
Cybersecurity Should Focus on Managing Risk

Preventing all data breaches is an unrealistic goal. Instead, focus on finding and minimizing the greatest risks.

There is a common misconception that all problems have clear, straightforward solutions — as long as you look hard enough. While this is a bold and ambitious goal, it's misguided when applied to cybersecurity.

Organizations cannot prevent data breaches or cyberattacks altogether, and avoiding a breach or cyber incident is nearly impossible in the modern era. Organizations can, however, take steps to reduce an attack's negative impacts.

Before I joined Coalition, I was similarly under the impression that cybersecurity companies should be focused on thwarting attacks. But I have found that companies — especially in the cyber insurance space — are more aptly concentrated on managing risk and creating the right incentives for themselves and their clients to get to an acceptable level of risk.

Why? Eradicating risk is an impractical goal because you cannot "solve" something that constantly changes. Instead, cyber insurers are in the business of helping companies avoid having to file a claim by managing their digital risk.

To Understand Where Claims Come From, Think Like an Attacker

Threat actors are, first and foremost, opportunistic. They will always look for the easiest targets to maximize their financial gain. So intimately understanding an organization's level of risk is the first step to managing and reducing it — and making yourself less of a target.

Coalition compiles risk assessment data by analyzing complex public data sets, threat intelligence, and proprietary claims information. For the third year in a row, we gave that data to Verizon, which incorporated it into its most recent "Data Breach Investigations Report" (DBIR). Verizon identified the four methods threat actors most frequently use to compromise organizations large and small: credential compromise, phishing, vulnerability exploitation, and botnets.

These findings were consistent with our most recent "Cyber Claims Report Mid-year Update," which further found that phishing accounted for 57.9% of reported cyber insurance claims — a 32% increase over 2021. The report also found that ransomware attacks continued an upward trend, with an almost 13% increase in 2022. This increase was nearly as big as the previous five years of attacks combined.

The DBIR also reported that 40% of ransomware incidents involved the use of desktop-sharing software, and 35% involved email. Because initial access is split across two very different vectors, ransomware is incredibly hard to anticipate.

These findings were once again consistent with Coalition's data. We have observed that ransomware demands continue to hover around an average of $1 million — a high price for any size organization to pay. And these attacks are becoming increasingly complex and harder to prevent.

Ultimately, understanding this complex threat landscape is the first step to being informed and aware of your organization's risk — knowledge that empowers more effective risk management.

Take Steps to Manage Risk

Not every organization can afford a dedicated security or IT team or sophisticated cybersecurity technologies, but any organization can implement an appropriate incident response plan and apply an offensive security mindset to mitigate overall risk.

For example, hosting security training can increase positive cybersecurity behaviors among employees, such as developing strong passwords. Implementing multifactor authentication (MFA) and having a backup solution — even that hard drive you take home at the end of each day is better than nothing! — can help reduce risk. Increasing basic email security can also help minimize credential compromise, phishing, and botnet attacks.

Finally, taking the time to map out a system's top vulnerabilities gives organizations a macro view of where in their networks they are most at risk and where to prioritize patching, all with the aim of reducing the likelihood of exploitation by attackers. Some would argue that gaining total visibility into a digital infrastructure is the simplest — and smartest — way for an organization to manage and reduce its risk.
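The patch-prioritization step above is where "manage risk" becomes concrete: the question is not which finding has the highest severity score, but which one an opportunistic attacker is most likely to reach and which asset hurts most if they do. The following is an added illustration, not Coalition's or Verizon's tooling. It ranks a constructed inventory by a risk score that scales CVSS severity by internet exposure, known in-the-wild exploitation, and asset criticality; the weights and the CVE-style identifiers are assumptions made up for the example.

```python
"""Risk-based patch prioritization over a constructed asset/vulnerability inventory.

Added example: the scoring weights below are assumptions chosen to illustrate
the idea, not an industry standard, and the CVE-style identifiers are placeholders.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    asset: str
    cve: str                  # placeholder identifier, constructed for this example
    cvss: float               # base severity score, 0.0 to 10.0
    internet_facing: bool     # reachable from the internet without VPN/auth
    exploited_in_wild: bool   # e.g. listed in a known-exploited-vulnerability catalogue
    asset_criticality: int    # 1 (disposable) .. 5 (crown jewel), assigned by the owner


def risk_score(f: Finding) -> float:
    """Combine severity with exposure, exploitation evidence and business impact.

    Assumed weighting: internet exposure x1.5, known exploitation x2, and the
    result is scaled by criticality/5 so an isolated lab box cannot outrank a
    domain controller on CVSS alone. Capped at 100 to keep scores comparable.
    """
    score = f.cvss
    if f.internet_facing:
        score *= 1.5
    if f.exploited_in_wild:
        score *= 2.0
    score *= f.asset_criticality / 5
    return round(min(score, 100.0), 2)


def prioritize(findings):
    """Highest risk first; ties broken deterministically by asset and id."""
    return sorted(findings, key=lambda f: (-risk_score(f), f.asset, f.cve))


def patch_plan(findings, budget):
    """Return the top-N findings to fix first when only `budget` patches fit this cycle."""
    return [(f.asset, f.cve, risk_score(f)) for f in prioritize(findings)[:budget]]


# Constructed sample inventory. Note dev-vm-17 carries the highest CVSS but is
# isolated and low-value, so it should land at the bottom of the plan.
INVENTORY = [
    Finding("vpn-gw-01", "CVE-0000-0001", 9.8, True, True, 5),
    Finding("hr-web-02", "CVE-0000-0002", 7.5, True, False, 3),
    Finding("dev-vm-17", "CVE-0000-0003", 9.9, False, False, 1),
    Finding("dc-01", "CVE-0000-0004", 8.8, False, True, 5),
    Finding("kiosk-03", "CVE-0000-0005", 5.3, True, False, 2),
]


if __name__ == "__main__":
    for asset, cve, score in patch_plan(INVENTORY, budget=3):
        print(f"{score:6.2f}  {asset:<12} {cve}")
```

Running the block prints the three findings to patch this cycle: the exposed, actively exploited VPN gateway first, then the domain controller, then the HR web server. The 9.9-severity development VM ranks last, which is the point of the exercise: raw severity alone would have sent the patch team to the wrong machine.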

Where Cyber Insurance Comes Into Play

Cyber insurers can serve as risk management partners for organizations that need help knowing where to start. They can help these organizations improve their defenses today to reduce negative impacts tomorrow.

Traditional insurance — like that offered for vehicles, natural disasters, and healthcare — maps risk based on predicting the future and evaluating potential costs. But cybersecurity will never be predictable. This is why cyber insurance will never be (and should never be) a one-size-fits-all approach. Organizations cannot simply checkbox their way to a stronger security posture.

Cyber insurance is more than just a fail-safe for when things go wrong. It should work with an organization to improve overall risk exposure. Yes, insurance can absolutely help businesses in dire times, but insurers should focus on assisting companies to avoid disasters in the first place.

Cyber insurance, and all efforts focused on improving cybersecurity defenses, should be ever-evolving. "Solving" dynamic digital risk is a journey, not a destination. In the end, it's about managing and reducing risk, not preventing it altogether.