Inexpensive measures working in tandem with your insurance policy can save your organization from a crippling cyber incident

When it comes to cyber security incidents, describing the fallout can be abstract and hard to quantify. The damage varies across industries and organizations, since each has a unique risk profile that shapes its losses and recovery. Yet one thing is certain: a cyber attack can cause significant damage to a business, damage that may even threaten its very existence.

With that in mind, take a moment to consider whether your organization could survive this scenario:

  • Approximately 6 weeks of hard downtime, with an additional 2 months required for full recovery
  • $1 million paid in ransom, with another $500,000 in direct recovery costs
  • Significant loss of market confidence after customers filed multiple lawsuits
  • Unknown costs due to legal liability and loss of further business

This was the case for an organization in 2022, a technology company with over $100 million in yearly revenue. After a ransomware attack, the company lost over 250 terabytes of data and spent millions of dollars on recovery in the attack's aftermath. Without an insurance policy, the company could have shut down entirely.

The tragedy is how easily this incident could have been avoided. The company could have prevented the attack entirely had it effectively deployed common security controls. While no single solution can stop every cyber attack an organization may face, implementing basic cyber security measures is a straightforward step that all organizations can take to help prevent scenarios like the one above.

Here are some of the simple yet effective security controls that can markedly improve an organization's security posture:

Multi-Factor Authentication

The incident from the example above started with a phishing email that led an employee to enter their legitimate credentials in a fraudulent password manager login window. Had this organization been using multi-factor authentication (MFA) for those credentials, it would have helped prevent the attack in one of two ways:  

  1. The attacker would have been stopped because they did not possess the means to obtain the other factor needed for a successful login.
  2. The attempt at obtaining a second factor would have signaled that someone was attempting to infiltrate the organization’s system. 

At-Bay's claims data shows that 8% of attacks leverage stolen credentials for intrusion. Attackers then use these credentials to move laterally through a network without being detected. While every organization will implement MFA differently based on its specific needs, existing infrastructure, and security requirements, MFA provides an extra layer of security that significantly reduces the risk of unauthorized access and compromise.

There are different kinds of MFA, and any use of MFA is better than none. Some of the different versions of MFA are:

  • Hardware tokens: Physical devices used as a second factor; they generate and display one-time passwords or connect to a computer via a USB port.
  • Software tokens: Similar to hardware tokens, software tokens are virtual, typically generated and stored on a mobile device or computer. They can be used in conjunction with a password or PIN for authentication.
  • Smart cards: A combination of hardware and software, smart cards are credit-card-sized plastic cards embedded with a computer chip. They securely store authentication data and can be used for physical or digital access control as an authentication factor.
  • Biometrics: This type of authentication relies on unique biological characteristics of the user, such as fingerprints, retina or iris scans, facial recognition, or voice recognition.

A Plan for Patching

If cyber criminals can't trick your staff into handing over their credentials, they are going to try to poke holes in your software. At-Bay has found that 12% of attacks exploited a software vulnerability for intrusion.[1] However, your organization can plug these holes by developing a patching strategy that goes into action as vulnerabilities become public.

When cyber criminals leverage these vulnerabilities, they move fast. Security professionals begin to see attacks targeting specific software vulnerabilities within hours of a proof-of-concept exploit becoming available. Developing and executing a patching plan allows your organization to prioritize and schedule patches and updates so that security vulnerabilities are addressed systematically and promptly. It also helps maintain system robustness and efficiency, which are critical for smooth business operations. Creating such a plan can be challenging without the right expertise, so partnering with an InsurSec provider can help develop a plan tailored to your organization's needs.

Rein in Remote Access

One way cyber criminals access an organization's IT system is through remote desktop applications. At-Bay found that 24% of attacks use a remote access tool for intrusion.[2] Attackers use widely available and legitimate remote access tools (such as Microsoft Remote Desktop, TeamViewer, and Splashtop) to maintain uninterrupted access. A key reason criminals leverage this technology is that legitimate remote access tools do not trigger alerts from endpoint protection tools unless they are specifically blacklisted.

An organization should put strict policies in place to mitigate any unauthorized use of these tools. Access to remote desktops should be governed by the principle of least privilege, which means individuals should have only the level of access necessary to complete their work — nothing more, nothing less. An additional layer of security can be added by requiring secure, MFA-enabled VPN connections for remote desktop users.
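One way to make such a policy enforceable is to audit endpoint process-start telemetry against an allowlist. The following is an added example, not code from the article or from At-Bay: it runs over constructed sample events and flags the remote access tools the article names whenever they are launched by an account, or from a path, that an assumed policy does not sanction. The allowlist, install paths, accounts, hosts and events are all assumptions.

```python
import re
from collections import namedtuple

# Constructed sample process-start events (timestamp host user image); not real telemetry.
SAMPLE_EVENTS = """\
2024-03-01T08:02:11Z ws-fin-03 jdoe C:\\Windows\\System32\\mstsc.exe
2024-03-01T08:05:40Z ws-fin-03 jdoe C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE
2024-03-01T22:14:09Z ws-hr-07 svc_backup C:\\Users\\Public\\TeamViewer.exe
2024-03-01T22:15:55Z srv-mail-01 admin.rt C:\\Program Files\\Splashtop\\Splashtop Remote\\SRService.exe
2024-03-02T09:30:00Z ws-it-01 it.ops C:\\Program Files\\Splashtop\\Splashtop Remote\\SRService.exe
"""

# Assumed allowlist (hypothetical policy): which accounts may run each remote access tool
# and where its sanctioned install lives. Anything else is treated as unsanctioned use.
APPROVED = {
    "mstsc.exe": {"users": {"jdoe", "it.ops"}, "path_prefix": "c:\\windows\\system32\\"},
    "teamviewer.exe": {"users": {"it.ops"}, "path_prefix": "c:\\program files\\teamviewer\\"},
    "srservice.exe": {"users": {"it.ops"}, "path_prefix": "c:\\program files\\splashtop\\"},
}

EVENT_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<user>\S+) (?P<image>.+)$")
Finding = namedtuple("Finding", "ts host user image reason")

def audit_remote_access(text):
    """Return one Finding per policy violation found in the event text."""
    findings = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        name = ev["image"].rsplit("\\", 1)[-1].lower()
        policy = APPROVED.get(name)
        if policy is None:
            continue  # not a tracked remote access tool; nothing to decide here
        if ev["user"] not in policy["users"]:
            findings.append(Finding(ev["ts"], ev["host"], ev["user"], ev["image"], "account not approved for this tool"))
        if not ev["image"].lower().startswith(policy["path_prefix"]):
            findings.append(Finding(ev["ts"], ev["host"], ev["user"], ev["image"], "binary outside sanctioned install path"))
    return findings

if __name__ == "__main__":
    for f in audit_remote_access(SAMPLE_EVENTS):
        print(f"{f.ts} {f.host} {f.user}: {f.reason} ({f.image})")
```

On the sample data the TeamViewer launch from a user-writable folder by a service account yields two findings and the Splashtop launch on the mail server by an unapproved account yields one; the sanctioned launches produce nothing.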

Backups, but Better

While creating backups of your organization's data should be a standard security practice, it's not one where you can just "set it and forget it." Ransomware groups deliberately target backups to ensure that victims can't easily recover their data. This escalates the attack's severity, making it far more debilitating and stressful, which strengthens the attackers' leverage during ransom negotiations.

While approximately 90% of At-Bay policyholders report having backups, only 22% were able to recover from incidents successfully by using that data.[3] Backups should not only be part of an organization's security strategy; continuous maintenance and continuity measures are needed to ensure the data can actually be used in the event of an attack.

To minimize the risk of falling victim to such attacks, it's important to follow best practices for data backup:

  • Maintain at least three copies of your data.
  • Store these backups on two different types of media (USB drive, network-attached storage, magnetic tape).
  • Ensure one of these backups is off-site or stored in the cloud.
  • Regularly test backup and restoration procedures to ensure they work.
  • Ensure backup systems are not permanently connected to the devices or networks they are backing up.
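To turn these rules into something that can be checked on a schedule rather than assumed, here is an added example (not from the article or At-Bay) that evaluates a constructed backup inventory against the list above: copy count, media diversity, an off-site copy, a recent successful test restore for every copy, and at least one copy that is not permanently connected. The BackupCopy fields, the 90-day test-restore window and the inventory itself are assumptions.

```python
from datetime import date
from typing import NamedTuple, Optional

class BackupCopy(NamedTuple):
    label: str
    media: str                          # e.g. "nas", "tape", "usb", "cloud"
    offsite: bool                       # held at another site, or in the cloud
    always_connected: bool              # permanently reachable from the production network
    last_restore_test: Optional[date]   # last successful test restore; None if never tested

def evaluate_backups(copies, today, max_test_age_days=90):
    """Return the list of policy violations; an empty list means the inventory passes."""
    problems = []
    if len(copies) < 3:
        problems.append(f"only {len(copies)} copies; at least three are required")
    if len({c.media for c in copies}) < 2:
        problems.append("all copies share one media type; at least two are required")
    if not any(c.offsite for c in copies):
        problems.append("no off-site or cloud copy")
    if all(c.always_connected for c in copies):
        problems.append("every copy is permanently connected; none is out of an intruder's reach")
    for c in copies:
        if c.last_restore_test is None:
            problems.append(f"{c.label}: restore has never been tested")
        elif (today - c.last_restore_test).days > max_test_age_days:
            problems.append(f"{c.label}: last restore test is older than {max_test_age_days} days")
    return problems

# Constructed inventory (assumption): three copies on three media, two off-site, one isolated,
# but one restore never tested and another tested too long ago.
SAMPLE_INVENTORY = [
    BackupCopy("nas-nightly", "nas", False, True, date(2024, 1, 15)),
    BackupCopy("cloud-weekly", "cloud", True, True, None),
    BackupCopy("tape-monthly", "tape", True, False, date(2023, 9, 1)),
]
AS_OF = date(2024, 3, 1)  # the "today" used when evaluating the sample inventory

if __name__ == "__main__":
    for problem in evaluate_backups(SAMPLE_INVENTORY, AS_OF):
        print("FAIL:", problem)
```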

Be on heightened alert with on-prem

Small and medium-sized businesses (SMBs) often run a good portion of their IT stack on-premises (physically located within their own facilities rather than hosted on a cloud platform), particularly email.

These "on-prem" services paint a big target on your organization, as attackers gravitate toward internet-connected servers that they know house highly sensitive data. At-Bay's claims data shows that ~41% of attacks used a malicious email as their method of intrusion, and on-prem email solutions have a 2.5X higher rate of claims compared to the leading cloud email solution.

Protecting on-premises infrastructure involves a multi-layered approach. It's not just about defending against external threats, but also about preparing to respond and recover quickly in the event of a breach. If your organization must rely on on-premises infrastructure, it should consider the following security measures:

  • Network Segmentation: Divide your network into smaller parts, which limits an attacker's ability to move laterally within your network.
  • Endpoint Security: Protect all endpoints (computers, mobile devices etc.) with appropriate security tools, such as endpoint detection and response (EDR) or managed detection and response (MDR) solutions.
  • Firewalls and IDS/IPS: Use firewalls to block unauthorized access to your network, and Intrusion Detection Systems (IDS) or Intrusion Prevention Systems (IPS) to detect or prevent attacks on your network.
  • Patch Management: Regularly apply patches and updates to all software and hardware components (see “A Plan for Patching” above).

Keep it Simple…

Each device connected to (and each individual using) your network, no matter how insignificant, could be a potential weak point for cyber threats. This reinforces the importance of widespread and ongoing cyber hygiene practices.

While a cyber insurance policy should be a key part of your overall security strategy, it should not be viewed as a "get out of jail free" card. Investing in best practices can save your organization significant expenses in the long run by raising the bar for malicious actors and minimizing the impact a cyber attack could have on your organization's operations.


[1] Source: At-Bay claims data
[2] Ibid.
[3] Ibid.

Meet the Author

Larry Crocker, At-Bay

Larry Crocker is the Head of Digital Forensics and Incident Response for At-Bay, responsible for pre- and post-breach remediation, digital forensics investigations, and insider threat and threat hunting services. Crocker has a wealth of experience in cyber, having previously worked as the VP of Incident Response, Counter Extortion, and Threat Intelligence at Kivu Consulting, and as the Global Director of Incident Response at Dell SecureWorks. Prior to this, Crocker worked in law enforcement investigating internet crimes against children and electronic crimes.