6 things cyber underwriters love

Remote Desktop Protocol (RDP) allows users to access their office desktop and computing resources remotely. While convenient, especially in the age of working from home, it can also make businesses extremely vulnerable to ransomware attacks if not configured properly. In fact, our cyber claims team estimates that over half of the ransomware attacks it deals with stem from open RDP ports, making it the single most common cause of these types of events.

If a company’s Remote Desktop Protocol is not absolutely necessary, we would expect it to be turned off. And if RDP is something that is needed, we recommend that it is secured behind a virtual private network and multi-factor authentication.

MFA, or multi-factor authentication, is an extra layer of security used to verify the identity of the person trying to gain access to an account. This could be anything from a thumbprint to a unique code texted to the individual and is a nearly ubiquitous feature across technology platforms these days.

A lack of MFA on business email accounts or RDP (see above) can be a disaster. Usually through brute-force attacks (where criminals try multiple username and password combinations in quick succession) or through stolen credentials from the dark web (as so many people reuse username and password combinations), criminals can quickly gain access to business email accounts without this extra piece of security. This often results in funds transfer fraud losses where money is rerouted to fraudulent bank accounts, but it is also increasingly leading to ransomware events and major privacy breaches.

For that reason, our cyber underwriters love when a business has MFA in use across all business email accounts and on other key business software too. 

Our underwriters like to be able to quickly understand the types and amounts of data held by any company for whom they are quoting cyber cover. But more than that, they want to be able to see that the data is being stored and segregated appropriately. For example, if a business holds 100,000 client records, we’d like to see that data split across multiple servers. This means if one server is compromised, not all data is lost at once, reducing the likelihood of a business-ceasing event or catastrophic loss.

If a business outsources their data management, as many small businesses do, it’s good to make sure that they have the right authorised access controls in place and that they are running security checks on any third party partners. All of this can indicate overall good cyber hygiene.

Firewalls and antivirus software aren’t enough to ward off today’s more sophisticated cybercriminals. That’s why our cyber underwriters love to see businesses using endpoint detection and response (EDR) tools, which continuously monitor any device that can be connected to a network – the figurative doors and windows a business has around its technology infrastructure – to ensure that each is secure and free of malicious activity. An endpoint might be anything from an employee workstation to a company server to a mobile phone.

Backup practices can vary widely, so our cyber underwriters would like to know more. How often are they taken? Where are they stored? We are keen to see that data is being backed up regularly, segregated from the main network, and stored offline in an offsite location. Afterall, out-of-date backups or backups that are kept on the same system as the files they are backing up aren’t much use when the whole system in compromised.

Having good backups can be the difference between recovering systems relatively quickly and easily following a ransomware attack and forking over a six or even seven figure extortion demand to criminals that have encrypted entire systems including backups.

Often times, our underwriters simply want to see evidence that a business has good security governance. Does a business have policies and procedures in place in relation to cyber risk management? Have they put a person in charge of these policies and procedures? Are they aware of the different kinds of data they hold and how it’s stored?

A willingness to implement fixes for security vulnerabilities that our in-house security team  has detected and to use our risk management services – specifically our mobile app – to educate employees and detect vulnerabilities also demonstrates a lot about a business.