A business security framework for the cyber insured

The introduction and subsequent uptake of insurance focusing on “cyber” have shown that the insurance industry is serious about protecting the assets of businesses all over the world.
The level of protection is dependent on the policy, your business requirements and also how much protection you need for your business.
Insurance without looking at increased protection however, will not work.  A breach would / could put you in the situation where you are not covered.
If you do not get your business security and protection correct then you will be in a situation where a cyber crime against your business will not be covered under your insurance policy
Here is a basic framework that aligns with most cyber insurance policies.
  1. Technology.  There are a number of areas where technology investment is paramount.   Here are a few
    • Router, modem, firewall – get the best you can afford.   Definitely get rid of the system supplied by the ISP or the shop bought one from a home retail shop.  As a level of protection they will not protect your organisation.   Minimal spend should be around $600 for a small business up to more than $20k for a large organisation
    • End point protection – 2 things about end point protection, they will catch malware and suspect applications because, like us the hackers are inherently lazy and use old known code.   The second is doing a regular scan, this will allow systems to catch up with malware that has been recently discovered.
    • Wifi – access to your wifi allows access to your systems, whether it is set up to have access or not.   Once again spend a little and invest in the best you can afford.
    • Encryption – if you are collecting staff, user, client and financial information then it need to be protected from ease dropping with encryption.   Encryption needs to focus on data at rest, where and when it is stored as well as in transit.
    • Patching and updates – operating systems – do it, applications – do it, websites – do it, tablets and phones – do it.   Absolutely critical to protecting anything digital in today’s world.
    • Up to date operating systems and applications – if you are using old versions of MAcOS, windows XP, android – replace them ASAP
  2. Management.

    • Policies procedures and processes – policies are very important as they tell your staff where you stand on passwords, internet usage, email usage, education and training.   Make sure everyone reads and understands them.   Procedures allow you to specify how things are done so that anyone can walk in and do a task without supervision.   Processes will also allow systems inside the organisation to be implemented as a standard
    • Audit and reporting – it is no use collecting information from the system if no one is going to look at it.   You need to implement a standard process that audits the information and reports it to management.
    • Logging and alerts – all systems have some level of logging.  In a small organisation daily checks of individual logs can be done, in larger organisations there is a need for a central location and a system that alerts staff to issues coming from firewalls, intrusion detection or AV.
    • Password management – in today’s world passwords are your passport to the digital world so they have to have 3 components – must be more than 10 characters, must be unique for each location and must be complex, having letters, numbers, capitals and symbols.
    • Education and training – there is a 300% ROI on education in an organisation.   Your staff are the first and last line of defence, when the technology fails an educated user will be the last line of defense
  3. Sustainability
    • Disaster recovery – when it alls goes to custard (and it will) you better have a way back.   This is what disaster recovery is all about.   It doesn’t matter if it is physical (flood, fire), digital (cyryptovirus, failed hard drive) everything that is stored digitally is vulnerable.
    • Risk management – you need to way up the risks of a issue impacting your organisation.   The higher the risk the more you need to mitigate it.   If you use the NIST framework to manage your risk and exposure it will benefit the process of risk management
    • Backups – everything that is important need to have a backup made of it.   If it is business critical then the risk of something happening needs to be weighed up against mitigation and cost.   Virtual imaging backup software is a huge solution to this priblem
    • Business continuity – what happens if the district where you office is locked down and noone can access the office.  What contigencies have yo got in place.
  4. Compliance – if you are collecting PII (personal identification information) then you will have a compliance requirement.   If you are collecting financial information then PCI DSS compliance requirements come into the situation as well
 So insurance is all very well but unless your organisation invests in the additional components of your cyber protection you may find that the cryptovirus that has encrypted all of your data is not covered.
If you want to know more get my book or ebook
Roger Smith is the CEO of R & I ICT Consulting Services,(http://rniconsulting.com.au), Lecturer at ADFA (UNSW – Australian Centre of Cybersecurity), Amazon #1 selling author on Cybercrime (http://www.amazon.com.au/CyberCrime-Clear-Present-Danger-Security-ebook/dp/B00LEJTN5Y), author of the Digital Security Toolbox (http://www.rogersmith.com.au/roger/toolbox/) and the SME digital security framework (http://smesecurityframework.com.au/csb/).   He is a Speaker (http://www.rogersmith.com.au/roger/roger-smith/), Author, Teacher and educator (http://securitypolicytraining.com.au/cybersecurity-awareness-introduction/) on cybercrime and how to protect yourself from the digital world.

Cybersecurity and business security training when it is working, you WILL know!

Joining the Cybersecurity IN Crowd

When it comes to proving that your Cybersecurity and business security training is working there is usually not much to show!   In most cases there is a general rumbling within an organisation, like every other training: wasting time, effort and sometimes money.   

BUT, there is a little known fact that when cybersecurity training is embraced there is an overwhelming camaraderie created.

Complete the course and you are one of the crowd.  

A part of the IN crowd.  

Look at that you, know a little more about computers, security and that is important for moral within any organisation.

Like any other training and education program we need to know how to use the tools that we are given in the organisation.   Cybersecurity and business security focuses on protecting the information that those tools generate.

How do you know that your training is being embraced

If they are discussing the training – you win

Getting people involved in any training is hard – most people just want to do their jobs.  More importantly, in todays world they either think they know it all or management doesn’t think it is important.  

If you have delivered any type of business security or cybersecurity training or presentations and they are talking about it in the break room then that is a vast improvement.     

This increase in awareness allows the organisation to concentrate on other areas of core business namely products and services.   In addition this level of discussion also makes for increased awareness, better protection for the organisations infrastructure.   

A win for the staff as well as a win for management.

There is a distinct lack of visible passwords

If your training is working you will find that everyone is more aware of the organisations password strategies.   This awareness should be visible with a distinct lack of post it notes all over peoples work stations, monitors and under keyboards.   

When everyone has been taught how to create complex passwords that are unique to every website or location, that are easy to remember and are longer then 10 characters, security within the organisation just has to improve.

Errors and mistakes with digital information start to disappear.

Once a training package has been completed there is a distinct decrease in the number of silly mistakes made by the people who have received the training.

Why don’t People make as many silly mistakes.   They do not open email attachments, follow links, email critical information outside the organisation, make silly regretful comments on social media and are less susceptible to social engineering attacks.   They think about the consequences and the have a higher awareness threshold

They have been taught to follow the “trust no one” philosophy, are paranoid of the digital world, show an increased awareness in what and how the bad guys are targeting them, your organisation and their access to money.  

Bragging about recognizing a specifically sneaky phishing / spear phishing email

The biggest off shoot is when staff members start to brag about cyber attack failures that they have been involved in.  A targeted email that was aimed at the accounts department.   A phone call they thought was fishy.

When that happens everyone feels good.

There is an increase in business interaction

With an increased awareness of what is a true business proposal and what is krap, business can start to make an impact in their areas of core business.

If you combine a true cybersecurity, business security training package with an above average NIST score you can start to influence your market niche, control who you do business with and improve their business capabilities.

As we all know training and education of staff, management, C-Level execs and board members is very important.   The significant changes in internal attitudes to cybercrime and fraud increase significantly if a decent training.

If you are interested in a decent inexpensive training package for small and medium enterprise then contact us on one of the following links.


Roger Smith is the CEO of R & I ICT Consulting Services, Lecturer at ADFA (UNSW – Australian Centre of Cybersecurity), Amazon #1 selling author on Cybercrime, author of the Digital Security Toolbox and the SME Digital Security Framework.   Rapid Restart Appliance Creator.   He is a Speaker, Author, Teacher and Educator on cybercrime and how to protect yourself from the digital world.