During the pandemic, threat actors capitalized on cyber insurance policies to hold businesses for ransom, collect payouts and, in some cases, threaten lives. Insurance coverage often makes it possible to pay hackers large sums of money to free seized networks. Unfortunately, these funds do more than just reward hackers; they also support and encourage additional attacks.
Cybercriminals have sought to rapidly evolve their tactics to capitalize on vulnerabilities created by the proliferation of work-from-home devices. This includes exploiting known passwords on circulating lists to gain direct access to corporate networks, traversing unintended connectivity between previously separated networks, and leveraging distracted workforces to improve social engineering campaigns.
Unfortunately, the issue has reached a tipping point. Now, some insurance providers have begun to reduce ransomware insurance payouts, while others have upped the criteria for businesses looking to get coverage. Furthermore, insurers are now actively requesting that businesses confirm their security posture rather than accepting an passive assurance from an applicant to verify they have sufficient cybersecurity protection.
Easy payouts promote ransomware attacks
Although cyber insurance was intended to lessen the financial strain brought on by cyber threats, these fast and simple ransom payments have boosted the incentives for threat actors, paving the way for a new wave of financially motivated attacks.
In addition to incentives, cyber insurance’s prominent role in risk management has created a questionable level of complacency within organizations. This pattern of ransom payments and payouts has become unsustainable and will exacerbate the issue. As a result, cyber insurance providers will likely follow the lead of healthcare insurers and impose numerous limitations, co-pays, and deductibles. Businesses and consumers may potentially suffer enormous losses when insurers impose caps or stop coverage altogether.
Why organizations need proactive security
The “insurance is cheaper than protection” mindset must change. Instead of relying on cyber insurance coverage as a mitigating factor of a breach, organizations should seek to develop a proactive approach to their cybersecurity strategy for more robust protection.
Over one-third of respondents to our recent study claimed that cyber insurance was a suitable solution on its own. We believe it’s a false assumption because insurance policies don’t cover businesses for lost revenue, which amounts to $1.59 million on average for every data breach, not to mention the brand impact and possible regulatory fines.
To shift this narrative, organizations must abandon reactive security, which focuses on resolving breaches only after they occur. Proactively working to minimize the impact of breaches altogether is the future of security. Here are three ways leaders can implement a cybersecurity transformation:
- Recognize the transition to a new cybersecurity playbook as an iterative process. Identify the company’s existing cybersecurity maturity level. Once the team makes an assessment, it can then create a practical road map.
- Determine whether the security team can succeed. Has the company established procedures, roles, and functions with clear definitions that align with industry best practices? Does the company have the data it needs to make strategic changes and tactical advancements?
- Understand that only a small number of organizations operate at the optimal, final maturity level. Think of an optimized maturity level as a stage of cybersecurity management where the company can continuously assess its security posture against the attack surface using a risk-based approach. It’s a journey with lots of twists and turns, so it’s important to persevere.
Evaluate the effectiveness of an organization's cybersecurity processes, controls, and compliance programs proactively and regularly. Put into place a companywide standard method to optimize security planning, implementation, and remediation procedures to lower exposure risk. Robust cyber hygiene and proactive security posture management techniques help protect against cyberattacks, while also ensuring that cyber insurance policyholders can continue to be eligible for coverage in a world that is only getting riskier.
In today’s digital age, companies need to get rid of outdated reactive behaviors. Proactive security measures are the only universal option to safeguard against substantial impacts from ransomware. Taking security measures before an attack occurs costs much less than assessing a company’s security program after the fact when the damage costs are mounting.
Proactive security reduces the likelihood of successful attacks and will deprive threat actors of the money they look to secure. Organizations can use proactive security planning to find a balance between security expenditures and reasonably priced insurance rates. Companies can significantly lower the chance of new ransomware attacks occurring if financial incentives to initiate attacks are eliminated.
Terry Olaes, senior technical director, Skybox Security
