Cyberattacks are essentially a phenomenon of our time. In mid-May, the Road and Motorway Directorate of the Czech Republic was attacked, and from that time, the website dopravniinfo.cz did not function for a long time. A month earlier, Prague Airport managed to successfully ward off cyberattacks due to the top level of airport security, according to Milan Špaček, the board member responsible for cyber security.

But it is not only state institutions that are being attacked. Private companies, too. For both sectors, the specialists of Grant Thornton Advisory are a suitable partner, both for the formalization of processes and procedures, resulting in the preparation of strategic and operational documents, as well as for the implementation of penetration tests to detect threats to the company’s information systems, but also for supervision and quality assurance in the processing of documentation by external suppliers and administrators of information systems, or during a complete implementation of a new information system. The team of IT and process experts will also ensure compliance with legislation (ISO/IEC 27000 for information security management, GDPR or the Cybersecurity Act, etc.). 
One way to reduce the impact of cyber threats is to enter into cyber risk insurance. The insurance usually covers the risk of liability of the insured for data, personal data of third parties or damage that happens directly to the affected company, for example costs of restoring the systems.

A prerequisite for entering into such insurance is the completion of a questionnaire divided into several parts. The applicant fills in the object of the company’s business, what applications it works with, how many computers are used at the company, whether the company has its own servers and has a website. 

Another part of the questionnaire focuses on risk management and security of access to information. The questions relate, for example, to the processing of the information security policy. This is the most significant document that sets out how the company intends to address risks in relation to the security of its information. The policy describes why the company intends to address the issue, the goals it wants to achieve, and the framework procedures for countering threats and protecting its information assets. Specific procedures and processes in relation to the policy-defined areas are then described in separate documents, some of which are outlined below.

In relation to information access security, in addition to e.g. two-factor user authentication or centralized administration and monitoring, emphasis is placed on the development of Business Continuity and Disaster Recovery plans. It is a description of the assets (e.g. data, systems, servers, etc.) that need to be protected and a description of how to recover them in case of unavailability, loss, damage. This information can help an organization determine what is important to its operations.

Based on the completed questionnaire, the insurance company will offer the client a specific tailored insurance policy in relation to the level of both the formal treatment of the mentioned areas and the practical application of security procedures and practices.

Author: Jakub Šebek