The increase in remote working during and after the pandemic has greatly increased cyber vulnerabilities. Speaking recently on the BBC’s Today programme, Nikesh Arora, CEO of Palo Alto, discussed how people in business can work from anywhere.
“This brings up the challenge that your company is now in every employee’s home, he said. “I can attack the network in that home and potentially get access to your company.”
This, says Arora, means that the attack surface for attacks has exploded. During the early days of the pandemic, hackers tried the techniques they previously used when attacking enterprise systems, to target homes. But now, cyber attacks are increasingly becoming weaponised and hackers are using attacks to make money, he says.
Globally, the average cost of a serious breach was $3.9m in 2019 and it is going up, says Carl Nightingale, cyber security expert at PA Consulting. Given the outlook that more damaging and costly attacks are on the rise, Nightingale urges IT security leaders to look seriously at investing in cyber insurance.
But he warns: “Cyber criminals are exploiting organisations’ uncertainty about cyber security, realising they can tailor attacks to the risk appetites of their targets. In an increasingly popular type of ransomware attack, the criminals research their victims to assess how amenable they might be to paying. These criminals know that if the targets see their demands as more affordable and less disruptive than restoring systems, then they will often prefer to pay the ransom.”
Cyber risk management
When approaching cyber insurance, Paddy Francis, CTO at Airbus CyberSecurity, recommends that IT security chiefs first identify what it is that needs to be protected. What are the organisation’s valuable data assets and what systems or services, if impacted by an attack, could severely damage the business? The next step is to take these into account, assessing the costs involved if there is an attack. These could include:
- The cost of responding to the attack itself, either internal, or external service provider costs, media and social media management, etc.
- Legal and regulatory costs (such as notification to the ICO and affected third parties).
- Cost of loss of access to systems or data, in particular from a ransomware attack. Including loss of production.
- Third-party claims – loss of personal data, third-party financial losses, damages for late deliveries, inability to deliver services, etc.
- Customer claims if your products or services that have been infected with malware are part of a supply chain attack.
- Reputational damage and other intangible costs that may not be covered.
This should help to identify what any policy should cover and also provide an estimate of the level of cover that may be needed.
Earlier this year, analyst Forrester looked at the rising cost of cyber security insurance for its Top cybersecurity threats for 2022 report. The report’s authors note that cyber insurance does not substitute for proper security controls.
“The sharp increase in ransomware attacks in 2019 and the long-tail fallout from multiple software supply chain incidents in 2021 led firms to buy or increase their cyber insurance coverage,” the report’s authors warned. “Ironically, it also made them a more attractive target for attackers.”
Subsequently, cyber insurance firms upped their underwriting processes and ramped up scrutiny of policy holders and applicants. According to Forrester, this led to a 25% average increase in premiums and some insurance removed coverage for specific attacks.
In the report, the Forrester analysts say this illustrates what security leaders have long known but senior executives and boards are just now learning – without a risk mitigation strategy and investment in security programme maturity, relying on cyber insurance alone is a threat to the organisation.
But according to Nightingale, only 11% of UK businesses have adequate cyber insurance. In his experience, a lack of clarity about cyber insurance is a key concern among IT security chiefs. He says that due to the relative immaturity of the market, “premiums are often inconsistent, expensive and vague about the extent of cover,” adding: “This has made it difficult for CISOs to trust cyber insurance to pay out in the event of a breach or to be sure they are meeting the insurer’s auditing requirements.”
Cyber security maturity
For Nightingale, one of the biggest challenges for IT security chiefs is how to quantify cyber risk. IT security leaders tend to overestimate their cyber maturity and underestimate cyber insurance premiums, he says. “When the insurer recommends ways to make cover more affordable, the disruption and investment can be unpalatable,” he adds.
Organisations may also need to comply with certain IT security regulations, such as the Cyber Insurance Framework issued by New York State Department of Financial Services, if such frameworks become part of underwriting criteria, says Forrester.
Although approaches and frameworks such as NIST CSF, CIS 20, NCSC Cyber Essentials and ISO 270001 help to develop cyber security capabilities, as Nightingales notes, such frameworks don’t provide the tools to quantify the risk.
And while an organisation may choose to pay off a cyber attacker, Nightingale says: “The ethics of negotiating with criminals are questionable, and the business impacts will be substantial. It’s only a matter of time before regulators, private equity firms and shareholders start to call out such tactics.”
Forrester recommends that IT security professionals use the attention on cyber insurance as an opportunity to push for security initiatives aligned both to ransomware protection and new underwriting requirements, and present both as top risks to the organisation.
Referring to recommendations on the National Cyber Security Centre (NCSC) website, Mike Gillespie, vice-president of the C3i Centre for Strategic Cyberspace and Security Science (CSCSS), says that the onus is on the CISO to make sure the organisation’s cyber security procedures are accurate, up to date and effective. He says this may include a range of technical, physical, procedural and human controls that need to be in place before looking for a cyber insurance policy.
“Once you are confident in the effectiveness of your controls and feel sure that they provide you with the right level of cyber resilience, then you can look for a cyber insurance policy,” he says.
There are also new developments in the cyber insurance market that are designed to help organisations take a better approach to cyber security and avoid the need to pay ransomware attackers. Some of the leading cyber insurance providers are offering innovative cyber insurance options, says Nightingale, which tailor the insurance cover to the organisation’s individual needs by bringing in cyber security experts to assess cyber maturity.
But, as Nightingale points out, many organisations may be reluctant to let a company with a product to sell run such a large-scale investigation into their inner workings. “That’s when it can be helpful to have an independent review of your internal risks,” he says.
According to Nightingale, such a review can help organisations meet the audit and compliance requirements of insurance policies. It also helps them to focus on the key areas where they need to seek assurance. One of the areas where assurance is needed is around process, which, he says, means understanding the risks in IT operational policies, processes and controls, and making sure roles and responsibilities are well defined.
Finally, backup and recovery are the building blocks of a sound IT security strategy and are key requirements of cyber insurance. CISOs will also need to ensure their organisation has an effective backup management and recovery procedures from operational failures. Nightingale says: “This should include managing the particular risks around maintenance and support by controlling changes introduced to the IT infrastructure and application landscapes.”
Backup and recovery procedures should be reinforced by security controls, he says. There also needs to be a complete set of policies and procedures that support the information integrity objectives of the organisation. Such a policy should include processes to control the adding, change or removal of user access and manage data access requirements and regular review of that access.
At the same time, Nightingale urges security leaders to assess the risk to critical data at the operating system level and check physical security measures.