Sashnee Singh, Cybersecurity Leader, Marsh Africa
As cyberattacks and related claims have skyrocketed, insurers are taking a much more cautious stance — tightening their underwriting controls, carefully scrutinizing all cyber insurance applications, and asking more questions than ever before about applicants’ cyber operating environment.
Cyberattacks continue to increase, fueled by more sophisticated and persistent attackers. Ransomware attacks have increased by a staggering 148%, and multimillion-dollar ransom payment demands are no longer a rarity. And unlike in past years, when certain industries such as healthcare were more likely to be targeted, companies in all sectors are now at risk.
Controls are key
Even companies with no cyber claims history face an arduous renewal process, and those that don’t satisfy insurers’ expectations often face the prospect of non-renewal or are unable to get their preferred coverage, with limitations becoming more common especially in relation to ransomware.
Insurers are focusing on the controls that organisations have in place to become cyber resilient. While these controls have been established best practices for several years, some organisations are still struggling to adopt them — most haven’t been able to justify the cost, or didn’t understand or see the need for these controls. Although cyber resilience controls were previously required in regulated industries, they were often more about checking a box than enhancing security.
However, with their insurability, and potentially also their financial stability, at stake, organisations must adopt controls that mitigate ransomware risks and improve their cybersecurity posture and resilience.
Five Controls To Adopt Now
Organisations should prioritise the following five cyber-hygiene controls to ensure insurability, mitigation, and resilience:
Multifactor authentication (MFA)
Hackers can break user passwords, even strong passwords — especially when users reuse passwords across multiple sites, which often happens. Organisations should bolster their security through MFA, which requires at least two pieces of evidence (factors) to prove the user’s identity. Usually, the two factors are something you know and something you own.
The second factor can be a time-sensitive PIN code delivered through an authenticator app or via text message, adding another protective layer on top of the user’s password. Although no cybersecurity tool is perfect, MFA provides a substantial barrier to entry.
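To make the “time-sensitive PIN code delivered through an app” concrete, the following is an added example (not code from the article or from Marsh) of how a server verifies such a code. It implements the standard TOTP construction (RFC 6238 on top of RFC 4226 HOTP): the app and the server share a secret, each derives a 6-digit code from HMAC-SHA1 over the current 30-second time step, and the server accepts a code only if it matches within a small clock-drift window. The secret below is the RFC test-vector secret, used here only so the expected codes are known; `last_used_counter` is an assumed persistence hook so that a code, once accepted, cannot be replayed.

```python
import base64
import hashlib
import hmac
import struct
from typing import Optional

# Constructed for the example: the RFC 4226/6238 test secret "12345678901234567890", base32-encoded.
DEMO_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)  # restore any stripped base32 padding
    key = base64.b32decode(padded)
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at_time: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current 30-second time step."""
    return hotp(secret_b32, int(at_time) // step, digits)


def verify_totp(secret_b32: str, candidate: str, at_time: float,
                last_used_counter: int = -1, window: int = 1,
                step: int = 30, digits: int = 6) -> Optional[int]:
    """Server-side check. Returns the matching time-step counter, or None.

    - window=1 tolerates one step of clock drift in either direction.
    - Counters at or below last_used_counter are refused, so the caller should persist
      the returned counter and pass it back next time: an intercepted code is then
      useless once it has been accepted once (replay protection).
    - compare_digest keeps the comparison constant-time.
    """
    base = int(at_time) // step
    for drift in range(-window, window + 1):
        counter = base + drift
        if counter <= last_used_counter:
            continue
        if hmac.compare_digest(hotp(secret_b32, counter, digits), candidate):
            return counter
    return None


if __name__ == "__main__":
    now = 59  # constructed timestamp from the RFC test vectors
    code = totp(DEMO_SECRET_B32, now)
    print("app shows:", code)
    print("accepted at t=59:", verify_totp(DEMO_SECRET_B32, code, now))
    print("same code replayed:", verify_totp(DEMO_SECRET_B32, code, now, last_used_counter=1))
```

The replay rule matters in practice: a code phished or intercepted from an SMS is still valid for the rest of its 30-second step plus the drift window, and refusing already-used counters closes that gap for the one-time codes themselves.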
Endpoint detection and response (EDR)
It is important for companies to have up-to-date information about the security posture of any devices employees use to receive corporate information, whether it is a laptop, desktop, or mobile device. Widely available software gathers critical information, such as the location of the device, the last time it was updated, current software version, and any attempts to download new software. EDR offers continuous monitoring and more advanced detection and automated response capabilities. The monitoring software will watch for any suspicious or irregular activities. EDR also facilitates rapid incident response across an organisation’s environment.
Secured, encrypted, and tested backups
Increased ransomware activity underscores the need for organisations to have a robust backup strategy for their critical data and applications. Backup intervals will depend on how often the data changes, but most organisations run periodic full backups on a weekly basis or multiple times per month, along with regular incremental backups daily or every few days.
Backups should be encrypted. It is a best practice to logically separate backups from the network to ensure they are not easily accessible to any threat actors. Immutable backups, which lock previous versions of your backup to prevent them from being altered or deleted, offer a similar layer of security. The IT/IS department should establish a data restoration testing schedule during which backups are restored to ensure that they are working as intended.
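The restoration test described above is the step most often skipped, so here is an added example (not code from the article or from Marsh) of what a minimal scheduled restore test can check. At backup time it records a SHA-256 manifest of every file; at test time it restores into a scratch directory and compares each restored file against the manifest, so that a backup object that was silently corrupted, tampered with, or deleted is reported before it is needed in an incident. The directory layout and file contents are constructed for the example; encryption and off-network storage of the backup set are assumed to be handled by the backup platform and are outside this snippet.

```python
import hashlib
import json
import shutil
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def take_backup(src: Path, dest: Path) -> dict:
    """Copy every file under src into dest and record its hash in dest/manifest.json."""
    manifest = {}
    for p in sorted(src.rglob("*")):
        if p.is_file():
            rel = p.relative_to(src).as_posix()
            target = dest / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(p, target)
            manifest[rel] = sha256_of(p)
    (dest / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest


def restore_and_verify(backup: Path, restore_to: Path) -> dict:
    """Restore a backup set into restore_to and verify each file against the manifest.

    The returned report lists files that restored cleanly, files whose content no longer
    matches the hash taken at backup time, and files missing from the backup set.
    """
    manifest = json.loads((backup / "manifest.json").read_text())
    report = {"ok": [], "corrupted": [], "missing": []}
    for rel, expected in manifest.items():
        source = backup / rel
        if not source.is_file():
            report["missing"].append(rel)
            continue
        target = restore_to / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(source, target)
        if sha256_of(target) == expected:
            report["ok"].append(rel)
        else:
            report["corrupted"].append(rel)
    report["passed"] = not report["corrupted"] and not report["missing"]
    return report


def demo() -> tuple:
    """Constructed scenario: a clean restore passes; a tampered and a deleted backup object are caught."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        src, bak = root / "data", root / "backup"
        src.mkdir()
        (src / "ledger.csv").write_text("id,amount\n1,100\n")
        (src / "docs").mkdir()
        (src / "docs" / "policy.txt").write_text("retain 7 years\n")
        take_backup(src, bak)
        clean = restore_and_verify(bak, root / "restore1")
        (bak / "ledger.csv").write_bytes(b"\x00" * 16)   # simulate silent corruption or tampering
        (bak / "docs" / "policy.txt").unlink()           # simulate a deleted backup object
        tampered = restore_and_verify(bak, root / "restore2")
        return clean, tampered


if __name__ == "__main__":
    clean_report, tampered_report = demo()
    print("clean restore passed:", clean_report["passed"])
    print("tampered restore:", json.dumps(tampered_report, indent=2))
```

Run on a schedule, a failing report is the signal that a backup would not have saved you; storing the manifest somewhere the backup platform cannot overwrite (or on immutable storage, as the text recommends) is what stops an attacker who reaches the backups from also rewriting the hashes.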
Privileged access management (PAM)
Users should be required to use higher-security login credentials to access administrator or privileged accounts. Special users, such as IT, network, or database administrators, should only be allowed to carry out specific tasks through their privileged access. Users with privileged or administrator accounts should be required to log out of their privileged accounts to conduct any non-privileged tasks. That means that a system administrator who logged in through their privileged account to change security settings should log out after that task is completed and be required to use ‘standard user’ credentials to check email or browse the web, even if these are work-related tasks. Many organisations implement privileged access management solutions to automate privileged credential management and session management.
Email filtering and web security
Email and web browsing platforms are riddled with pitfalls and need to be controlled to prevent threat actors from gaining an initial foothold in your network. Email filtering seeks to identify any messages that include links or attachments. Advanced systems will screen links and attachments to identify any potential malware or other malicious content.
Flagged attachments can be opened in a “sandbox” to be thoroughly checked for malware. Organisations should block access to any web pages that are deemed inappropriate and those that may contain malware. These security controls should be active at all times, whether a user is working at the office or remotely, to prevent exposure to websites where bad actors may be seeking to take advantage of unsuspecting web browsing activity.
In a more difficult insurance market, having the necessary controls in place can help you achieve your risk transfer goals. The right cyber hygiene controls will provide organisations with a higher level of security, a better ability to identify threats, and, ideally, allow you to recover more quickly from an attack.