Featured Is Cyber Breach Insurance part of your Cybersecurity roadmap SecureFLO.net

Published on June 22nd, 2022

Is Cyber Breach Insurance part of your Cybersecurity roadmap?



Insurance companies today want to know that you are taking cybersecurity and privacy of data seriously. They want to know that you have conducted an internal risk assessment of your business. An assessment would provide the insurer comfort that you do take these risks seriously and manage them by monitoring, remediating, and staying ahead of critical data security concerns.

We know there is tremendous fraud now that many companies have a larger remote work environment and data is often shared in cloud environments. Fraud can come from inside or outside your organization. As you develop the trust of your customers by assuring them that you protect critical data using industry standards and best practices, you will also need to monitor any threats to your data on an ongoing basis. We can help you build a roadmap for data security that is both thorough and flexible and can grow as your organization expands.

There are four categories of controls to consider. The controls you implement will differ based on your data flows and how your internal and external users access data. The four categories of controls are:

1. Managerial Controls are the policies and procedures we often discuss with clients. They aren’t as “cool” as a new software control, but they exist to give structure and guidance to you and other members of your organization, ensuring nobody gets fined or causes a breach.

2. Physical Controls limit access to systems in a physical way: fences, CCTV, dogs, and even fire sprinklers.

3. Technical Controls are those that limit access on a hardware or software basis. These don’t limit access to the physical systems the way physical controls do, but rather access to the data or contents.

4. Operational Controls involve people conducting processes on a day-to-day level. Examples could include awareness training, asset classification, and reviewing log files.

Depending on the threat and your vertical, below are additional controls you can use to mitigate your data risk:

1. Preventative Controls exist to stop an action from happening and include firewalls, fences, and access permissions.

2. Detective Controls are only triggered during or after an event, such as video surveillance or intrusion detection systems.

3. Deterrents discourage threats from attempting to exploit a vulnerability, such as a “Guard Dog” sign, or dogs.

4. Corrective Controls are able to take an action from one state to another. This is where fail open and fail closed controls are addressed.

5. Recovery Controls get something back from a loss, such as the recovery of a hard drive.

6. Compensating Controls are those that attempt to make up for the shortcomings of other controls, such as reviewing access logs regularly. This example is also a detective control, but compensating controls can be of various types.
