Connections: The official publication of Applied Client Network

A Cybersecurity Checklist to Help Strengthen Your Perimeter

This is a quick guide to some of the most important controls an organization can implement to help protect itself from the pervasive and continuous threats posed by cyber criminals. Insurance agencies have a heightened exposure given the amount and types of data held on behalf of not only their customers, but their partners and even employees. They have an obligation and a liability to keep the data they hold safe. That can only be accomplished through a strict combination of policies, procedures and cybersecurity controls.

As quickly as companies are deploying new technologies to remain competitive and serve their customers more efficiently, threat actors are often using the same technology to launch attacks against them. It’s important that agencies institute protective measures to thwart those efforts ahead of time. This can be achieved by implementing many of the following controls. In combination, these measures can leave a company less exposed than one that fails to use them.

  1. Multi-factor Authentication: This is an extra step in confirming a user’s identity, in addition to login credentials. An example of this is when a code is sent to an authentication app after you enter your username and password. Only when you enter the code sent to that separate device will you gain access to the network.
  2. Endpoint Detection and Response: This technology continuously monitors endpoints, logging and feeding information back to the security team so that anomalous behavior in the network can be flagged. For example, if a device on a domestic company’s network is logged into at 2 a.m. in Ireland, the EDR tool will log and isolate the incident so that a human can review it and take action.
  3. Secure Backups: Making sure backups are conducted frequently is critical to the company’s ability to recover expeditiously from a cyber incident. Ideally backups are also secured and offline to further mitigate the impact of an incident. The ability to restore backups should be tested regularly.
  4. Email Filtering and Security: Firewalls and quarantine solutions are critical for keeping threat actors from commandeering email addresses and for revealing phishing campaigns, which might ultimately lead to financial loss for the company.
  5. Privileged Access Management: A method of controlling and monitoring privileged accounts to ensure the highest level of security is in place for things like critical systems. An example of a critical system is one that daily operations depend on and would be significantly interrupted by a compromise. Unauthorized access to a company’s critical systems is a substantial risk. Privileged access management (which can be done via a product/solution or a cluster of compensating controls) is crucial to the security of those systems.
  6. Vulnerability and Patch Management: Vulnerability scanning (external or internal) is the process of observing and monitoring environments for areas of potential exploitation. Some companies continuously monitor their external environments, while internal vulnerability scanning is typically done on a monthly or quarterly basis. Doing so ensures that vulnerabilities are properly identified, assessed, prioritized and remediated. Patch management is the deployment of a fix for an identified vulnerability. An example of general patch management is “patch Tuesdays” by Microsoft, where every Tuesday they release a list of all critical vulnerabilities in the Microsoft environment so their customers can act on the ones most relevant to them.
  7. Cyber Incident Response Plan: This may be one of the most important things to a company operating in today’s world — essentially a cyber playbook. This plan should involve folks from IT/security to leadership, and detail precise steps to be followed should the company suffer a cyber incident.
  8. Employee Training: Every organization should train their employees regularly on the importance of cybersecurity awareness. Every person has a role in protecting the company from threat actors. Training should be conducted at least annually, with phishing campaigns run at least monthly.
  9. Vendor Management: There are security products available to help companies monitor their vendor attack surface, in addition to other efforts involving vetting vendors ahead of time with cybersecurity questionnaires and validating the vendor’s purchase of their own cyber insurance. Holding vendors accountable for strong cybersecurity postures can mean the difference between a company remaining open or having to close its doors after an incident. This has become much more important over the last few years, as we have all seen large-scale SaaS provider cyber incidents (like CrowdStrike, CDK, Change Healthcare) affect hundreds of thousands of downstream organizations.
  10. End-of-Life Systems Management: Legacy systems that are no longer supported from a security standpoint are huge exposures for any organization. If a system can no longer receive updates or be patched, the system is left vulnerable to threat actors. These systems can be exploited by cyber criminals given they cannot be properly secured. The company should decommission these systems as soon as possible to prevent incidents.

This list is simply a collection of some of the most important tools to implement as part of an organization's defense-in-depth strategy. But as with any strategy, there are layers to it. Security is also not static; it's continuous. We understand that many businesses cannot implement all these measures, especially not at once, but the important thing is that you start. Your clients and employees will thank you.


Jessica Klipphahn, CPCU, AINS, CLCS

Rhodian Group November