Why organisations shouldn’t put all their eggs in the cyber insurance basket

Thomas Fikentscher of CyberArk explains why organisations should diversify their cyber security strategy.

Thomas Fikentscher
Tue, 04 Oct 2022

The stakes for businesses taking a gamble on the cyber security front have never been higher: the average cost of a data breach hit a record high of US$4.35 million this year, according to the annual Cost of a Data Breach report.

New findings from the Ponemon Institute report reveal stolen or compromised credentials were responsible for 19 per cent of breaches; phishing was responsible for breaches 16 per cent of the time; and cloud misconfiguration caused 15 per cent of breaches.

Undoubtedly, businesses are vulnerable and at risk, facing an exhaustive list of ever-growing challenges and far greater complexities in how to manage these than ever before.

What’s more, attacks are more sophisticated — just consider that today, one successful zero-day exploit or ransomware attack, for example, has the potential to take down a business completely. Isn’t that a scary thought?

Even scarier is the fact that compromised privileged credentials and identities continue to be the root cause of the most damaging cyber attacks.

Companies need to circumvent obstacles like seasoned professionals, deliver meaningful impact on the cyber risk front, and implement a comprehensive cyber security strategy that’s holistic, and offers a risk-based approach to securing human and non-human identities.

Couple that with the fact that navigating the world of cyber insurance has become even more demanding, and it’s truly a pressure cooker.

Take a blended approach

So, what’s the answer? Ensuring companies adopt a blend of advanced security solutions and sink their teeth into a solid cyber security insurance plan is a good “blended” security strategy.

Understandably, opting for a trusty cyber insurance policy is a smart move — it can help minimise post-incident business disruption, speed up recovery efforts and curb related costs to the organisation and its partners, but it’s not the panacea for all corporate ills.

If anything, a company’s foundational pillars, most valuable data, systems and defences need to be fortified first, and that’s why adopting a strong identity security program centred on intelligent privilege controls as part of a foundational cyber security strategy is more important than ever.

Indeed, there are four core foundational cyber security strategy pillars to consider:

  • Ensuring privileged access management (PAM) controls are firmly in place: least privilege controls, for example, may be required to strengthen ransomware defences, protect sensitive data in cloud environments and address compliance concerns.
  • Adopting a multi-factor authentication (MFA) approach to bolster security and authenticate administrative access to those privileged accounts. Failure to implement MFA elevates your risk level, and your premium rates.
  • Taking a risk-based approach to cyber security and ensuring both OT and IT aren’t compromised.
  • Implementing a zero-trust model, which assumes that all digital identities, human or machine, are implicitly untrusted and must be authenticated and authorised regardless of their network or location.

Better still, companies need help controlling, managing and auditing privileged accounts, credentials and secrets for human and non-human users in order to reduce risk while also improving operational efficiency and compliance.

And security starts with identity. To put it mildly, there’s been an explosion in human and machine identities with the rapid acceleration of major initiatives such as digital transformation and cloud migration, among others.

And while cyber insurance should be an integral piece of every organisation’s proactive risk mitigation strategy, as it provides essential financial protection and operational support, foundational security best practice should be in place, especially as insurers are asking for application control and password protection.

Cyber insurance upsurge

Still, let’s examine the cyber security insurance landscape. Needless to say, the pandemic changed everything, shaking up the world of security like a Category 5 hurricane.

According to the US Government Accountability Office (GAO), the number of enterprises electing to adopt new cyber insurance policies nearly doubled from 26 per cent to 47 per cent.

As more pandemic-driven cyber risks persist, we expect demand will grow. The cost of coverage is also rising. AIG, for its part, increased pricing by 40 per cent globally, according to Reuters.

Locally, many Australian firms say the cost of their cyber insurance policies has increased by 300 per cent, with some plans excluding ransomware and phishing, the most common attacks, which spiked between January and June this year to more than 1.2 million per month, according to recent Barracuda Research.

The huge spike in costs comes amid hefty payouts: high-profile attacks have wiped out the billions generated via premiums by cyber insurance companies. As such, insurers have clamped down on their terms and conditions to address hefty cyber loss trends.

Adding “fuel to the fire”, many insurers are applying more stringent pre-audit requirements and demanding a stronger security posture both in terms of controls and incident response plans.

What all this signals is that it’s never been more important to ensure an organisation’s security controls are up to date and firmly in place to keep and maintain proper cyber insurance coverage and safeguard the company’s crown jewels.

Instead of “putting all of your eggs in one basket”, think big: implement a range of security solutions that address compliance concerns and help customers reduce privilege-related risk, but also confidently and securely move your business forward.

Now, that’s just good business protection.

Thomas Fikentscher is the regional director, ANZ at CyberArk.
