Test your cyber plan ‘like it’s a smoke alarm’
Australian businesses should have an established cyber incident response procedure in place and regularly test it in much the same way smoke alarms are frequently checked for faults, 360 Underwriting Solutions says.
The advice comes after Prime Minister Scott Morrison warned last week that organisations are being targeted by a “sophisticated state-based cyber actor”.
360’s National Underwriting Development Manager of Cyber Jodie Piddington says all the key areas of a company must be “ready to act”.
“Think of how many times we test our fire alarms in case of a fire,” she told insuranceNEWS.com.au. “A cyber risk can be seen the same way, given the amount of damage hackers can do in such a short space of time.”
Cyber insurance policyholders should make contact with the incident responder at their insurer now, and not wait until a breach has occurred, to be best prepared for unexpected events, 360 says.
Managers should familiarise themselves with the personnel they will be dealing with and know what to expect in what can be a “highly stressful new experience”.
Risk managers should also ensure there is immediate notification of any incident to their insurer using the incident response service available with their policy, Ms Piddington says.
“This process should be well known to all the key decision-makers in the corporation and factored into [its] incident response procedure.”
360 advises companies to do the following to be cyber-ready:
- Ensure all critical patches are applied to systems immediately and that reputable commercial-grade anti-virus and firewall protection, which updates itself every hour, is in place.
- See that staff are trained to be able to identify scam/spam/phishing emails and pick up the phone to get verbal confirmation for critical monetary decisions.
- Ensure backups are updating regularly and are tested for integrity, and check that the restoration of documentation from the Cloud is working, to reduce business interruption time.
- Consider implementing multi-factor authentication on all systems, especially if staff are working remotely.
- Risk management teams should know where their cyber policy is and what to do inside the business before calling their insurer.
- Have an in-house legal team ready to address any potential breach of contract or duty of care issues to clients and employees.