Why incident response and insurance must learn to be bedfellows

Dominic Trott, UK Product Manager, Orange Cyberdefense, tells us why maintaining a good understanding of your security posture is paramount, as well as the factors which contribute to a defence-in-depth approach to cybersecurity – an approach he refers to as one that offers ‘the most effective protection against cyberattacks’.

The history books will no doubt record the period between late 2019 and today as one in which the world has been dominated by the pandemic. However, the past two years have also been overshadowed by a significant increase in a threat that is impacting businesses and consumers across the globe: cyberattacks.

On a seemingly daily basis there is news of yet another high-profile security incident. The motives and tactics of these attacks may vary, but they all result in significant disruption for the victim, often impacting stakeholders outside the boundaries of the organisation, including customers, partners and suppliers.

Research by Orange Cyberdefense shows that the number of cyberattacks targeting businesses increased by 13% between 2020 and 2021, with manufacturing, professional services and retail hit the hardest. Accounting for 38% of the total, malware – malicious software designed to cause disruption – has become the number one incident type.

The trend has continued to evolve in the first months of 2022, with the Russia-Ukraine conflict having a knock-on impact on the threats facing organisations globally. The UK National Cyber Security Centre (NCSC) advised that, following Russia’s ‘unprovoked, premeditated attack on Ukraine’, organisations should bolster their online defences. It pointed to a historical pattern of cyberattacks against Ukraine and noted that ‘HermeticWiper’, a wiper malware used against Ukrainian organisations, also has the potential to impact firms outside of the country.

Insuring against the risk

The growing cyberthreat landscape has led to the corresponding growth of a benevolent counter-industry – cyber insurance – as cybersecurity experts have invested more and more time and money to stay ahead of the curve.

According to a recent survey by Fortinet, ransomware attacks increased nearly 11-fold between July 2020 and June 2021. A large proportion (72%) of respondents said they have a cyber ransom insurance policy in place and 49% stated they would pay a ransom outright. The average ransom paid by mid-sized organisations was US$170,000.

In a typical ransomware attack, malicious hackers encrypt data and withhold access to it until a ransom has been paid. For those that have ransomware insurance, the insurer often pays the ransom and compensation for business downtime and data recovery. Among organisations insured against ransomware that pay a ransom to get their data back, it is the insurance company that pays 94% of the time.

One key challenge for today’s security value chain is the fact that, unfortunately, cyber-insurers and cybersecurity incident response teams (CSIRTs) are fighting over the same budget from customers. Thankfully the market has moved on from the situation five to 10 years ago when some less mature organisations would include security tools and services more generally in the same budget category.

This improvement has been driven by an increasingly prescriptive approach from cyber-insurers as to the baseline security controls they expect to see in place before they are willing to provide coverage. The fact remains that cyber insurance and incident response functions should both be perceived as stakeholders in a team that needs to work together. One is needed to assess, manage and prevent cybersecurity-related emergencies, as well as coordinate the incident response efforts after an event has taken place. The other is needed to seek financial compensation after the event has finished and once the damage can be properly assessed.

Mind the gap

As the cyber insurance market matures and hardens following a surge in losses, CSIRTs can potentially fill the gaps in cases where businesses are left exposed in their preparedness.

With many cyber-insurers starting to see their costs rise in line with the intensifying threat landscape, they are rightfully looking at means by which they can start to bring these costs back under control. Among other tactics, there are three key themes to this approach: to better quantify their customers’ levels of risk; to become more specific in terms of the security tools and services policy holders are expected to adopt in order to qualify for coverage; and to become more specific in terms of what does and does not fall under coverage of their policies.

The huge rise in prices for cyber insurance is a wake-up call for all sections of the industry to work together better. As partner stakeholders in the cyber insurance ecosystem, both cyber-insurers and CSIRTs are dependent on each other and should be working together to achieve a mutually beneficial balance.

Cybersecurity should be at the forefront of priorities for all chief executives, regardless of whether they have separate cyber insurance policies to mitigate their losses. Whatever their specific circumstances, senior figures within every organisation should remember the following:

  • Presume you will be hit by ransomware and shore up your defences accordingly.
  • Take a life cycle approach to managing and protecting your data, from identification and classification, through to backup and eventually ‘end of life’.
  • Malicious actors look for vulnerabilities and gaps in privileges. Take a proactive and layered ‘defence-in-depth’ approach to block them at as many points as possible.
  • As simple as it may seem, security awareness training is one of the key actions that can help drive good hygiene behaviour around, for example, malicious links.
  • Make sure systems are regularly updated and security solutions adequately configured.
  • Security testing should be done on new applications and penetration testing completed at least annually.
  • Any new project should be thoroughly checked for security flaws.
  • It is vital to keep up to date on current security threats, so you know what to look out for.

Whether or not you choose to be supported by an insurance company, maintaining a good understanding of your security posture is paramount. As well as classic perimeter controls (such as network and endpoint security), organisations should consider approaches such as: visibility into the flaws across their attack surface (audit, pen test); insight into contextually relevant threats (threat intelligence); security of their cloud environments and applications; a solid approach to identity and access management; and, last but not least, the training and awareness of their employees.

These measures can support a defence-in-depth approach to security, which remains the most effective protection against cyberattacks and will help to keep any damage to a minimum.
