Cybersecurity insurance is a must-have for organizations of any size as threats mount and attackers become more sophisticated. Many business insurers now offer or include cyber insurance as part of their regular coverage. But that doesn't mean it's easy to qualify for cybersecurity insurance.
That's because carriers generally require their business customers to implement specific information-security protections before they can receive insurance coverage. If your organization hasn't implemented all of them, you may have to expand your cybersecurity budget. The upside is that you may make your money back through a reduction in your insurance premiums.
Here are 12 cybersecurity protections that insurers often want you to have. Your particular carrier may require only some, or may tack on others, but these provide the basics of a strong security posture.
1. Multi-factor authentication.
Mandatory, strong MFA for privileged or administrative accounts is an absolute must-have, and it's tough to get cyber insurance without it. Cybersecurity experts recommend MFA for all accounts, not just privileged ones, and extending it that far may get you lower rate quotes.
2. Identity and access management/privileged access management.
Strong identity security goes far beyond MFA. A robust, cloud-based IAM or PAM platform lets you monitor user behavior, enable context-aware MFA, quickly onboard or deprovision employees, and change system permissions as individual users take new positions.
3. Staff security training.
Your people can be the weakest part of your cyber defenses, or the strongest. If your employees learn to spot phishing emails, social engineering scams and other forms of suspicious behavior, your IT or SOC teams will gain powerful allies in the fight to keep the bad guys at bay.
4. Browser protections and web security.
Web browsers aren't meant to be secure, yet many applications today are built atop browsers or accessed through them. Hardened browsers and secure enterprise browsers let your IT team control what staffers access, print and download; block phishing sites and malware; and log and monitor user behavior. Other protections do the same for non-browser web connections.
5. Email protections.
Phishing scams will be with us until the end of time, and business email compromise attacks can be devastating. Strong email filters will block obvious scams, and email authentication protocols like DMARC, SPF and DKIM will screen out miscreants, fraudsters and spammers.
6. Remote/virtual desktop protections.
Attackers with stolen credentials can often easily log into remote or virtual desktops as legitimate users and cause all sorts of havoc from the inside. In addition to protecting the credentials (see items 1 and 2 above), it pays to protect the endpoint being accessed, whether it sits on a desk or lives in the cloud.
7. Extended and expanded logging and monitoring.
A strong cybersecurity posture requires monitoring and logging EVERYTHING: staff sign-ons, email usage, browser usage, local and remote network connections, application and machine behavior, data requests and on and on. The resulting visibility will help you protect your systems and anticipate threats.
8. Endpoint detection and response (EDR) or extended detection and response (XDR).
This is far more than antivirus software. EDR platforms spot, block, investigate and respond to suspicious activity on endpoints; XDR wraps those same protections around servers, cloud assets, mobile devices and your network itself.
9. Incident response planning.
A strong company is a prepared company. Draw up individual response plans for the most likely worst-case scenarios. Make your SOC team run through tabletop exercises to gain muscle memory. Your insurance provider may want to see your incident response plans and make additions or changes.
10. Vulnerability management and proper patching.
Even today, many companies struggle to keep their software and systems patched. Per Sophos' 2024 State of Ransomware report, exploited vulnerabilities are behind 36% of ransomware attacks. Use a vulnerability management platform and make timely patching routine.
11. Managed detection and response.
Does your SOC team work on nights and weekends? That's when attackers love to strike. Beef up your defenses by contracting with an external MDR service that can pick up the slack. It'll keep watch over your systems and respond to any cybersecurity incident that occurs while you're otherwise engaged.
12. End-of-life/deprecated systems management.
How much outmoded hardware are you still running? How much of it do you need? Draw up a plan to gently replace those dusty old servers, and to add extra protections to antiquated systems that can't be easily replaced.