“Highly recommend John Phillips. We’ve recently had to claim on our insurance due to the loss of our websites and the whole process has been SO efficient. Every company should have cyber insurance”
Almost every business will handle data in some way. This can be customer data, payments or even the personal data of your staff. Whatever data you store or process, there is a legal requirement and a business expectation that you will keep it secure to the highest standard.
To help you use the data you hold effectively and understand the exposures you face, there are companies that specialise in mapping your data. This will both help you work more efficiently and keep you in line with the latest updates in data protection legislation.
A private healthcare clinic was the victim of a cyber attack where patient information had been stolen. Hackers were threatening to post the data on a public website unless they received a ransom payment of $13,220 in Bitcoin.
After an investigation of the insured’s network, the forensic specialist was able to advise that data relating to 3,000 patients had been compromised, but it was a database containing names and addresses only – no sensitive medical data had been accessed.
Part of this process is getting to grips with your role as the data controller and fully engaging with your data processors. This helps you understand where you fit within a supply chain and consider what you expect from your suppliers. It is increasingly usual to expect a reasonable level of protection from suppliers, so make this part of your due diligence process.
They can also help with day-to-day privacy issues, which are becoming more prevalent under GDPR.
These include Subject Access Requests and any reported privacy concerns, which must be investigated. If you do not have processes in place, dealing with these issues will take valuable time and resources from your business.
There have been additional challenges in this field for businesses attempting to do this during the COVID-19 pandemic, whilst many people are working from home, and this is likely to increase and diversify even after the pandemic. Data consultancy businesses are among those who have worked hard to adapt to the new working world and so have a unique perspective on how to help you get ahead of the curve.
It might seem a daunting prospect to invite another firm into your business to assess your cyber security measures, but it means the assessment is entirely objective.
Generally a security company will approach an audit in two ways: first they will assess your system security, and second how secure your people are. The intention is not necessarily to pick faults but to allow you to be more proactive in your approach and take control of the elements you can. Having an outside view is also helpful in highlighting issues you may not have even considered, such as outdated procedures. On the technical side, a consultant can advise on different possibilities to automate procedures and remove the possibility of human error.
A security company will perform an audit where they review all of these factors and may perform some tests. They will then provide a detailed report explaining their findings and providing recommendations on improvements. This will allow you to improve your cyber security, staff awareness and ensure that your policies and procedures are fit for purpose and can adapt to the times.
Following on from an audit you may decide you require more ongoing support. This can take a number of forms, from penetration testing to regular consultancy with a virtual CISO (Chief Information Security Officer). As an SME you may not need, or have the resources, to employ a full-time CISO, but there are companies who offer the opportunity to pay for a certain number of hours per month to help you come up with a risk management strategy, review it periodically and keep up to date on best practice within your industry.
There are also companies who can offer on-demand penetration testing. You may think you have taken all of the necessary steps to protect your organisation, but there is no substitute for testing this with a real-life example.
This can be through simulated social engineering. Phishing attacks are no longer the poorly spelled mass mailshots we have all been warned about countless times but are now nuanced and much harder to spot. Social media has made it much easier for cyber criminals to access all kinds of information about an individual which they can use to tailor an attack.
Ethical hacking is also available, where a cyber security company attempts to hack your system. This is one of the best ways to really test your system, as they will be using the same techniques as the cyber criminals you are looking to protect against. 1 in 5 penetration tests revealed a critical risk in need of immediate remediation.
All of these steps will help to demonstrate a culture of security to cyber insurers but, more importantly, to your customers, as cyber security becomes a priority in choosing partners to work with.