
Weighing up the business value of cyber insurance

The rising number of cyber security incidents and the spiralling cost of insurance are forcing many Australian businesses to re-evaluate the measures they have in place to protect themselves from the financial impact of an attack, Scott Hesford at BeyondTrust writes.

Scott Hesford
Tue, 08 Nov 2022

Meanwhile, alongside increasing premiums for cyber security policies, insurance companies are also re-evaluating the types of risks that they are prepared to cover. The result is a wide range of policies that offer very different levels of protection.

This situation is occurring as the cost of cyber attacks continues to grow. According to figures from the Australian Cyber Security Centre, self-reported losses from cyber crime totalled more than $33 billion in the 2020–21 financial year.

This comes at a time when the number of organisations taking out cyber insurance is on the rise. According to the Insurance Council of Australia, around 20 per cent of SMEs and up to 70 per cent of larger businesses have stand-alone cyber insurance policies in place.


Forces at work

There have been two key forces that have increased the risks faced by Australian businesses when it comes to cyber attacks. The first is the shift to remote and hybrid working that took place as a result of the global pandemic.

This shift means that many staff are no longer protected by the security measures traditionally in place within their office environments. Forced to access digital resources over a domestic internet connection at home, they are more likely to fall victim to an attack.

The second key force is the increasing ease with which attacks can be mounted. Where once cyber criminals required significant technical skills, they can now make use of a range of tools or services being offered online, including ready-made access to corporate networks via breached credentials.

Important preventative steps

Faced with these challenges, there are some key preventative steps that all organisations should take to improve their level of cyber security. These steps are also frequently required by cyber insurance providers before a policy can be put in place.

The steps include:

  • Limiting admin rights: One of the most powerful steps that can be taken is to review the number of staff who have admin-level access to IT resources. Cyber criminals often seek to obtain credentials through phishing or malware schemes to gain entry to a network and the data within it. Since privileged credentials can access the most data, they are the most valuable, and their theft can cause the most damage. Lowering the number of staff with these top-level rights serves to lower the organisation’s attack surface and reduces the chances of a successful attack.
  • Improving network visibility: Another important step to take is to increase the level of visibility that the IT security team has into the network — something even more vital in this era of remote and hybrid working. Tools need to be deployed that allow the team to constantly monitor who is accessing the network, when it’s being accessed, the amount of access granted, and from where it’s being accessed. Without this level of visibility, it can be difficult — if not impossible — to spot threats and prevent damaging attacks.
  • Deploying MFA: A third vital step is the rollout of a multi-factor authentication (MFA) capability. MFA requires users to provide proof above and beyond a simple password that they are who they claim to be when requesting access to resources. Authentication factors can include one-off codes generated by a mobile app, a fingerprint, or facial recognition. The more factors that are required, the more secure an organisation’s IT infrastructure will become.

The decision to insure

The decision of whether to take out a cyber insurance policy depends on a range of factors but should be carefully considered by all organisations. The financial costs associated with an attack can be significant and, in some cases, bring the target to its knees.

It is important to carefully review the types of cover on offer and the requirements that the insuring party will place on the organisation when it comes to deploying security measures.

The threats posed by cyber criminals are going to continue to evolve and grow in coming years. Taking time now to review insurance options and the protective measures that are in place is vital, as is taking proactive steps to avoid a breach in the first place.

Scott Hesford is the director of solutions engineering, Asia-Pacific region and Japan, at BeyondTrust.
