12 ways to help protect your business from getting hacked
September 15, 2014
Basic and advanced tips to reduce the chance of cyber security breaches.
Law 1: Everything that is connected to the Internet can be hacked.
Law 2: Everything is being connected to the Internet.
Law 3: Everything else follows from the first two laws.
Whether we like to believe it or not, our lives are now governed by these laws, according to Zurich Insurance and the Atlantic Council. Because of this, the Zurich and Atlantic Council team thinks we need, now more than ever before, a plan to protect our companies and our information.
There are two broad sets of tips to address, according to the duo. The first set, the one we’ll discuss in this post, is for individual organizations, whether companies, government agencies, or even individuals.
The second set is for improving the Internet as a systemic whole, to help reduce the chances of global cyber shocks and their impact. These are for governments, organizations with a system-wide view, and select companies like major Internet service providers (check out that post here).
Local Risk: Tips for Individual Organizations
Basic: These actions are the most simple and have not changed much in the last decades. But, one of the reasons cyberspace remains so pervasively insecure is that many organizations ignore them.
- Application whitelisting: Do this, they advise. When organizations only allow computers to run a limited set of pre-approved programs, it can prevent a hacker’s software from working, stopping intrusions in their tracks.
- Use of standard secure system configurations: Computers with only a few standard configurations are far less expensive and can be simpler to defend.
- Patch application software within 48 hours: Get this, they say. A “window of vulnerability” opens once new “patches” are released to fix software. Dropping this window from weeks to days can reduce opportunities for hackers to strike.
- Patch system software within 48 hours: Get this too, they also say. This is critical for application software and for system software.
- Reduced number of users with administrative privileges: Users with “administrative privileges” have the keys to the castle. They’re able to do anything they want on the network, yet many companies allow every employee this access.
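As an added illustration (not code from the Zurich/Atlantic Council report), the basic controls above can be expressed as simple audit checks over a host record: an application whitelist, the 48-hour patch window for both application and system software, and a short list of accounts allowed to keep administrative privileges. The approved-application list, the allowed admin accounts and the host record below are constructed sample data.

```python
from datetime import datetime, timedelta

# The post's basic controls as checks. All lists and the host record are constructed.
PATCH_WINDOW = timedelta(hours=48)                      # "patch within 48 hours"
APPROVED_APPS = {"office-suite", "browser", "pdf-reader", "erp-client"}  # whitelist (assumed)
ALLOWED_ADMINS = {"it-admin"}                           # accounts allowed admin rights (assumed)
AUDIT_TIME = datetime(2014, 9, 15)                      # when the audit is run (constructed)

# Constructed sample host record, not real data.
HOST = {
    "running": ["browser", "erp-client", "remote-tool"],
    "patches": [
        # name, kind, vendor release date, date applied (None = still unpatched)
        {"name": "browser", "kind": "application",
         "released": datetime(2014, 9, 10), "applied": datetime(2014, 9, 11)},
        {"name": "kernel", "kind": "system",
         "released": datetime(2014, 9, 12), "applied": None},
        {"name": "pdf-reader", "kind": "application",
         "released": datetime(2014, 9, 1), "applied": datetime(2014, 9, 8)},
    ],
    "users": [{"name": "alice", "admin": False},
              {"name": "bob", "admin": True},
              {"name": "it-admin", "admin": True}],
}

def unapproved_apps(host):
    """Whitelisting: anything running that is not on the approved list."""
    return sorted(set(host["running"]) - APPROVED_APPS)

def patches_outside_window(host, now):
    """Patches applied more than 48h after release, or still missing past 48h.
    Both application and system software are checked, as the post advises."""
    late = []
    for p in host["patches"]:
        end = p["applied"] or now          # unpatched: window is still open and growing
        if end - p["released"] > PATCH_WINDOW:
            late.append((p["kind"], p["name"]))
    return late

def excess_admins(host):
    """Admin accounts that are not on the short allowed list."""
    return sorted(u["name"] for u in host["users"]
                  if u["admin"] and u["name"] not in ALLOWED_ADMINS)

def basic_controls_report(host, now):
    """One finding list per basic control; an empty list means the control holds."""
    return {"unapproved_apps": unapproved_apps(host),
            "late_patches": patches_outside_window(host, now),
            "excess_admins": excess_admins(host)}

if __name__ == "__main__":
    for control, findings in basic_controls_report(HOST, AUDIT_TIME).items():
        print(control, findings)
```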
Advanced: Larger organizations should engage in more advanced cyber risk management. Some of the action items in ascending order of difficulty:
- Cyber insurance: With cyber insurance, companies can transfer cyber risks associated with data breaches or business interruption. Talk to your broker about what’s available.
- Demand more resilient and secure standards and products: Bigger organizations can push the standards for the organization to incorporate more security and resilience.
- Pushing out risk horizon: Advanced companies can extend their view of risk management to counterparties, outsourced partners, and upstream infrastructure. This helps push out risk.
- Board-level risk management: Cyber risks can bankrupt and ruin companies; companies must include a broad view of global aggregations of cyber risk, hold executives to account, and move away from a checklist/audit perspective.
Resilience: Future cyber shocks might be of such frequency and intensity that organizations might have to suffer through them as they do natural disasters. So, resilience will be critical.
- Redundancy: Provide alternatives during Internet disruptions. An example of redundancy is having ISPs connected to the same peering points. Diversify, diversify, diversify.
- Incident response and business continuity planning: Have trained teams ready to respond when the worst happens.
- Scenario planning and exercises: Build muscle memory for responding to incidents. Have drills, exercises, and seize every opportunity to create “teachable moments” for responders and executives.
Read the full report by Zurich Insurance and the Atlantic Council.
The information in this publication was compiled from sources believed to be reliable for informational purposes only. All sample policies and procedures herein should serve as a guideline, which you can use to create your own policies and procedures. We trust that you will customize these samples to reflect your own operations and believe that these samples may serve as a helpful platform for this endeavor. Any and all information contained herein is not intended to constitute advice (particularly not legal advice). Accordingly, persons requiring advice should consult independent advisors when developing programs and policies. We do not guarantee the accuracy of this information or any results and further assume no liability in connection with this publication and sample policies and procedures, including any information, methods or safety suggestions contained herein. We undertake no obligation to publicly update or revise any of this information, whether to reflect new information, future developments, events or circumstances or otherwise. Moreover, Zurich reminds you that this cannot be assumed to contain every acceptable safety and compliance procedure or that additional procedures might not be appropriate under the circumstances. The subject matter of this publication is not tied to any specific insurance product nor will adopting these policies and procedures ensure coverage under any insurance policy.