Cyber Security Insurance – Things are changing…
Over the last month, I’ve had several conversations that have all sounded eerily familiar and all have involved the renewal of cyber security insurance.
The conversations have involved firms from completely different backgrounds, revenue bands and technology types, yet all of them have had a very similar outcome. When going to renew or obtain cyber insurance, the insurers wanted a bucketload more information before agreeing to insure against any risk.
The key difference is that ransomware is highlighted several times and in much more detail than before, and the answers required are much more technical in nature than they used to be.
Just a few years ago, cyber security insurance was essentially a snake oil product: very few companies who suffered attacks seemed to get paid out at all. Typically, when applying for insurance, you’d fill in a few forms with a broker, they’d pass them to a panel of insurers and away you went, safe in the knowledge that should the worst happen, a policy would give some level of comfort in the situation you’re in.
The approach insurers took (insure anyone, but litter the policy with caveats) has given them invaluable data about breaches. When one of these organisations has been breached, the insurer has had a front row seat to the incident response and has gathered a great deal of data on which defences actually reduce risk.
To get the level of risk right, the insurers had to see into incidents. They had to understand what made life easier for attackers, and which methods made it easier or more difficult for an attacker to move deeper into the organisation and get to other systems.
To get that insight, I felt that the insurance companies would initially happily insure without too many questions. Then, when a client had an attack, organising a pay-out meant they needed to know the ins and outs of the compromise. If it was particularly interesting, they might send teams in that reported back to them. Over enough incidents, this started to give them a good view of which factors indicate better or worse cyber health.
Gaining insurance, however, has changed quite dramatically. Insurers have this data now and can assess risk more competently. They have a better body of evidence on which to make an informed decision about whether your business is likely to be the victim of a cyber-attack.
At this point, if you need cyber insurance, it’s best to answer the questions as honestly as possible. If you’re “borderline” on a particular answer, go with the worse option: if that item is even loosely related to what causes a breach, an over-optimistic answer will put you in a trickier place when a claim is made.
Our advice, however, is to use the forms as another sanity check on your environment. If you’re struggling to meet the standards the questions describe, there’s a good chance that, should the worst happen, you’ll suffer a relatively significant breach. If the breach is ransomware based, the consequences may be even more severe.
To make matters worse, even in well-secured environments, attacks are becoming more prevalent and more complex. Attackers have a mountain of tooling available to them, including sophisticated tools that evade detection, with which to carry out ransomware attacks. If a firm isn’t aware that an attacker has gained access, the intrusion can spread through the organisation and eventually lead to all data being encrypted with keys only the attacker holds.
These attacks are becoming more common and much more aggressive, and we’re seeing their frequency increase. These, ultimately, are the ones insurers are paranoid about.
In information security, the three properties of information (the CIA triad*) don’t carry equal weight when it comes down to it. Organisations always have issues when the availability of information is compromised, and ransomware does exactly that: it makes it very tricky to get information back.
*Confidentiality – Who has access to the information
Integrity – Is the information assured and unmodified
Availability – Is the information available to those who need it
Ultimately, ransomware heavily targets the availability of information, and this scares insurance companies. The first two properties are hugely important and shouldn’t be underestimated, but if information isn’t available, people immediately notice. The longer it’s unavailable, the more likely they are to look for other sources of that information. If your business depends on that information to function, the longer the issue goes on, the more likely your customers are to seek alternative suppliers.
With all that in mind, we’d always suggest asking the insurers a few questions to ensure they’re doing what they can to protect your information, and to gain an idea of whether they’ll pay out. Ensure the answers are returned in writing by a named contact. Questions like those below, and how the insurer responds to them, should certainly be considered.
- How will the insurer protect the answers to this form, exactly who has access to this information, and what else can it be used for?
- If a vulnerability scan is performed, how will they protect that assessment and who has access to it?
- How does the insurer protect the sensitive information it now holds on many different clients’ security postures?
- Has the insurer paid out claims where the answers were the same as or worse than ours, in the same geographic/legal region? Will they also confirm this in writing, i.e., not just a verbal ‘yes’?
Ultimately, cyber insurance should be a policy that pays out and gives a level of comfort should the worst happen. Like any form of insurance, however, prevention is better than the alternative. Even with insurance, a pay-out and the expertise that arrives with it, it can take weeks to months to get certain systems back online.
So, an alternative approach, and one which we see paying dividends time and time again is using architectural controls and segregation of systems. The purpose of this? Ultimately to contain the blast radius of a ransomware attack, or any other attack for that matter.
Things to consider when looking at concepts and ideas to limit the blast radius of ransomware attacks:
- Email/Proxy Scanning/Monitoring – The vast majority of the time, attacks arrive via email or web browsing. Scanning content, blocking malicious URLs and blocking unexpected email attachments can all help.
- Endpoint Protection – Good EDR/XDR style endpoint protection can be worth its weight in gold; occasionally it’s overly paranoid, but other times it’ll get you out of trouble. Companies like Elastic (Endgame), SentinelOne and Microsoft (Defender ATP, now Microsoft Defender for Endpoint) have good offerings in this space.
- Endpoint Lockdown – Even with the best EDR, locking down endpoints is crucial. Modern attackers depend on LOLBins (Living off the Land Binaries): standard tools included with the operating system that are normally useful to administrators, which attackers leverage to compromise systems without dropping their own malware. Locking down access to these tools and legacy protocols, and disabling things like macros where possible, will significantly reduce the attack surface of a device.
- Pull not push backups – Backups should be “pulled” to a backup system rather than pushed, i.e., the backup system has network/system access to reach into the network rather than the network pushing to the backup system. That way the production network holds no credentials for the backup system, so if production is compromised it is very difficult for the attacker to reach the backups and destroy them. It’s old, but the 3-2-1 backup rule works well: 3 copies of data, on 2 different media (or clouds!), with at least 1 copy kept offsite, again ideally with no ability to write to it from production.
- Enclave systems – If older/riskier applications are required, or features like macros are required, use a terminal server type approach: heavily segregate that system and put appropriate monitoring around it. This ensures that while you still have a weak point in your architecture, it isn’t the front door. (For example, if 10% of your team need macros, disable them on 100% of endpoints but enable them on a terminal server for that 10% of users.) Heavily limit what that terminal server can talk to and lock it down hard.
- Network Segregation – Try to design systems so that the network reached via your VPN or the office Wi-Fi is essentially just a good internet connection. Move towards a zero-trust model and don’t assume that because a device is on the network it should be able to move about freely.
- Cloud Security – If you’re using cloud services, remember that hardening/security is two-fold. One part should focus on the workloads within the cloud and the second on the security of the cloud tenant itself. This applies to SaaS services too! Remember, services such as AWS have global login pages and APIs that are reachable all the time; if an attacker has credentials for those, they can do damage to your systems very quickly.
- Standards, Standards and Standards – There are some good standards out there. ISO 27001 used to be the standard to aim for, and in many respects it still is. From an actual impact perspective, though, we’d recommend getting Cyber Essentials certified as a starting point. Beyond that, the CPNI frameworks, NIST frameworks, CIS benchmarks and CSA standards will dramatically help increase your overall security posture.
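As a concrete starting point for the “Endpoint Lockdown” item above, here is an added example (it is not from the original post and not a vendor script) that applies two of the controls mentioned: disabling macros in Office documents that arrived from the internet, and enabling Microsoft Defender Attack Surface Reduction rules that break the common LOLBin chains ransomware operators use (Office spawning cmd/PowerShell/wscript, executables launched from mail clients, LSASS credential theft, PsExec/WMI lateral movement). It assumes Windows 10/11 with Microsoft Defender Antivirus as the active AV, Office 2016 or later (the “16.0” policy hive) and an elevated PowerShell session; the list of applications and the choice of rules are the author’s own and should be adapted to your estate.

```powershell
# Added example: endpoint lockdown starting point (not from the original post).
# Assumptions: Windows 10/11, Microsoft Defender AV active, Office 2016+ (16.0 hive),
# run as Administrator. Pilot with 'AuditMode' before switching to 'Enabled'.

# 1. Office macro policy. HKCU is used here for a single user; for a fleet deploy the
#    same values via GPO/Intune. Assumed application list - extend as required.
$officeApps = 'Word', 'Excel', 'PowerPoint'
foreach ($app in $officeApps) {
    $key = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
    New-Item -Path $key -Force | Out-Null
    # 1 = block macros in files that carry the Mark-of-the-Web (downloaded/emailed)
    Set-ItemProperty -Path $key -Name 'blockcontentexecutionfrominternet' -Value 1 -Type DWord
    # VBAWarnings: 3 = disable all macros except digitally signed, 4 = disable all silently.
    # Use 3 here so the "10% who need macros" can still run signed ones on the enclave.
    Set-ItemProperty -Path $key -Name 'VBAWarnings' -Value 3 -Type DWord
}

# 2. Defender ASR rules. GUIDs are Microsoft's published rule IDs; names are for the log.
$asrRules = @{
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Block all Office applications from creating child processes'
    '92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B' = 'Block Win32 API calls from Office macros'
    '75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84' = 'Block Office applications from injecting code into other processes'
    'BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550' = 'Block executable content from email client and webmail'
    '9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2' = 'Block credential stealing from the Windows local security authority subsystem (lsass.exe)'
    'D1E49AAC-8F56-4280-B9BA-993A6D77406C' = 'Block process creations originating from PSExec and WMI commands'
}

# Set to 'AuditMode' for the pilot: rules then only log (Event ID 1122 in the
# Microsoft-Windows-Windows Defender/Operational log) instead of blocking (1121).
# Note: the PsExec/WMI rule is known to conflict with ConfigMgr clients - audit first.
$mode = 'Enabled'

foreach ($id in $asrRules.Keys) {
    # Add-MpPreference appends to the existing rule list rather than replacing it.
    Add-MpPreference -AttackSurfaceReductionRules_Ids $id -AttackSurfaceReductionRules_Actions $mode
    Write-Host ("{0}: {1}" -f $mode, $asrRules[$id])
}

# 3. Verify what is actually applied, so the insurer's form can be answered from evidence.
function Get-AppliedAsrRules {
    $prefs = Get-MpPreference
    for ($i = 0; $i -lt $prefs.AttackSurfaceReductionRules_Ids.Count; $i++) {
        [pscustomobject]@{
            RuleId = $prefs.AttackSurfaceReductionRules_Ids[$i]
            Action = $prefs.AttackSurfaceReductionRules_Actions[$i]   # 0=Disabled 1=Block 2=Audit 6=Warn
            Name   = $asrRules[$prefs.AttackSurfaceReductionRules_Ids[$i].ToUpper()]
        }
    }
}

Get-AppliedAsrRules | Format-Table -AutoSize
```

Roll this out in AuditMode first and review the 1122 events for a couple of weeks; anything legitimate that trips a rule (in our experience usually the PsExec/WMI rule with management tooling) is a candidate for the terminal-server enclave described above rather than for an exclusion on every endpoint.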
Some of these tips sound simple, easy and effective, and people will often talk about getting the basics right. The reality is that even getting the basics to a good level, and keeping them there, is difficult. It shouldn’t be underestimated how hard some of the steps above, and parts of frameworks like Cyber Essentials, are to get right, especially in older and larger organisations.
It is, however, important to invest time, expertise and effort in adopting these frameworks, or at least the parts that make sense for your workloads/organisation, not just as a security thing but as a general IT thing. Working to the standards will always challenge assumptions and push you to improve and innovate your IT services. This ultimately means you’re offering more resilient services to your users and customers, and everyone is better protected from attack.