informa
/
Risk
Commentary

Get Ahead of the Hack: Why Cyber Insurance Is Not Enough

Cybersecurity insurance is a smart investment to protect against the effects of ransomware and other attacks, but it shouldn't be your primary defense.

Recently, ransomware attacks that shut down a major oil pipeline and a major meat producer caused the affected firms to pay more than $5 million and $11 million, respectively, to regain control over their operations.

To avoid suffering the same fate, many organizations are taking a hard look at their cybersecurity strategies (or lack thereof) and opting to add or increase their ransomware insurance coverage to hedge against the risk of cyberattacks.

While the reasoning behind this decision is understandable, ransomware insurance on its own is not a productive approach to the security challenges faced by almost every industry vertical. Think about it: when organizations rely on giving in to bad actors and ransomware policies that pay out vs. investing in strengthening the security of their environment, attackers are emboldened, and the target on insured organizations grows larger.

Insurance is only a palliative approach to reducing cyber-risk. While insurance is important, it doesn't help an organization secure its IT infrastructure to proactively prevent attacks in the first place. In fact, one recent study revealed that companies that held cyber-insurance policies had a 260% increase in ransomware attacks.

Instead, organizations need a two-pronged strategy: 1) begin with investing in tools that enable you to take a proactive stance in hardening your infrastructure, and 2) insure your company.

So, what do I mean by hardening infrastructure? Simply put, it is all about attending to the basic best practices of endpoint management and good cyber hygiene — making sure all systems are patched and configured correctly at all times. Every CIO and IT operator knows that keeping up with these practices reduces their target surface and the likelihood of a breach. Then why do breaches continue to rise?

The dirty secret is that few CIOs know what infrastructure they have out in the wild, let alone whether it is hardened from attack. And even if they have the visibility, few have the manpower to sustain it. So, for some, their best option is to insure themselves against the threat.

The Hidden Risk in Cyber Insurance: Failure to Maintain
Often referred to as the negligence or "failure to follow" exclusion, some carriers contain an exclusion within their policy that precludes coverage for claims arising from the insured's failure to maintain minimum or adequate security standards. Here is an example of one exclusion clause:

"Failure to ensure that the computer system is reasonably protected by security practices and systems maintenance procedures that are equal or greater to those disclosed in the proposal."

Yes, probably time to check your policy for exclusions like this.

Instead of signing up for a lifetime of ever-increasing ransomware insurance premiums and remaining exposed to attackers in perpetuity, you'll be much better off diversifying your security investments. Strategies will vary based upon your company, resources, and what is in place today. If you're not sure where to start, here are some best practices to get you going in the right direction.

Find (and Fix) Your Vulnerabilities Before the Hackers Do
Unpatched or misconfigured operating systems on an endpoint such as a server, desktop or laptop computer, workstation, mobile device, etc., are often the most exploited weaknesses in a cyberattack. A recent report from WhiteHat Security found that the average time for an organization to fix critical vulnerabilities has increased from 197 days to 205 days. Most breaches are weaponized within seven days, so we have to start using this as our benchmark for remediation.

That is a massive window of opportunity for an attacker. If an organization can proactively identify and fix these vulnerabilities, it becomes much harder to attack. It's best to select a platform that automates patch management tasks and to follow a 24/72 threshold for endpoint hardening, which means remediating zero-day vulnerabilities within 24 hours and critical vulnerabilities in 72 hours.

Invest In Tooling and Platforms That Give Your ITOps Team a Competitive AdvantageWhat about all the tools and platforms your company has already invested in? One of the main challenges for IT today is that they have a lot of tools — not all of them effective, fast, or able to communicate with other tools, including those that the security side of the house is using. By ensuring that your ITOps and SecOps teams are able to work together, it becomes that much more difficult for adversaries to find their way into your environment.

Speed is also one of your greatest competitive advantages in protecting against cyberattacks. The best way to do that is through cloud-native automated tools. It's no secret that by automating manual processes and tasks, IT teams remediate vulnerabilities up to 30 times faster, more efficiently, and with higher accuracy. Trading legacy, on-premises solutions for cloud-native automated ones will allow your IT teams to streamline workflows and minimize the organization's risk and exposure, which ultimately delivers better security outcomes for the business.

The Bottom Line
Ransomware is the single fastest route to monetization for hackers, and it's not going away anytime soon. In fact, all signs point to ransomware attacks becoming more commonplace, with the average cost of ransomware attacks increasing more than 300% in 2020.

If you're thinking about (or already paying) lots of money for ransomware insurance as your sole solution to an attack, it's time to rethink your approach. By investing in your cybersecurity strategy and tools — instead of relying on an expensive insurance policy that may not even pay out in the end — you'll make real progress toward safeguarding your organization by reducing your target surface and making it harder to attack in the first place.

Recommended Reading:
Editors' Choice
Kirsten Powell, Senior Manager for Security & Risk Management at Adobe
Joshua Goldfarb, Director of Product Management at F5