Posts

Best Practice – Completing Security Surveys and Questionnaires

/in

Data Protection & Security

In our recent Security Update Series blog post, New Security Demands & Requirements for Small and Midsize Businesses, we discussed three drivers for increased business security. We noted that expectations will often be expressed in security surveys and questionnaires you are asked to complete. Providing incorrect, incomplete, or misleading answers, whether intentional or not, can impact premiums and your available coverage.

To minimize the risks and potential pitfalls, here are five best practices to follow:

1 Know the Process

Before starting your response, have the broker or agent walk you through the process in detail. What role do the security surveys or questionnaires play in the underwriting process? While some carriers only use a single survey, others will ask for follow-up information and/or request evidence supporting your answers.

Understanding the process will guide how you answer questions and the nature and amount of information you provide.

2 Follow the Rule of Absolutes

Following the “Rule of Absolutes,” answering “yes” or “no” to a question means “yes” or “no” everywhere and in every instance. 

For example, if you answer “yes” to the question, “Do you require multi-factor authentication for user login?”, you are stating that MFA is in place for every possible user login for every system or service. Answering “yes” if this is not the case will be considered a misleading or deceptive response.

The better approach is to answer with commentary that accurately responds to the intended questions without absolutes. Using the above example, provide a list of systems for which MFA is required, optional but recommended, and/or not available. In addition to being a more accurate response, the information will better inform the underwriting risk assessment.

3 Understand the Questions

Not all questions may be clear. Some questions will focus on technology. Others will focus on policies, processes, and procedures. Still others will focus on outcomes.

For example, these three questions:

  1. What security incident and event management (SIEM) system is in place?
  2. Do you have security incident and event management?
  3. Do you monitor, save, and analyze security event logs to identify alerts and conditions that require responsive action?

Question 1 appears to be asking about specific software or tools. The second Question asks about capability; the software tools and operational resources may be implied or assumed with a “yes” answer. Question 3 probes procedures, possibly independent of the supporting technology and/or existence or use of a security operations center (SOC).

If you are not sure how to best answer the questions, consult with the broker or agent for guidance.

4 Pause and Implement

In reviewing the security surveys or questionnaires, you may notice an emphasis on certain aspects of your security systems, solutions, policies, and processes. 

If your answers appear to indicate weakness in these areas, consult with the broker or agent for guidance. You may benefit from pausing the effort until you can update or implement expected services and solutions.

In some cases, indicating that an improvement is in process may be sufficient to move forward.

5 Get Legal Advice

You own and are legally bound by the survey and questionnaire responses you provided. This holds true even if IT providers, vendors, and others have drafted portions of your response.

Before submitting your responses, review the surveys or questionnaires and your responses with qualified legal counsel familiar with cyber security. Understand if answers provided by third parties may create issues or liabilities. Understand any and all commitments expressed and implied in your responses.

What to Do:

The best course of action is to assess and, if appropriate, adjust your security services before you face a survey, questionnaire, or audit. Our Rapid Security Assessment provides a quick review of core security services. Our Cloud Advisors are ready to assist with any questions or concerns.

Contact us or schedule time with one of our Cloud Advisors

About the Author

Bill Seybolt bio pictureBill is a Senior Cloud Advisor responsible for helping small and midsize organizations with cloud forward solutions that meet their business needs, priorities, and budgets. Bill works with executives, leaders, and team members to understand workflows, identify strategic goals and tactical requirements, and design solutions and implementation phases. Having helped over 200 organizations successfully adopt cloud solutions, his expertise and working style ensure a comfortable experience effective change management. 

 

XChange of Ideas – Security

/in ,

XChange EventsLooking at what we learned during three packed days at the XChange 2022 Conference, we have much to share.  The XChange conferences help IT service providers, like Cumulus Global, explore emerging trends, challenges, products, and solutions.  While we attend to improve our service offerings and business, many of the insights will benefit your business as well. This XChange of Ideas shares three emerging security trends.

1 Security is Not a Technology

Most small and midsize businesses see themselves as having security because they have some security technologies and systems in place.  Security, however, is not a technology; security is an ecosystem that spans people, processes, and systems, as well as a lifecycle of prevention, response, and recovery. As important, we need to understand that managing our security

Most businesses still lack the basic set of security protections that span the security lifecycle. A solid security foundation should include advanced threat protection, next-gen endpoint protection, DNS security, web protection, multi-factor authentication, and encryption. A solid backup/recovery is also necessary; having a business continuity solution is preferred.

With the dynamic nature of threats and cyber attacks,  many businesses are at higher risk and should be deploying advanced security services. Advanced security services may include managed security incident detection and response (MDR) services, internal application whitelisting, segmentation, and other protections that can detect, halt, and stop the spread of an attack.

2 Cyber Insurance is Not Assurance

Cyber Insurance is more than a good idea, it is a necessity for almost every business.  But cyber insurance is not assurance that you can quickly recover from a cyber attack.

  • Cyber insurance underwriters have you complete a questionnaire or audit about your cyber protections, policies, and procedures. When you submit a claim, most cyber insurers will ask you to demonstrate that the protections were in place, how they were functioning, and that you follow the policies and procedures noted in your application.  If you cannot show that you do what you promise, expect your claim to be denied.
  • Your cyber insurance underwriters may prevent you from starting your systems and data recovery. Recovery typically destroys evidence of the attack, it’s cause, and it’s method of propagation. You may be unable to restore your systems and data for days — or even weeks — while your insurer completes a forensics investigation.

Having the right protections in place, and being able to demonstrate compliance, is a clear expectation to resolve cyber insurance claims.  Having a continuity solution in place that allows you to return to operation in parallel with a forensics investigation should be considered.

3 HIPAA is Not Just For Doctors

HIPAA is the regulatory cornerstone for protecting personal health information (PHI). These regulations control how we store, transmit, and share — procedurally and technically — PHI. Compliance, however, is not just required of healthcare providers, insurers, and others direct access to patient records. Businesses serving healthcare providers — those that sign a Business Associates Agreement — face compliance requirements as well.

HIPAA enforcement is expanding beyond Covered Entities to Business Associates, as is notable on the US Department of Health and Human Services Office of Civil Rights HIPAA “Wall of Shame

If you are not sure that your security services are up to par, contact us about our security assessments, or schedule an intro call with one of our Cloud Advisors.

Cyber Protection Solutions for SMBs

/in

Data protection iconAs our businesses become even more reliant on technology and cloud services, the frequency and sophistication of cyber attacks continue to accelerate. Your Cyber Protection 

Cyber Protection Needs

We need our businesses — and our people — to be aware, protected, and able to recover.

At Cumulus Global, our CPR model maps the necessary components of cyber security into three areas.

  • Communicate & Educate
    • Ensure you team understands the risk, educate them so they can avoid falling prey, create a culture of security and data privacy.
  • Protect & Prevent
    • Leverage advanced and “next gen” technologies to prevent attacks and to protect your networks, systems, data, and people from attacks.
  • Recover & Respond
    • No system is perfect; make sure you can recover your data and systems, return to normal operations, and respond to the technical, legal, and communication challenges.

Successful Cyber Protection relies on your policies and procedures, technologies, and people working in sync. Across more than a dozen focus areas, you need to balance the level or protection you need with the costs and with the risks of not doing enough. You need to balance external requirements, such as government and industry regulations, with internal priorities.

Your Cyber Protection Solution

To design and implement an affordable, integrated, and effective cyber protection solution for your business, start with a Cyber Protection Assessment (CPA).  A CPA will assess your needs, within the context of your business, and preferred solutions across 15 areas of focus:

  • Written Information Security Plan
  • Patches and Updates
  • Email Encryption
  • Data Destruction
  • Background Checks
  • Written Information Response Plan
  • Antivirus and Intrusion Detection
  • Email and Web Security
  • Account and Identity Management
  • Employee Training
  • Firewalls
  • Backup / Continuity / Disaster Recovery
  • File Encryption
  • Network Access Security
  • Responsible Parties

Using the results of the Cyber Protection Assessment, you can plan and implement your levels of protection in each area to create the balance that is best for your business.

Next Steps and Resources

Your best next step is to contact us and discuss your cyber protection status and needs with one of our Cloud Advisors. Consider using our Cyber Protection Assessment to understand your needs, current protections, gaps, and priorities.

Related Resources:

Cyber Protection: Time for New Best Practices to Safeguard Your Business in the Digital Age

/in

Cyber ProtectionAccording to a recent survey* of IT service providers, ransomware attack downtime costs 23 times more than requested ransom. The average ransom for small and midsize businesses (SMBs) victims jumped 37% to $5,900 from 2018 to 2019.  And lastly, the average cost of ransomware downtime jumped from $46,800 to $141,000, an increase of more than 200%. This underscored the importance of having cyber protection protocols in place in an increasingly digital age.

To add to your cyber security concerns, SMBs fall victim to cyber crime and ransomware attacks even when they have traditional antivirus, email/spam, ad/pop-up blockers, and endpoint protection in place.  67% of IT service providers report their SMB customers fall victim to phishing emails; 30% report that most customers still rely on weak passwords and access management.

The Need for a New Approach to Cyber Protection

Traditional cyber security solutions are no match for many cyber attackers. We need a new modernized approach to ransomware, with business continuity at the core.

Using business continuity as a guiding principle drives new best practices for preventing and responding to cyber security attacks. With a business continuity mindset, you focus on what is needed to keep the business running, and how quickly you can “return to operations”.  When we discuss business continuity, we understand that we need to take steps to prevent disruption, mitigate the scope of potential disruptions, respond effectively when disruptions happen, and have the systems and processes in place to recover quickly.

For over a year, we have promoted and refined our CPR model to help ensure appropriate data protection and security.

Implementing The Following CPR Model Can Help Combat Cyber Threats

Communicate and Educate: Involve everybody in the solution by educating your team on the risks, how to spot and report fraudulent content, and how their behavior can prevent or help an attack.

Protect and Prevent: Implement multi-layer, multi-vector protections that focuses on your people (identities), data, applications, and systems. Our data, our businesses, no longer sit comfortably hidden in a computer room behind a firewall.

Respond and Recover: No defense is perfect. Have services in solutions in place that let you recover and return to operations within a time frame that protects the health of your business. More than getting data and systems back on line, put in place the forensics, legal, public relations, and customer service resources you will likely need in a cyber attack emergency.

Here are 10 Actions you can initiate today to improve your cyber protection:

  1. Ensure your computing environment is protected across multiple attack vectors: Identity, Endpoints, User Data, Cloud Apps, and Infrastructure.
  2. Deploy multi-factor authentication, advanced threat protection, next-gen endpoint protection, and DNS/web protection across your ecosystem for a comprehensive baseline or protection.
  3. Encrypt your data at rest and in transit.
  4. Educate your team on the risk and how their actions can impact the business.
  5. Actively manage your cloud and “as-a-Service” subscriptions, standardize on-boarding and off-boarding of staff and contractors based on role, application needs, and appropriate access to data.
  6. Understand how your team uses your business and unauthorized (“shadow IT”) applications and services.  Reign in shadow IT by ensuring your business systems provide staff with the necessary capabilities.
  7. Test your staff’s behavior related to cyber attacks and follow up with additional coaching and guidance. Discipline and, if needed, terminate those who are unwilling or unable to adapt to the current realities of behavior and risk.
  8. Upgrade from data backup/recovery to a business continuity solution that will get you up and running in minutes or hours, instead of days, should an attack get past your defenses.
  9. Arrange in advance for the legal, forensic, PR, communications, and customer service resources you need to respond to an attack with a potential or actual data breach.  Prepaid breach response services give you nearly instant access, reducing your risks and liability while bundling in baseline cyber insurance coverage.
  10. Get cyber insurance, either a baseline policy bundled with Breach Response services and/or a fully underwritten policy from your business insurance provider.

Please contact us for more information about your cyber protection, available assessments, and solutions. We are happy to schedule a free, no obligation Cloud Advisor Session.

* Global State of the Channel Ransomware Report. Datto, Inc. Oct. 2019.

 

Cyber Insurance vs. Breach Response: Why Not Both?

/in

Cyber AttackIf you’re debating between cyber insurance and breach response, you should consider getting both to be fully protected. For example, cyber liability insurance covers monetary losses as well as legal protection in the event of a breach. A data breach response plan, on the other hand, will provide you with immediate resources to combat the cyber attack and protect your financial interests.

There is a large discussion, and no small amount of pressure, for businesses to obtain cyber insurance policies.  Articles appear in a range business and technology publications, from the Memphis Business Journal to the Wall Street Journal, and from Inc. Magazine  to Forbes. But getting the right cyber insurance policy is not easy, and can be costly. And while cyber insurance helps cover damages, many policies do not provide immediate assistance with managing your response to an attack or data breach.

Cyber Insurance

For SMBs, three key cyber insurance considerations are the barriers to entry, coverage exclusions, and coverage delays.

  • Barriers to Entry
    • Most cyber insurance policies go through underwriting to determine coverage limits and premiums. This means the insurer will want to review and audit your security related policies, procedures, and technologies. Insurance carriers may also demand that you invest in new or additional measures in order to qualify for a policy or to ensure the premiums will be affordable.  For many small and midsize businesses (SMBs), this process requires specialized skills, time, and money. Many SMBs will need to spend over $5,000, with some spending up to $20,000, in order to pass the underwriting process.
  • Coverage Exclusions
    • Cyber insurance claims are routinely reduced or declined due to non-compliance with policy requirements.  Even after the underwriting process, most cyber insurance policies include dozens of security requirements that must be in place and properly maintained.  Any gap or misstep can be costly.
  • Coverage Delays
    • If your business is the victim of a cyber attack, your response has legal requirements and requires specific technical expertise. Claims processing can delay your ability to secure the resources you need for hours or days.

Clearly, cyber insurance one piece of the solution, along with appropriate security measures.

Breach Response

Having a Breach Response plan and resources in place will save you time and money.

In any cyber attack, start by assuming the attackers have stolen information.  If an attack can encrypt your files, it can steal under-protected files and data from your systems.  With a data breach, federal and state laws dictate a range of reporting and communication requirements that, if missed, can trigger fines and legal action. With a data breach, you need a range of expert resources and you need them quickly.

  • Legal Expertise fluent in cyber security laws and regulations helps ensure you comply with reporting and communication requirements to minimize your legal and financial exposure.
  • Forensics Expertise can identify the cause, timing, and scope of the attack and any breach, and can help validate that the issues allowing the breach have been resolved.
  • Public Relations Services will help you communicate with employees, vendors, customers, and as is often the case — the press. Providing accurate and appropriate information can protect your business relationships and your public reputation.
  • Contact Center Services provide a place for customers, vendors, and associates to call for timely and accurate information.  You are further protecting your business relationships and reputation.
  • Credit Monitoring for individuals whose personal or business information may have been compromised can reduce litigation risk and may be required by law.

Final Thoughts on Cyber Insurance vs. Breach Response

While cyber insurance policies generally cover these services, most do so as part of the claims approval process. As such, you may be out of pocket for thousands of dollars and fighting for reimbursement once your claim is processed.

By subscribing to a Breach Response service, the resources and expertise you need are available instantly,  7×24, without any additional cost over the monthly or annual fee.  These services often include basic cyber insurance policies that do not require any underwriting.  For many SMBs, the annual cost of this type of Breach Response service, with basic cyber insurance coverage, is significantly less than the cost of the underwriting process for a traditional cyber insurance policy.  Additionally, you can use this policy for coverage until they completing a policy with underwriting, or to cover initial loss coverage under a higher deductible (lower premium) traditional cyber insurance policy.

For more information about Breach Response Services and affordable Cyber Insurance, please contact us for a no obligation Cloud Advisor call.

 

Webcasts

Get IT Ready for Recession

/in

(7/19/2022) – Cutting IT costs can help your bottom line in the near-term, but may do more harm than good. Smart IT planning helps your business survive and thrive through a recession and beyond.

Read more

A Cyber Insurance Primer

/in

(6/21/2022) – With the increase in cyber attacks, cyber insurance is a necessity. All too often, however, businesses learn that the process is significantly more complicated. Cyber Insurance is a tool, not a solution.

Read more

Next Normal: IT Efficiency

/in

(02/23/2021) – COVID-19 and the events of the past 10 months have, and continue, to change the way we run our businesses. Are the IT choices made during the crisis the best for your business in the long term?

Read more

library

A Cyber Insurance Primer (Slide Deck)

/in

Slide Deck | Source: Cumulus Global —
Cyber Insurance is a tool, not a solution. This deck is from our June 2022 3T@3 Webcast: A Cyber Insurance Primer and discusses the what and why of cyber insurance and how it fits into your cyber security and incident response plans.

Read more

15 Best Practices for Cyber Protection

/in

eBook | Source: Cumulus Global 

Read more