Lower cyber insurance premiums at your NDIS org with these eight crucial cyber security strategies.

Cyber insurance premiums are on the rise, affecting many organisations and causing unprecedented effects on annual IT budgets, but why the sudden spike in premium payments?

The main driver is the increasing activity, and success, of global cyber-criminals with their relentless ransomware attacks. Ransomware attacks are up 13% over the last 12 months, representing a greater increase than the last five years combined. The majority of cyber-attacks are now focused on data breaches – with both encryption and theft opening up target organisations to extortion.

The Insurance Council of Australia has called out “the unique challenges cyber risk poses to designing and providing affordable cyber insurance policies. The ever-changing nature of cyber risk, which means coverage cannot be predicted on prior historical claims experience, and incomplete data sets makes it difficult to price premiums.”

Insurers have been making mounting losses on their cyber insurance policies over recent years. A ransomware attack has the potential to consume the full-limit loss of a cyber-insurance policy in a single event if the ransom demand is high enough. Legal liabilities, through class-action lawsuits, regulatory fines, penalties, and investigations are adding to the pricing pressure on premiums. The insurance industry is now playing catch-up and increasing premiums to match real-world costs.

NDIS organisations, with their sensitive client physical/mental health records, are particularly vulnerable to cyber blackmail. Trust is at the heart of all care – trust that the provider is managing all aspects of their responsibilities with regard to vulnerable members of our community. For some NDIS providers, the public release of confidential patient information may be a breach of trust large enough to cause an existential event for the organisation.

How NDIS organisations can contain their cyber insurance premiums.

Premiums will need to rise to reflect the actual underlying increase in the frequency and impact of cyber-crime across the entire market. But there is still scope for individual organisations to demonstrate that they have a relatively lower risk profile through a focus on cyber security hygiene and best-practices.

The easiest and most-transparent way to demonstrate to insurers (and your board) your own organisation’s security focus to adopt and pursue one of the standard security frameworks. There a handful to choose from (ISO27001, CIS, NIST, etc…), each with their strengths and weaknesses, but as a starting point Bluescale recommends NDIS orgs follow the guidance from The Insurance Council of Australia which “endorses the Australian Cyber Security Centre’s Essential Eight Maturity Model as a good first step towards improved cyber security health.”

The cyber-security questionnaire most NDIS organisations are receiving as part of their insurance renewal process, regardless of your provider, is closely aligned with the strategies defined in the ACSC Essential Eight.

The ACSC Essential Eight Key Strategies are:

1. Application Control
2. Patch Applications
3. Configure Microsoft Office Macro Settings
4. User Application Hardening
5. Restrict Admin Privileges
6. Patch Operating Systems
7. Multi-factor authentication
8. Regular Backups

The ACSC Essential Eight Overview

The Australia Cyber Security Centre provides extensive guidance for organisations to mitigate and manage cyber threats, including their comprehensive Strategies to Mitigate Cyber Security Incidents. The Essential Eight represents a distilled subset of the full guidance, presented in a more consumable and actionable bundle, making it easier for organisations to implement.

Note that the Essential Eight has a strong focus on strategies to support Microsoft Windows-based networks – which is where the majority of NDIS and NFP organisations are already playing, given the extensive NFP discounts that have traditionally been available from Microsoft

To assist organisations with their implementation of the Essential Eight, four maturity levels have been defined (Maturity Level Zero through to Maturity Level Three) based on mitigating increasing levels of adversary tradecraft (i.e. tools, tactics, techniques and procedures).

NDIS organisations should be targeting Maturity Level 1, at a minimum. Check out a quick summary of the eight crucial cyber security strategies below.

Strategy 1 – Application Control

Application control is designed to protect against malicious code by ensuring that only pre-approved applications (executables, scripts, installers, and drivers) can be executed.

Strategy 2 – Patch Applications

Security research and cyber criminals regularly discover new vulnerabilities in applications. To protect your environment, it is vital that these vulnerabilities are identified and fixed in a timely manner. Some applications, such as those that connect directly to the internet, and some systems, such as those directly reachable from the internet, need prompt remediation.

Strategy 3 – Configure Microsoft Office Macro Settings

The majority of end-users do not need the additional functionality provided by Microsoft Office macros. Macros should be disabled where possible, and no macros downloaded from the internet should ever be permitted to run.

Strategy 4 – User Application Hardening

Web browsers are a primary interface between end-users inside your environment and the internet. The risks associated with older browsers, poorly configured browsers, or browsers running legacy application code are high, and special attention is needed to control and reduce these risks. Locking down browser permissions has a significant effect on so-called “drive by” infections.

Strategy 5 – Restrict Admin Privileges

Admin users present a special security challenge. It is vital for these users to have elevated rights and permissions to perform their work, including the support of end-users. However, their administrative privileges make them an attractive target for cyber-criminals.

Implementing this strategy prevents admins from performing their administrative activities from the same accounts they use to access email and the internet, and restricts admin accounts to essential activities only.

Strategy 6 – Patch Operating Systems

As with “Strategy 2 – Patch Applications” above, the regular stream of new vulnerabilities being discovered in operating systems needs to be addressed. This includes non-Microsoft operating systems, such as Linux and Apple devices, as well as your network devices. As above, some systems, such as those directly reachable from the internet, need more prompt remediation.

Strategy 7 – Multi-factor authentication

Multi-factor authentication (MFA) is perhaps the simplest and quickest overall improvement you can make to your organisation’s security posture. It is important to make sure that MFA is used for all internet-facing services or any system that processes the organisation’s sensitive data.

Strategy 8 – Regular Backups

Reliable backups can mean the difference between whether you even consider paying ransomware. Backups need to be tested in a coordinated manner as part of disaster recovery exercises. And, as cyber criminals now try to target backups too, it is important that backups are secured offsite with separate credentials.

Work With Bluescale for Further Advice on Reducing Premiums

Beyond the Essential Eight strategies outlined above, there are a range of initiatives that can help to lower your security risks and your premiums. Bluescale recommends that NDIS organisations consider the following additional strategies as part of their IT security planning:

• Security Awareness Training – End-users are one of the most vulnerable parts of your IT environment. Security Awareness Training is “patching” for your staff. Getting your end-users to avoid falling for Phishing and Social Engineer attacks will help improve your security posture almost as much as implementing MFA.
• Regular Pentesting – As the management guru Peter Drucker famously said, “If you can’t measure it, you can’t manage it.” Regular pentesting is the best way to ensure that your security strategies are properly implemented. New attack techniques are constantly being revealed. Pentesting can help keep you one step ahead of the cybercriminals.
• Security Governance and Audit – Structuring your security activities within a well-defined framework can help to prioritise initiatives and, equally importantly, can help communicate and obtain the necessary budget for security projects with the board and senior management.

Reach out to us and the team at Bluescale, so that we can explain to you how our Managed IT services, designed specifically for NDIS organisations, can help you align your Cybersecurity practices with common security frameworks and save yourselves some money while you’re at it.