security surveys or questionnaires play in the underwriting process? While some carriers only use a single survey, others will ask for follow-up information and/or request evidence supporting your answers.

Understanding the process will guide how you answer questions and the nature and amount of information you provide.

2 Follow the Rule of Absolutes

Following the “Rule of Absolutes,” answering “yes” or “no” to a question means “yes” or “no” everywhere and in every instance. 

For example, if you answer “yes” to the question, “Do you require multi-factor authentication for user login?”, you are stating that MFA is in place for every possible user login for every system or service. Answering “yes” if this is not the case will be considered a misleading or deceptive response.

The better approach is to answer with commentary that accurately responds to the intended questions without absolutes. Using the above example, provide a list of systems for which MFA is required, optional but recommended, and/or not available. In addition to being a more accurate response, the information will better inform the underwriting risk assessment.

3 Understand the Questions

Not all questions may be clear. Some questions will focus on technology. Others will focus on policies, processes, and procedures. Still others will focus on outcomes.

For example, these three questions:

  1. What security incident and event management (SIEM) system is in place?
  2. Do you have security incident and event management?
  3. Do you monitor, save, and analyze security event logs to identify alerts and conditions that require responsive action?

Question 1 appears to be asking about specific software or tools. The second Question asks about capability; the software tools and operational resources may be implied or assumed with a “yes” answer. Question 3 probes procedures, possibly independent of the supporting technology and/or existence or use of a security operations center (SOC).

If you are not sure how to best answer the questions, consult with the broker or agent for guidance.

4 Pause and Implement

In reviewing the security surveys or questionnaires, you may notice an emphasis on certain aspects of your security systems, solutions, policies, and processes. 

If your answers appear to indicate weakness in these areas, consult with the broker or agent for guidance. You may benefit from pausing the effort until you can update or implement expected services and solutions.

In some cases, indicating that an improvement is in process may be sufficient to move forward.

5 Get Legal Advice

You own and are legally bound by the survey and questionnaire responses you provided. This holds true even if IT providers, vendors, and others have drafted portions of your response.

Before submitting your responses, review the surveys or questionnaires and your responses with qualified legal counsel familiar with cyber security. Understand if answers provided by third parties may create issues or liabilities. Understand any and all commitments expressed and implied in your responses.

What to Do:

The best course of action is to assess and, if appropriate, adjust your security services before you face a survey, questionnaire, or audit. Our Rapid Security Assessment provides a quick review of core security services. Our Cloud Advisors are ready to assist with any questions or concerns.

Contact us or schedule time with one of our Cloud Advisors

About the Author

Bill Seybolt bio pictureBill is a Senior Cloud Advisor responsible for helping small and midsize organizations with cloud forward solutions that meet their business needs, priorities, and budgets. Bill works with executives, leaders, and team members to understand workflows, identify strategic goals and tactical requirements, and design solutions and implementation phases. Having helped over 200 organizations successfully adopt cloud solutions, his expertise and working style ensure a comfortable experience effective change management. 

 

XChange of Ideas – Security

/in ,

XChange EventsLooking at what we learned during three packed days at the XChange 2022 Conference, we have much to share.  The XChange conferences help IT service providers, like Cumulus Global, explore emerging trends, challenges, products, and solutions.  While we attend to improve our service offerings and business, many of the insights will benefit your business as well. This XChange of Ideas shares three emerging security trends.

1 Security is Not a Technology

Most small and midsize businesses see themselves as having security because they have some security technologies and systems in place.  Security, however, is not a technology; security is an ecosystem that spans people, processes, and systems, as well as a lifecycle of prevention, response, and recovery. As important, we need to understand that managing our security

Most businesses still lack the basic set of security protections that span the security lifecycle. A solid security foundation should include advanced threat protection, next-gen endpoint protection, DNS security, web protection, multi-factor authentication, and encryption. A solid backup/recovery is also necessary; having a business continuity solution is preferred.

With the dynamic nature of threats and cyber attacks,  many businesses are at higher risk and should be deploying advanced security services. Advanced security services may include managed security incident detection and response (MDR) services, internal application whitelisting, segmentation, and other protections that can detect, halt, and stop the spread of an attack.

2 Cyber Insurance is Not Assurance

Cyber Insurance is more than a good idea, it is a necessity for almost every business.  But cyber insurance is not assurance that you can quickly recover from a cyber attack.

  • Cyber insurance underwriters have you complete a questionnaire or audit about your cyber protections, policies, and procedures. When you submit a claim, most cyber insurers will ask you to demonstrate that the protections were in place, how they were functioning, and that you follow the policies and procedures noted in your application.  If you cannot show that you do what you promise, expect your claim to be denied.
  • Your cyber insurance underwriters may prevent you from starting your systems and data recovery. Recovery typically destroys evidence of the attack, it’s cause, and it’s method of propagation. You may be unable to restore your systems and data for days — or even weeks — while your insurer completes a forensics investigation.

Having the right protections in place, and being able to demonstrate compliance, is a clear expectation to resolve cyber insurance claims.  Having a continuity solution in place that allows you to return to operation in parallel with a forensics investigation should be considered.

3 HIPAA is Not Just For Doctors

HIPAA is the regulatory cornerstone for protecting personal health information (PHI). These regulations control how we store, transmit, and share — procedurally and technically — PHI. Compliance, however, is not just required of healthcare providers, insurers, and others direct access to patient records. Businesses serving healthcare providers — those that sign a Business Associates Agreement — face compliance requirements as well.

HIPAA enforcement is expanding beyond Covered Entities to Business Associates, as is notable on the US Department of Health and Human Services Office of Civil Rights HIPAA “Wall of Shame

If you are not sure that your security services are up to par, contact us about our security assessments, or schedule an intro call with one of our Cloud Advisors.

Cyber Protection Solutions for SMBs

/in

Data protection iconAs our businesses become even more reliant on technology and cloud services, the frequency and sophistication of cyber attacks continue to accelerate. Your Cyber Protection 

Cyber Protection Needs

We need our businesses — and our people — to be aware, protected, and able to recover.

At Cumulus Global, our CPR model maps the necessary components of cyber security into three areas.

  • Communicate & Educate
    • Ensure you team understands the risk, educate them so they can avoid falling prey, create a culture of security and data privacy.
  • Protect & Prevent
    • Leverage advanced and “next gen” technologies to prevent attacks and to protect your networks, systems, data, and people from attacks.
  • Recover & Respond
    • No system is perfect; make sure you can recover your data and systems, return to normal operations, and respond to the technical, legal, and communication challenges.

Successful Cyber Protection relies on your policies and procedures, technologies, and people working in sync. Across more than a dozen focus areas, you need to balance the level or protection you need with the costs and with the risks of not doing enough. You need to balance external requirements, such as government and industry regulations, with internal priorities.

Your Cyber Protection Solution

To design and implement an affordable, integrated, and effective cyber protection solution for your business, start with a Cyber Protection Assessment (CPA).  A CPA will assess your needs, within the context of your business, and preferred solutions across 15 areas of focus:

  • Written Information Security Plan
  • Patches and Updates
  • Email Encryption
  • Data Destruction
  • Background Checks
  • Written Information Response Plan
  • Antivirus and Intrusion Detection
  • Email and Web Security
  • Account and Identity Management
  • Employee Training
  • Firewalls
  • Backup / Continuity / Disaster Recovery
  • File Encryption
  • Network Access Security
  • Responsible Parties

Using the results of the Cyber Protection Assessment, you can plan and implement your levels of protection in each area to create the balance that is best for your business.

Next Steps and Resources

Your best next step is to contact us and discuss your cyber protection status and needs with one of our Cloud Advisors. Consider using our Cyber Protection Assessment to understand your needs, current protections, gaps, and priorities.

Related Resources:

Cyber Protection: Time for New Best Practices to Safeguard Your Business in the Digital Age

/in

Cyber ProtectionAccording to a recent survey* of IT service providers, ransomware attack downtime costs 23 times more than requested ransom. The average ransom for small and midsize businesses (SMBs) victims jumped 37% to $5,900 from 2018 to 2019.  And lastly, the average cost of ransomware downtime jumped from $46,800 to $141,000, an increase of more than 200%. This underscored the importance of having cyber protection protocols in place in an increasingly digital age.

To add to your cyber security concerns, SMBs fall victim to cyber crime and ransomware attacks even when they have traditional antivirus, email/spam, ad/pop-up blockers, and endpoint protection in place.  67% of IT service providers report their SMB customers fall victim to phishing emails; 30% report that most customers still rely on weak passwords and access management.

The Need for a New Approach to Cyber Protection

Traditional cyber security solutions are no match for many cyber attackers. We need a new modernized approach to ransomware, with business continuity at the core.

Using business continuity as a guiding principle drives new best practices for preventing and responding to cyber security attacks. With a business continuity mindset, you focus on what is needed to keep the business running, and how quickly you can “return to operations”.  When we discuss business continuity, we understand that we need to take steps to prevent disruption, mitigate the scope of potential disruptions, respond effectively when disruptions happen, and have the systems and processes in place to recover quickly.

For over a year, we have promoted and refined our CPR model to help ensure appropriate data protection and security.

Implementing The Following CPR Model Can Help Combat Cyber Threats

Communicate and Educate: Involve everybody in the solution by educating your team on the risks, how to spot and report fraudulent content, and how their behavior can prevent or help an attack.

Protect and Prevent: Implement multi-layer, multi-vector protections that focuses on your people (identities), data, applications, and systems. Our data, our businesses, no longer sit comfortably hidden in a computer room behind a firewall.

Respond and Recover: No defense is perfect. Have services in solutions in place that let you recover and return to operations within a time frame that protects the health of your business. More than getting data and systems back on line, put in place the forensics, legal, public relations, and customer service resources you will likely need in a cyber attack emergency.

Here are 10 Actions you can initiate today to improve your cyber protection:

  1. Ensure your computing environment is protected across multiple attack vectors: Identity, Endpoints, User Data, Cloud Apps, and Infrastructure.
  2. Deploy multi-factor authentication, advanced threat protection, next-gen endpoint protection, and DNS/web protection across your ecosystem for a comprehensive baseline or protection.
  3. Encrypt your data at rest and in transit.
  4. Educate your team on the risk and how their actions can impact the business.
  5. Actively manage your cloud and “as-a-Service” subscriptions, standardize on-boarding and off-boarding of staff and contractors based on role, application needs, and appropriate access to data.
  6. Understand how your team uses your business and unauthorized (“shadow IT”) applications and services.  Reign in shadow IT by ensuring your business systems provide staff with the necessary capabilities.
  7. Test your staff’s behavior related to cyber attacks and follow up with additional coaching and guidance. Discipline and, if needed, terminate those who are unwilling or unable to adapt to the current realities of behavior and risk.
  8. Upgrade from data backup/recovery to a business continuity solution that will get you up and running in minutes or hours, instead of days, should an attack get past your defenses.
  9. Arrange in advance for the legal, forensic, PR, communications, and customer service resources you need to respond to an attack with a potential or actual data breach.  Prepaid breach response services give you nearly instant access, reducing your risks and liability while bundling in baseline cyber insurance coverage.
  10. Get cyber insurance, either a baseline policy bundled with Breach Response services and/or a fully underwritten policy from your business insurance provider.

Please contact us for more information about your cyber protection, available assessments, and solutions. We are happy to schedule a free, no obligation Cloud Advisor Session.

* Global State of the Channel Ransomware Report. Datto, Inc. Oct. 2019.

 

Cyber Insurance vs. Breach Response: Why Not Both?

/in

Cyber AttackIf you’re debating between cyber insurance and breach response, you should consider getting both to be fully protected. For example, cyber liability insurance covers monetary losses as well as legal protection in the event of a breach. A data breach response plan, on the other hand, will provide you with immediate resources to combat the cyber attack and protect your financial interests.

There is a large discussion, and no small amount of pressure, for businesses to obtain cyber insurance policies.  Articles appear in a range business and technology publications, from the Memphis Business Journal to the Wall Street Journal, and from Inc. Magazine  to Forbes. But getting the right cyber insurance policy is not easy, and can be costly. And while cyber insurance helps cover damages, many policies do not provide immediate assistance with managing your response to an attack or data breach.

Cyber Insurance

For SMBs, three key cyber insurance considerations are the barriers to entry, coverage exclusions, and coverage delays.

  • Barriers to Entry
    • Most cyber insurance policies go through underwriting to determine coverage limits and premiums. This means the insurer will want to review and audit your security related policies, procedures, and technologies. Insurance carriers may also demand that you invest in new or additional measures in order to qualify for a policy or to ensure the premiums will be affordable.  For many small and midsize businesses (SMBs), this process requires specialized skills, time, and money. Many SMBs will need to spend over $5,000, with some spending up to $20,000, in order to pass the underwriting process.
  • Coverage Exclusions
    • Cyber insurance claims are routinely reduced or declined due to non-compliance with policy requirements.  Even after the underwriting process, most cyber insurance policies include dozens of security requirements that must be in place and properly maintained.  Any gap or misstep can be costly.
  • Coverage Delays
    • If your business is the victim of a cyber attack, your response has legal requirements and requires specific technical expertise. Claims processing can delay your ability to secure the resources you need for hours or days.

Clearly, cyber insurance one piece of the solution, along with appropriate security measures.

Breach Response

Having a Breach Response plan and resources in place will save you time and money.

In any cyber attack, start by assuming the attackers have stolen information.  If an attack can encrypt your files, it can steal under-protected files and data from your systems.  With a data breach, federal and state laws dictate a range of reporting and communication requirements that, if missed, can trigger fines and legal action. With a data breach, you need a range of expert resources and you need them quickly.

  • Legal Expertise fluent in cyber security laws and regulations helps ensure you comply with reporting and communication requirements to minimize your legal and financial exposure.
  • Forensics Expertise can identify the cause, timing, and scope of the attack and any breach, and can help validate that the issues allowing the breach have been resolved.
  • Public Relations Services will help you communicate with employees, vendors, customers, and as is often the case — the press. Providing accurate and appropriate information can protect your business relationships and your public reputation.
  • Contact Center Services provide a place for customers, vendors, and associates to call for timely and accurate information.  You are further protecting your business relationships and reputation.
  • Credit Monitoring for individuals whose personal or business information may have been compromised can reduce litigation risk and may be required by law.

Final Thoughts on Cyber Insurance vs. Breach Response

While cyber insurance policies generally cover these services, most do so as part of the claims approval process. As such, you may be out of pocket for thousands of dollars and fighting for reimbursement once your claim is processed.

By subscribing to a Breach Response service, the resources and expertise you need are available instantly,  7×24, without any additional cost over the monthly or annual fee.  These services often include basic cyber insurance policies that do not require any underwriting.  For many SMBs, the annual cost of this type of Breach Response service, with basic cyber insurance coverage, is significantly less than the cost of the underwriting process for a traditional cyber insurance policy.  Additionally, you can use this policy for coverage until they completing a policy with underwriting, or to cover initial loss coverage under a higher deductible (lower premium) traditional cyber insurance policy.

For more information about Breach Response Services and affordable Cyber Insurance, please contact us for a no obligation Cloud Advisor call.

 

Webcasts

Get IT Ready for Recession

/in

(7/19/2022) – Cutting IT costs can help your bottom line in the near-term, but may do more harm than good. Smart IT planning helps your business survive and thrive through a recession and beyond.

Read more

A Cyber Insurance Primer

/in

(6/21/2022) – With the increase in cyber attacks, cyber insurance is a necessity. All too often, however, businesses learn that the process is significantly more complicated. Cyber Insurance is a tool, not a solution.

Read more

Next Normal: IT Efficiency

/in

(02/23/2021) – COVID-19 and the events of the past 10 months have, and continue, to change the way we run our businesses. Are the IT choices made during the crisis the best for your business in the long term?

Read more

library

A Cyber Insurance Primer (Slide Deck)

/in

Slide Deck | Source: Cumulus Global —
Cyber Insurance is a tool, not a solution. This deck is from our June 2022 3T@3 Webcast: A Cyber Insurance Primer and discusses the what and why of cyber insurance and how it fits into your cyber security and incident response plans.

Read more

15 Best Practices for Cyber Protection

/in

eBook | Source: Cumulus Global 

Read more