Cyber security checklist: 10 questions for the modern Managing Director

1. If you suffered a ransomware attack, could you get back up and running, or would you be forced to pay the ransom?

The average ransom paid in 2020 was $170,404, with a third of victims paying up (Source: The State of Ransomware 2021 by Sophos).

2. If you are confident that you can get back up and running, how long would it take for your business to get back online, and what would the impact be?

Ransomware recovery timeframes vary widely. In very unusual situations, companies may only be down for a day or two. In other unusual cases, it can take weeks. Most companies fall somewhere in the one to four-week range, largely because they struggle with not knowing what to do. In a well-managed ransomware recovery effort, executed by an experienced team, a common time frame is one to two weeks. However, there are a tremendous number of variables to consider, and it is important to state that “recovery” is defined here as getting the IT system back online so the company can transact business.

3. Should disaster strike, do you have sufficient internal IT resources available to quickly and efficiently restore access to your environment?

This could be internal resources or third-party suppliers. But remember that if you are reliant on a third-party supplier, they may not have resources available to deal with your cyber-attack. The supplier could be midway through other project work or even dealing with other attacks.

4. Do you really understand the cyber security threat?

Too many people believe that it’s about anti-virus software and think that they are covered because they have this in place. It’s not. Cyber security is multi-layered, and having anti-virus software alone will not protect you. As a minimum you should be undertaking a vulnerability assessment. It’s no different to securing physical premises. You’ll have physical deterrents such as multiple locks, alarms and gates. You’ll have measures for dealing with catastrophes such as fire and flooding. You’ll train staff in how to handle different scenarios to protect your business and employees’ welfare. You need to do the same with the threat of cyber attacks.

5. Would you suffer reputational damage if you suffered an attack?

What would customers, suppliers and other stakeholders think if you suffered an attack and were unable to trade for a number of days or weeks? Would your customer base or supply chain be impacted?

6. Are you complying with the terms of your business insurance policies?

As ransomware soars, insurers are trying to reduce their exposure by increasing the minimum security requirements for each of their renewing and new business clients. Security measures that were a preference a year ago are now seen as mandatory, and unless businesses take immediate steps to meet any outstanding minimum standards, they may find it significantly harder, if not impossible, to obtain cyber cover.

Underwriting controls that are being mandated by the cyber markets have become more robust, but the list of controls is by no means static. Minimum standards evolve as technological processes advance and as cyber criminals’ tactics change.

Current minimum security measures include:

  • Multi-factor authentication (MFA): on all remote access, administrator accounts, RDP, email and any other area in which this can be applied.
  • Endpoint protection software: for detection of and response to malicious attacks on laptops, phones etc.
  • Server backups to the cloud and offsite locations: to give the company something to fall back on in case of severe data encryption.
  • Frequent training of employees: especially around data protection and cyber threats, e.g. email phishing links.

In our experience, insurance renewals are often left until very late in the renewal cycle. Don’t get caught out and find that you can’t get cyber insurance protection because you have not addressed core cyber security requirements.

7. Have you assessed whether remote working increases your risk of cyber security attacks?

The COVID-19 pandemic has seen an increase in staff working remotely in either a full-time or hybrid manner. Have you assessed whether this increases the risk of cyber security attacks on your organisation? Home connections are typically far less secure, meaning that cyber criminals have an easier entry into business networks.

8. Are your staff trained to deal with and prevent possible cyber breaches?

Comprehensive cyber security awareness training is one of the best ways to help protect your business from malicious actors and prevent possible breaches. Your employees are often the first line of defense against a cyber security attack. Well-trained employees know the best tactics to prevent, respond to, and recover from an attack. The training should cover 4 key areas:

  • defending yourself against phishing
  • using strong passwords
  • securing your devices
  • reporting incidents (‘if in doubt, call it out’)

9. Is your patch management up to date, and do you have outdated hardware that poses a risk?

Patches are designed to repair a vulnerability or flaw identified after an application or piece of software is released. Unpatched software leaves a device vulnerable to exploits. Software patches are a critical component of IT operations and security, and it is essential that you have policies and procedures to ensure that they are applied.

10. When was the last time you actively assessed the vulnerability and risk of cyber security to your business?

Let’s be honest! We’re all struggling with heavy workloads and what we believe are the immediate pressing business issues. Cyber security is very technical, and it’s probably not something that non-IT experts feel comfortable dealing with. However, it’s not something that can be ignored, and it is one of the key risks facing businesses in 2021.