As ransomware becomes more prevalent and claims increase, securing cyber insurance can be challenging, especially if you’re not working with a specialist cyber broker. As a result, premiums rose sharply before stabilising. We’ve also seen underwriters expecting applicants to demonstrate cyber resilience before policies are offered, much as home insurers expect the front door to have a working lock.
Insurance is priced on ratios based on the probability of an event occurring, and ransomware, sadly, has become a widespread event. So whilst you may consider your organisation entirely on top of things, ransomware is likely already present somewhere in your business. Typically, it will be spotted sitting on a single laptop and cleaned off before it can spread; Osirium estimates that this kind of incident happens in every organisation once a month. If it is missed, however, the ransomware could spread to a cloud drive or SharePoint, for example, and from there to systems across the business.
This explains why insurers are ramping up criteria and requiring evidence that appropriate security controls, measures and monitoring are in place before issuing a policy.
Going without cyber insurance is a choice some businesses make, but I argue that it creates unacceptable risk. The potentially significant impact of this decision is one of the reasons cyber insurance has quickly been elevated from a ‘niche’ product that sits neatly within IT’s remit to a topic that should be discussed around the board table.
Being cyber ‘insurable’ is a whole company effort and responsibility. Implementing a comprehensive, multi-layered security strategy that will protect against an attack and minimise the damage if it happens requires input and commitment from across the organisation.
For those organisations that decide to purchase cyber insurance, the goal should be to get themselves on the right side of the ratio. This means preparing properly for a ransomware attack.
A solid starting point is to provide all users with ongoing education and training that covers the latest threats and teaches them how to spot phishing and other social engineering attempts. But humans are fallible, so education must be bolstered with security measures protecting the most sensitive and valuable data assets and critical IT systems. Identifying these is one of those tasks that must involve the entire business.
These days, cyber criminals are probably more likely to log in than hack in. Attackers are on the prowl for admin credentials that will allow them to install software, access systems remotely, configure customer databases, or change security settings. If they successfully compromise the right individual, they can pivot from that foothold into the wider corporate IT environment.
Cyber insurers are taking their cue from regulators and requiring customers to protect privileged access by managing these powerful accounts. In best practice terms, this means granting users the lowest level of permissions they need to do their work, and only for as long as they need them. But, again, this requires an organisation-wide understanding of who has access to what and whether they really require it.
Secure automation of routine tasks that need local admin rights, such as resetting passwords or removing logins for staff who have left, will further protect systems: the task runs under a controlled process, so no individual needs direct access to the privileged credentials. Cyber insurers may require this, but even without that motivator it is best practice that every organisation should follow.
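The time-boxed, task-scoped access described in the two paragraphs above, as an added example that is not Osirium’s code or product: a small Python broker that holds the only copy of a privileged directory credential, hands operators short-lived grants for allowlisted tasks, and records every decision in an audit log. The fake directory, the credential, the operator names and the 15-minute grant cap are constructed assumptions for the example.

```python
"""Just-in-time privileged task broker (added example, not Osirium code).

Routine admin tasks (reset a password, disable a leaver's login) run through
a broker that holds the only copy of the privileged credential. Operators
receive short-lived, task-scoped grants instead of the credential, and every
request is audited. The directory, secret and operators are constructed;
nothing here talks to a real identity system.
"""
from dataclasses import dataclass
import secrets
import time


class FakeDirectory:
    """Constructed stand-in for AD/LDAP: mutations require the admin secret."""

    def __init__(self, admin_secret: str):
        self._secret = admin_secret
        self.accounts = {
            "alice": {"enabled": True, "password_hash": "h-alice"},
            "bob": {"enabled": True, "password_hash": "h-bob"},
        }

    def _check(self, secret: str, user: str) -> dict:
        if not secrets.compare_digest(secret, self._secret):
            raise PermissionError("bad directory credential")
        if user not in self.accounts:
            raise KeyError(f"unknown account: {user}")
        return self.accounts[user]

    def set_password(self, user: str, password_hash: str, secret: str) -> None:
        self._check(secret, user)["password_hash"] = password_hash

    def disable(self, user: str, secret: str) -> None:
        self._check(secret, user)["enabled"] = False


@dataclass(frozen=True)
class Grant:
    operator: str
    task: str
    expires_at: float


class TaskBroker:
    ALLOWED_TASKS = {"reset_password", "disable_login"}
    MAX_TTL = 15 * 60  # assumed policy: grants never exceed 15 minutes

    def __init__(self, directory, admin_secret: str, clock=time.time):
        self._dir = directory
        self._secret = admin_secret   # the only copy held outside the directory
        self._clock = clock           # injectable so expiry can be tested
        self._grants: dict = {}
        self.audit_log: list = []

    def grant(self, operator: str, task: str, ttl_seconds: int) -> Grant:
        if task not in self.ALLOWED_TASKS:
            self._log("grant", operator, task, None, "denied: task not allowlisted")
            raise PermissionError(f"task not allowlisted: {task}")
        ttl = min(ttl_seconds, self.MAX_TTL)
        g = Grant(operator, task, self._clock() + ttl)
        self._grants[(operator, task)] = g
        self._log("grant", operator, task, None, f"ok ttl={ttl}s")
        return g

    def run(self, operator: str, task: str, target: str) -> dict:
        g = self._grants.get((operator, task))
        if g is None:
            self._log("run", operator, task, target, "denied: no grant")
            raise PermissionError("no grant for this operator/task")
        if self._clock() > g.expires_at:
            del self._grants[(operator, task)]
            self._log("run", operator, task, target, "denied: grant expired")
            raise PermissionError("grant expired")
        try:
            result = self._execute(task, target)
        except KeyError as exc:
            self._log("run", operator, task, target, f"failed: {exc}")
            raise
        self._log("run", operator, task, target, "ok")
        return result

    def _execute(self, task: str, target: str) -> dict:
        # The only place the privileged secret is used; callers never see it.
        if task == "reset_password":
            temp = secrets.token_urlsafe(12)
            self._dir.set_password(target, f"hash({temp})", self._secret)  # stand-in for a real hash
            return {"target": target, "temporary_password": temp}
        self._dir.disable(target, self._secret)
        return {"target": target, "enabled": False}

    def _log(self, action, operator, task, target, outcome):
        self.audit_log.append({"t": self._clock(), "action": action, "operator": operator,
                               "task": task, "target": target, "outcome": outcome})


def demo() -> dict:
    """Walk through denial, grant, use and expiry with a fake clock."""
    now = [1_000.0]
    secret = secrets.token_hex(16)
    directory = FakeDirectory(secret)
    broker = TaskBroker(directory, secret, clock=lambda: now[0])
    outcomes = {}
    try:                                   # no grant yet: denied and audited
        broker.run("helpdesk", "disable_login", "bob")
    except PermissionError as exc:
        outcomes["without_grant"] = str(exc)
    broker.grant("helpdesk", "disable_login", ttl_seconds=300)
    outcomes["disable"] = broker.run("helpdesk", "disable_login", "bob")
    broker.grant("helpdesk", "reset_password", ttl_seconds=300)
    now[0] += 301                          # the grant has lapsed
    try:
        broker.run("helpdesk", "reset_password", "alice")
    except PermissionError as exc:
        outcomes["after_expiry"] = str(exc)
    outcomes["bob_enabled"] = directory.accounts["bob"]["enabled"]
    outcomes["audit_entries"] = len(broker.audit_log)
    return outcomes
```

The point of the structure is that `TaskBroker._execute` is the only code path that touches the privileged secret: an operator on the helpdesk can disable a leaver’s account for five minutes and then loses that ability, and neither the operator nor the audit log ever contains the credential. In a real deployment the fake directory would be replaced by the PAM or directory API, and the audit log would be shipped to the SIEM.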
Protecting the systems that will enable the business to respond rapidly and effectively to an attack is vital to cyber resilience. In Osirium’s ransomware index survey, despite 98% of respondents stating they were aware that backups are targeted in ransomware attacks, only 35% took extra precautions to protect access. Ideally, backup management systems should be subject to multi-factor authentication (MFA) and privileged access management (PAM).
It’s also worth tapping into your insurance provider’s knowledge and experience in breach recovery. Don’t be shy in asking them for guidelines and recommendations around strengthening your recovery plan. This expertise is one of the benefits a good cyber insurance broker will offer.
To avoid being edged out of the cyber insurance market, organisations must treat cyber risk as the core business issue it undoubtedly is. Building the defences that will prevent – or at least delay – a ransomware attack will give you the best chance of qualifying for cover. This requires a cooperative approach directed and coordinated by senior leadership.
By strengthening cyber resilience and working with your insurer and broker to understand the fine print of your policy to ensure you’re covered in all the right places, you’ve got the best possible chance that your policy will pay out, or better still, that it won’t need to.
Andy Harris is the chief technology officer at Osirium. Andy has invented many leading-edge technologies, including several core components in Osirium’s product family. As co-founder and CTO of MIMEsweeper, Andy developed the world’s first content security solution, which became the default product in its space. He then created WebBrick Systems, a pioneering home automation technology and forerunner to IoT.