Business Edge 67

Page 4

business matters

June/July 2022 business edge

Cyber Security insurance: things have changed

We’ve had many, many conversations of late around this subject, with the consensus being that insurance companies now want a bucket-load more information at renewal.

Robert Morgan Founder, Factory Internet Ltd

Why? Ransomware. It is highlighted several times and in much more detail than before, requiring answers that are much more technical in nature. The insurers’ approach of ‘insuring anyone’ but littering the policy with caveats has given them invaluable data about breaches. When an organisation has been breached, the insurer has a front-row seat to the incident response and can gather a great deal of data on which defences actually reduce risk. Insurers now have a detailed view of which factors indicate better or worse cyber health, which means the process of getting insured has changed dramatically. With this data, insurers can assess risk more competently and make better-informed decisions about a particular company’s level of risk and likelihood of being attacked, based on its cyber practices.

Our advice

With more sophisticated tooling and detection evasion, attacks are becoming more common and more aggressive, particularly ransomware attacks. These are ultimately the attacks that insurers are most worried about. Organisations always suffer when the availability of information is compromised, and ransomware does exactly that, making it difficult, expensive or impossible (or all three) to get information back. When dealing with business information and data, there are three important aspects to consider:


Confidentiality – Who has access to the information?
Integrity – Is the information assured and unmodified?
Availability – Is the information readily available to those who need it?

Ransomware typically targets the availability of information, which is often immediately impactful: people will notice if something isn’t available, and the longer it is unavailable, the more likely they are to look to other sources for that information. The confidentiality and integrity of information shouldn’t be underestimated either. Whilst changes to them are less obvious than a loss of availability, both can have a major impact on the validity of information or data. Attacks on any of these three aspects scare insurance companies.

Questions to ask insurers

1. How will the insurer protect these answers, who exactly has access to this information, and what else can it be used for?
2. If a vulnerability scan is performed, how will they protect that assessment, and who has access to its results?
3. How does the insurer protect the sensitive security posture information they now hold on many different clients?
4. Has the insurer paid out claims where the answers were the same as or worse than ours, in the same geographic/legal region? Will they also confirm this in writing, i.e. not just a verbal ‘yes’?

Ultimately, cyber insurance should be a policy that pays out and gives a level of comfort should the worst happen. However, like any form of insurance, prevention is better than the alternative.

Considerations to limit the blast radius of ransomware attacks

Email/Proxy Scanning/Monitoring – The majority of attacks come from email or web browsing sources.
Architectural controls and segregation of systems.

Endpoint Protection – Good EDR/XDR style endpoint protection can be worth its weight in gold.
Endpoint Lockdown – Even with the best EDR, locking down endpoints is crucial.
Pull not push backups – Backups should be “pulled” by the backup system rather than “pushed” to it by the systems being backed up, so that a compromised system holds no credential that reaches the backups.
Enclave systems – If older/riskier applications are required, or features like macros are required, use a terminal server type approach, heavily segregate that system and put appropriate monitoring around it.
Network Segregation – Try to design systems so that the internet via your VPN or via the office Wi-Fi is essentially just a good internet connection. Move to a zero-trust model and don’t assume that because a device is on the network it should have permission to move about freely.
Cloud Security – If you’re using cloud services, remember that hardening/security is almost two-fold.
Standards – There are some good standards out there. ISO 27001 used to be a good standard to aim for, and in many respects it still is. From an actual impact perspective, though, we’d recommend getting Cyber Essentials certified as a starting point.

Some of these tips may sound simple, and people will often mention getting the basics right. The reality is that even getting the basics to a good level, and keeping them at that level, is difficult and shouldn’t be underestimated. Frameworks such as Cyber Essentials are also hard to get right, especially in older and larger organisations. It is important, however, to invest time, expertise and effort in adopting these frameworks, or at least the parts that make sense for your workloads/organisation, not just as a security measure but as general IT practice.

Sources:
Cyber Security Insurance – Things are changing… – Factory Internet
Cyber insurance | Business Insurance | ABI
Cyber insurance costs up by a third (computerweekly.com)

www.sussexchamberofcommerce.co.uk
tel: 01444 259 259
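The “pull not push backups” consideration above is easiest to see in configuration. What follows is an added illustration, not configuration from the article or from Factory Internet: the backup server holds the only SSH key in the chain, and the file server restricts that key to read-only rsync via rrsync (the restricted-rsync wrapper shipped with rsync), so an attacker with full control of the file server finds no credential that reaches the backups. The host names, paths, user name, key and the /usr/bin/rrsync location are assumptions for the example.

```text
# --- On the FILE SERVER (the host being backed up): ~backup/.ssh/authorized_keys ---
# The backup server's public key may only run rrsync read-only against /srv/data:
# no shell, no port or agent forwarding, no other command ("restrict" needs OpenSSH 7.2+).
# This host holds no key for the backup server, so it cannot reach the backups at all.
restrict,command="/usr/bin/rrsync -ro /srv/data" ssh-ed25519 AAAA...backup-server-key

# --- On the BACKUP SERVER: /usr/local/bin/pull-backup.sh, run from cron as the backup user ---
# The private key lives only here. Each run pulls into a new dated snapshot, hard-linking
# files unchanged since the previous snapshot (--link-dest), so a source tree that ransomware
# has encrypted simply becomes a new snapshot and never overwrites the earlier good copies.
# With "rrsync -ro /srv/data" on the far side, the remote path "/" maps to /srv/data.
#!/bin/sh
set -eu
base=/backups/fileserver
today=$(date +%F)
rsync -a --delete --link-dest="$base/latest" backup@fileserver.example.internal:/ "$base/$today/"
ln -sfn "$base/$today" "$base/latest"

# crontab entry on the backup server (02:00 daily):
0 2 * * * /usr/local/bin/pull-backup.sh
```

The point is the direction of trust: the only credential involved points from the backup server into the file server, and it is read-only. Treat the backup server itself as one of the heavily segregated, monitored enclave systems described above rather than as just another member of the office network.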
