8 Critical Controls for Cyber Security

Hi there, I’m Kyle, head of the risk engineering team at arch CyPro. We’re a collective of cybersecurity professionals working at every level of the insurance process at Arch to transform the way that we as an industry tackle cyber risk. Our mission is to pioneer a proactive and innovative approach to cybersecurity insurance, combining risk engineering with underwriting, to equip businesses with the tools they need to stay protected. Our team has identified eight critical controls that are key to this process. They help us assess incoming risk, support the claims process and constantly learn from cyber breaches to ensure businesses remain resilient in the ever-evolving cyber threat landscape. By sharing these with you, we’re working to remove some of the smoke and mirrors and the uncertainty that often surrounds the insurance application process. Think of these eight critical controls as your foundation, your first line all around defense against cyber threats. For you as a CISO, or risk manager that can act as a checklist of cyber essentials, making sure your bases are covered. To us they signal that you’re proactive, vigilant, and responsive; you’ve done your homework, and you’re ready to face cyber risks head on, making your organization more attractive for underwriting. In the wake of cyber threats, we believe it’s crucial to adopt this solution first mindset. This doesn’t just mean responding to breaches, but being prepared before they happen, and continuously learning and improving afterwards. That’s why our eight critical controls cover three essential and complementary areas. First are the proactive controls, which are your pre-emptive measures to prevent cyber threats. Next, we look at the vigilance of your analytical cyber defenses. These are the controls that allow you to constantly monitor for cyber threats. And finally, we look at how prepared your organization is to respond when a cyber incident occurs.

By approaching cybersecurity in this comprehensive manner, we help you ensure you’re prepared to encounter not only the current major threats of ransomware email compromise and financial frauds transfer, but also future threats that advanced technology may pose. If you want to make sure that your business is covered. Find out more about our eight critical controls on our website. And remember, cybersecurity is not just about protection. It’s about resilience in the face of adversity. Together, with the solution first mindset, we can build a more secure cyber future.

Hello, Kyle from Arch CyPro’s risk engineering team here. In this three-part series, we’re diving deeper into our eight critical controls for cyber resilience. The cybersecurity considerations that ensure your organization has all around cyber defenses and make you more attractive to insure. First, proactive controls; measures that are taken in advance to prevent cyber threats before they have a chance to attack. Critical control number one is multi-factor authentication or MFA. This isn’t just a password wall, it’s more like a fortified barrier. With MFA, unauthorized users must provide a username, password, and MFA token to gain access. The combination of these elements provides a solid first line of defense should one of your users’ passwords be compromised.

Next in our defensive lineup is vulnerability scan. It’s similar to a security guard patrolling your perimeter, constantly monitoring your systems for potential weaknesses that could be exploited by attackers.

This scan identifies any exposed ports or services that should not be publicly accessible and identifies vulnerabilities that should be patched before they become a real issue. Lastly, we look at security awareness training. Turning your employees from potential risk points into gatekeepers. By informing and educating your workforce, you can create a culture of cyber awareness where each employee understands their role in protecting the company’s digital assets.

Now let’s visualize a scenario. An unscrupulous entity tries to execute financial funds transfer fraud against your organization. Picture this, a phishing email comes through pretending to be from your CEO asking an unsuspecting employee to click a link and check their latest pay stub. This link leads to a page that closely mimics a legitimate Microsoft login page. The employee being caught off guard enters their login and password which are immediately captured by the threat actor. But the attacker’s celebration is short lived. When they attempt to use these captured credentials to access the victim’s VPN and email, they’re stopped in their tracks by your multi-factor authentication system. It demands a second form of verification which the attacker is unable to provide. This immediate roadblock keeps the attacker at bay. But suppose the phishing email also carried a hidden threat, a malicious document crafted to exploit a specific system vulnerability. In the background, your vulnerability scanning system, which has been continuously scanning your system for vulnerabilities, had previously flagged this particular issue. Prompt action from your IT team had already patched the vulnerability and the attacker’s exploit attempt fails, their efforts to leverage the malicious document amount to nothing. This scenario shows how with proactive controls in place, you have multiple layers of defense, each serving to ward off the attack. Your robust multi-factor authentication and the ever-vigilant vulnerability scanning working together to protect, in this instance, your organization’s financial and technical resources. And with some additional security awareness training for the team, it’s likely this email wouldn’t have gone any further than the inbox to begin with.

Implementing these controls is the first line of defense. But we all know cyber threats don’t rest, and neither should your strategy. And Arch CyPro, we believe in a solution first mindset. We see these threats not as roadblocks, but it’s opportunities to reinforce our systems, strategies and our defenses. To fully grasp their potential and for a more detailed understanding of all critical controls, you can find the rest of this series alongside a complete breakdown on our website.

Hey,

It’s Kyle from Arch CyPro’s risk engineering team back again, continuing our breakdown of the eight critical controls for cyber resilience. Cybersecurity considerations that ensure your organization has all around cyber defenses and make you more attractive to insure. In the first part of our miniseries, we outline the proactive controls, measures that are taken in advance to prevent cyber threats. Now, we’re moving to focus on our analytical controls, the vigilant eyes, and ears of your cyber defenses. Firstly, we have critical control number four, email security. Consider it the gatekeeper of your communication channels, equipped to detect, and neutralize malicious emails. By employing advanced filtering and detection mechanisms, it defends against phishing attempts and other malicious, email borne threats. Number five is endpoint detection and response. Each device connected to your network is a potential access point for an attacker. This system constantly monitors each endpoint, detects potential threats, and takes immediate action to neutralize them, thereby safeguarding your network. And control number six, a twenty-four by seven security operations center is the ever-watchful eye of your cyber defenses; operating around the clock to ensure swift detection and response to any potential threats. It’s a full-scale operation, always on the lookout for abnormalities that could signal an attack.

Let’s imagine another scenario, your organization is faced with an email compromise attempt. An unknown external sender shoots out a seemingly innocent email to several of your employees. It carries a dangerous payload or clickbait link that could potentially open access to sensitive data. Your email security steps up as the unsung hero marking and isolating the suspicious email even before it reaches your employees’ inboxes. Meanwhile, the endpoint detection and response solution is on high alert monitoring the situation. It detects unusual activity from a few devices where the email has slipped through and stops the malware from executing, preventing the attack from being successful. Simultaneously, the 24/7 security operations center, your round the clock radar, observes these fluctuations in the system. They investigate the matter, confirm the threat, and quickly direct the response teams to contain the attack and recover the affected systems. In this well-orchestrated response, every analytical control plays its part to protect your organization from the threats. At Arch CyPro, we believe in a solution first mindset. We see these threats not as roadblocks, but as opportunities to reinforce our systems, strategies, and our defenses. To fully grasp their potential and for a more detailed understanding of all eight critical controls, you can find the rest of this series alongside a complete breakdown on our website.

Kyle, from Arch CyPro’s risk engineering team here. Wrapping up on our eight critical controls miniseries. The cybersecurity considerations that ensure your organization has all around cyber defenses and make you more attractive to insure. So far, we’ve covered proactive controls, measures that are taken in advance to prevent cyber threats. And analytical controls, the vigilant eyes in the ears of your cyber defenses. Our focus now is on responsive controls, the rapid action plan to employ during a cyber-attack. First up, critical control number seven, plans and policies. These aren’t just a set of documents; they are your organization’s cyber playbook. They lay out the procedures to follow during a crisis, ensuring that every member of your team knows their roles and responsibilities when an attack happens. It’s about swift and decisive action to limit damage and begin recovering. And number eight, the final control, third party risk management. Think of this as your safeguard when extending your cybersecurity chain. It ensures that partners and vendors meet your security standards, preventing them from becoming the weak links that attackers can exploit.

Now let’s consider a final scenario. A ransomware attack is unleashed on a third-party vendor. Stealthy malware infiltrates their systems, gradually encrypting crucial files and they’re hit with a ransom note, pay up or lose your data. However, your organization is prepared for this contingency. On receiving the news, you immediately initiate your third-party ransomware playbook. The IT team springs into action, severing all network connections to the affected vendor, preventing potential malware propagation to your systems. They commence a thorough investigation of your network for any indicators of compromise. Because of your robust third-party risk management, you’re confident in your vendor’s ability to handle this crisis. You’ve thoroughly vetted them, audited their cybersecurity postures, and ensured that they have a robust backup and recovery strategy. Plus, you’re aware that all sensitive data they hold is encrypted, providing an additional layer of security. This scenario underlines the importance of effective preparation and response strategies. Your third-party risk management coupled with proactive and situation-specific plans and policies, work in unison to protect your organization. Even when facing a crisis with a partner, your controls helped to contain the impact, safeguard your systems, and maintain business continuity.

Through this series, we’ve traversed the landscape of cybersecurity from being proactive in security measures, through remaining vigilant through our analytics and responsive in the case of a potential crisis. We’ve outlined the vital cybersecurity measures that create an all-around defense, minimizing the risk forever. And it’s this solution first mindset that ensures fast and accurate insurance coverage with Arch CyPro. To recap and assess your organization’s defenses against our eight critical controls, and insure your business with Arch CyPro, visit our website.