by joe_the_user 1763 days ago
What kind of standards could you create?

Some thoughts:

1) Certain infrastructure should be off the net automatically - pipelines, water treatment plants and similar things (or online with hardware-guaranteed one-way connections).

2) Standards for testing backups.

3) Standards for IoT devices (a million insecure Internet light bulbs, what could possibly go wrong).

4) Standards for not having a hundred companies auto-updating onto the systems of critical infrastructure companies.

1 comment

The great thing about insurance is that we don't just get to create baselines our policyholders must adhere to, we also get to enforce them. A perfect example of this is that anyone who has a policy with us must have RDP behind VPN / whitelisted only to specific IPs. I spent years trying for free to convince orgs to do this and was ignored; here we convince all our policyholders to do it, and every day more and more companies as we onboard them.

For backups, not only do they need to have them, they need to be tested, kept offline and encrypted - this doesn't apply to all; it's split by revenue bands/industry/mix of other logic.

IoT devices - they get notified in Control if we find any on the internet and told to not have them directly exposed.

The same thing we do with RDP we also do with any critical vulnerability: we notify customers in Control (for example, all of the latest Exchange vulns).
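Both comments above treat "backups must be tested" as a standard, but neither says what a test looks like. The script below is an added example, not code from the thread or from any insurer's Control platform: it writes a SHA-256 manifest into a tar.gz backup at creation time, then "tests" the backup the only way that counts, by restoring it into a scratch directory and comparing every file against the manifest. The sample tree, file names and archive path are constructed for the demonstration. It checks restorability and integrity only; the thread's other two requirements (offline storage, encryption) are outside what a restore test can prove.

```python
"""Added example (not from the thread): a minimal "is the backup restorable?"
check. A SHA-256 manifest is embedded in the archive at backup time; the test
restores the archive into a throwaway directory and compares every file with
that manifest, reporting missing and corrupt entries. All paths and sample
files below are constructed for the demonstration."""
import hashlib
import io
import json
import tarfile
import tempfile
from pathlib import Path

MANIFEST_NAME = "MANIFEST.json"


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large backups never sit in RAM at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def create_backup(source: Path, archive: Path) -> dict:
    """Tar.gz the tree under `source` and embed a manifest of per-file hashes."""
    manifest = {
        p.relative_to(source).as_posix(): sha256_of(p)
        for p in sorted(source.rglob("*")) if p.is_file()
    }
    with tarfile.open(archive, "w:gz") as tar:
        for rel in manifest:
            tar.add(source / rel, arcname=rel)
        data = json.dumps(manifest, sort_keys=True).encode()
        info = tarfile.TarInfo(MANIFEST_NAME)
        info.size = len(data)
        tar.addfile(info, io.BytesIO(data))
    return manifest


def compare_tree(root: Path, manifest: dict) -> tuple:
    """Return (missing, corrupt): relative paths under `root` that fail the manifest."""
    missing, corrupt = [], []
    for rel, expected in sorted(manifest.items()):
        p = root / rel
        if not p.is_file():
            missing.append(rel)
        elif sha256_of(p) != expected:
            corrupt.append(rel)
    return missing, corrupt


def verify_backup(archive: Path) -> dict:
    """Restore into a scratch directory and check the result against the manifest."""
    with tempfile.TemporaryDirectory() as tmp:
        dest = Path(tmp)
        with tarfile.open(archive, "r:gz") as tar:
            try:
                # The "data" filter (Python 3.12+, backported to late 3.8-3.11)
                # rejects absolute paths and path traversal inside the archive.
                tar.extractall(dest, filter="data")
            except TypeError:
                tar.extractall(dest)  # older interpreters have no filter argument
        manifest_path = dest / MANIFEST_NAME
        if not manifest_path.is_file():
            return {"ok": False, "error": "no manifest in archive",
                    "missing": [], "corrupt": [], "checked": 0}
        manifest = json.loads(manifest_path.read_text())
        missing, corrupt = compare_tree(dest, manifest)
    return {"ok": not missing and not corrupt, "missing": missing,
            "corrupt": corrupt, "checked": len(manifest)}


def demo() -> dict:
    """Build a constructed sample tree, back it up, verify it, then tamper with the live copy."""
    with tempfile.TemporaryDirectory() as tmp:
        work = Path(tmp)
        src = work / "data"
        (src / "sub").mkdir(parents=True)
        (src / "a.txt").write_bytes(b"hello")                  # constructed sample file
        (src / "sub" / "b.bin").write_bytes(bytes(range(256)))  # constructed sample file
        archive = work / "backup.tgz"
        manifest = create_backup(src, archive)
        fresh = verify_backup(archive)
        # Simulate silent corruption and loss on the live tree; the manifest catches both.
        (src / "a.txt").write_bytes(b"HELLO")
        (src / "sub" / "b.bin").unlink()
        missing, corrupt = compare_tree(src, manifest)
    return {"fresh": fresh, "missing": missing, "corrupt": corrupt}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running the file prints the fresh-restore result (`ok: true`, two files checked) followed by the tampered comparison, which lists `sub/b.bin` as missing and `a.txt` as corrupt. In a real schedule the `verify_backup` step is the one to run against a copy pulled back from the offline store, so the test exercises the same media a recovery would.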