Cyber insurance creates virtuous security cycle
Not too long ago, many organizations were opting to take out cyber insurance policies to recover any losses from a ransomware attack rather than making the additional investments required to thwart the threat. Now it appears organizations won’t be able to get cyber insurance if they don’t make those investments.
After racking up major losses from cyber insurance claims, carriers now require cybersecurity assessments before either issuing a policy or renewing an existing one. A recent survey conducted by Microsoft and Marsh, a provider of cyber insurance, found that 61% of organizations have already taken out a cyber insurance policy.
While many of those organizations may have a robust set of cybersecurity defenses in place, there are undoubtedly just as many that don’t. The cyber insurance policy that they initially took out to cover any losses due to a ransomware attack is now becoming the vehicle that will drive a lot more organizations to finally improve their cybersecurity posture. In fact, many of the requirements, such as multifactor authentication (MFA), go well beyond the base level of security that organizations might have previously implemented to achieve compliance with one mandate or another.
In effect, the need for cyber insurance is starting to create something akin to a virtuous cycle that will lead to an overall improvement in the state of cybersecurity. That’s critical because one of the inconvenient truths about ransomware is that organizations are too easily compromised. Many of the fundamental processes and basic tools that would have thwarted a routine ransomware attack, such as strong passwords, staying on top of software updates, and ensuring backups are tested, have for one reason or another simply not been put in place.
Most of those organizations have also yet to realize how big a business ransomware has become. The entities that orchestrate these attacks now operate more like a multi-billion-dollar consortium with thousands of employees who receive benefits and paid vacations just as if they were working for a legitimate company. They are now not only methodically studying targets before launching attacks; they also have specific ransom price points in mind before negotiations might ever begin.
Organizations that don’t negotiate are told sensitive data will soon be exposed on the Dark Web. Of course, even after a ransom is paid it’s not uncommon for ransomware gangs to double-dip by either launching another attack or simply demanding more money not to publicly disclose sensitive data. A recent survey of 1,456 cybersecurity professionals published by Cybereason, a provider of an extended detection and response (XDR) platform, finds that only about 22% of the respondents impacted by an attack admitted they paid a ransom to recover data. However, 80% of those organizations were hit by ransomware a second time, with 68% reporting the second attack came less than a month after the first.
It’s clearly going to be a while before the current ransomware scourge subsides. In the meantime, the focus, as always, needs to be on ensuring that the same set of fundamental cybersecurity capabilities is in place, since those capabilities are required both to thwart an attack and to qualify for the cyber insurance that is sorely needed after a breach has been discovered.