Written by: Griffiths & Armour on: 21 Jul 2022
Quantifying your Cyber Risk exposures and essential Cyber Risk Management for 2022
How to quantify your Cyber Risk Exposures
Our Cyber Insurance Assessment has been completely reconfigured in line with NIST’s (National Institute of Standards and Technology) industry-leading framework to provide enhanced client feedback, presentation and risk ratings in the following key areas:
Assessment coverage has also been extensively updated to reflect the latest insurer trends with a view to streamlining data collation, analysis and insurance market presentation. Outputs of the exercise include:
- Risk exposure evaluation vs probability to assist in determining the correct level of insurance coverage.
- Prioritised risk improvement recommendations to meet the latest insurer requirements.
- The results of network perimeter cyber security risk reconnaissance as might be undertaken by prospective insurers, allowing time to address any issues before approaching the market.
Further information on the new Cyber Insurance Assessment service is available via your usual contact at Griffiths & Armour.
Essential Cyber Risk Management for 2022
Griffiths & Armour have recently issued their latest cyber risk management guidance. The detailed publication includes advice on:
Taken from the guidance, essential risk reduction and control measures should now be considered to include:
- Compliance with recognised ICT security standards, such as ISO 27001 or the Government-backed Cyber Essentials Plus scheme.
- Tightly limiting the number of domain administrator user and service accounts (with interactive login disabled).
- All account permissions should be granted on the basis of least privilege. Administrator privileges should be disabled for standard users on their machines.
- Authenticating the identity of all users. Particular attention should be paid to authenticating users with privileged accounts, such as domain administrators, and those accessing systems from and/or located outside the network. Multi-factor authentication is now commonplace for such users. It is also increasingly a requirement for standard users even when within their own network.
- Establishing anti-malware and intrusion detection software across the entire system (including portable devices). Regular updates to such software should be applied. Advanced malware protection, such as endpoint detection and response (EDR) software, should now be considered the ‘norm’.
- The means to quickly become aware of and apply critical security patches for all operating systems, applications, firmware, plug-ins and components. Ideally, critical updates should be applied within a maximum of seven days. Unsupported software, such as obsolete operating systems, should be removed from the system. Where this is not possible, strong mitigation measures should be established.
- Establishing a security operations centre to provide 24/7 specialist cyber security monitoring and support.
- Security hardening of operating systems and applications in accordance with recognised guidance.
- Segmenting internal and external networks by means of properly configured firewalls (with strong port and service restrictions), Demilitarised Zones (DMZs) and Virtual Local Area Networks (VLANs). Web Application Firewalls (WAFs) should also be provided for websites considered to be at higher risk, such as those holding sensitive personal information.
- Encrypting and authenticating communications, such as those over wireless and virtual private networks.
- Security scanning and filtering of emails.
- Ensuring regular off-network or immutable data backups are generated to protect against ransomware attacks.
- Undertaking regular system vulnerability scanning and periodic penetration testing.
- Providing cyber security training to staff, administrators and developers.
- Conducting social engineering tests on staff.
- Installing physical security, CCTV systems and intruder alarms for key ICT areas, such as server rooms.
- Preventing users from downloading, transferring or installing executable files.
- Generating secure audit trails of user and system activity, including that of ICT staff, and flagging suspicious behaviour. Security information and event management (SIEM) systems can assist with monitoring and flagging higher-risk activity.
- Disabling or restricting USB ports.
- Establishing a cyber incident response plan.
Griffiths & Armour recommend that organisations review their cyber security provision against the above. If you have any questions about the contents of this article, please click below to submit your enquiry to Risk Management Managing Director, Greg Street.
The full guidance document is available via RMworks, Griffiths & Armour’s online risk management portal, available to all clients or via your usual contact at Griffiths & Armour.