Here’s a sign that ransomware and other shenanigans aren’t going anywhere: getting cybersecurity insurance is much harder. And that applies regardless of the size of your business.
When insurance professionals get involved, you can be quite sure of a couple of things. One is that they understand risk very well. The other is that they will only underwrite risks where there is a better than reasonable prospect of profit. After all, without this approach, insurers wouldn’t be profitable, nor would their businesses be sustainable.
I’ve written on cyber insurance previously, essentially endorsing it as a pretty good idea for any and every organisation. The justification is simple: everyone is a target, and cybersecurity insurance is a great safety net on the one hand, and a preventative measure on the other.
Safety net because if it does go pear-shaped and you’re hacked, you’ve got an organised response in your corner. Preventative measure because those underwriters will assess your environment carefully before taking on the risk. Essentially, they’ll tell you ‘straight’ if you’re excessively exposed, and you won’t get the cover you want. This provides an excellent opportunity to tighten up the areas the prospective insurer says are lacking, and so reduce the risk your organisation faces.
We recently hosted a webinar with a couple of our vendor representatives (Silverfort and SentinelOne – we combine their software in our solutions, and the vendors themselves work together on threat detection and prevention) along with a representative from a major insurer.
One of the overriding impressions was that while their lines of business are quite different, insurers and cybersecurity vendors are singing from the same song sheet.
This is almost comforting for those of us in cybersecurity. There’s always a sense of being a ‘doom and gloom’ merchant, but the only reason we’re like this is that the risks are real, prevalent, and present. We must keep our guard up at all times, and we exhort you to do the same. Anything less would be a dereliction.
Anyway, the insurer’s representative is a cyber risk consultant, and straight out of the gate he said that rising cybercrime and high claim rates amid a ransomware surge mean all underwriters are cautious and selective about whom they take on as a client. Assessing risk is challenging for insurers, and when the cybersecurity consultants get involved, they often don’t like what they see.
Which raises the question: what is it that they see and don’t like? Simply put, the feedback is that many organisations lack robust security measures. The response from insurers is that the application process becomes more stringent (proposal forms for cyber insurance were once single pagers; they now generally run to around 20 pages) and the number of businesses insured falls.
Specifically, the insurer’s representative cited insufficient controls such as Privileged Access Management. This means that when a hacker gets in, they’re able to move laterally through the organisation, often starting with a low-level compromised account which turns out to hold the keys to the entire kingdom.
Other issues include weak or absent Endpoint Detection and Response, leaving personal devices as a weak spot, and absent or weak Data Loss Prevention controls.
The big lesson is that these are among the major shortcomings insurers are watching for in your security settings. They’re watching for these shortcomings for a singular, simple reason: this is how most of the failures they’re paying out for happened.
The good news is that a lot of this stuff is procedural. It isn’t difficult to do, but it must be done. And it must be done consistently and properly.
That’s why a regular security review is so essential. You need to know that your organisation is secure all the time, with appropriately implemented and configured security settings across all your people, and across all your applications and services. We’ve been saying it for ages – and for the best of good reasons, the insurance folks are saying it too.