As the number and severity of cyber losses have increased in virtually every industry sector, public and private companies alike have made cybersecurity an enterprise-wide priority, with many searching for solutions to manage their security risks within a reasonable working capital investment.
Many of the losses of the last few years can be attributed to the concentration of remote and hybrid workplaces, third-party partnerships, outsourcing and cross-company access to IT systems, an upswell in M&A/corporate transaction activity, and, perhaps most significantly, the ever-increasing sophistication of the cybercriminal. The overall impact of cybercrime is enormous. In fact, according to one estimate, cybercrime will cost the world $10.5 trillion per year by 2025, equal to $20 million per minute.
Every company is a potential target, regardless of its size, footprint or industry. Consequently, all companies need to assess and address their IT-security hygiene, both for enterprise protection (e.g., securing corporate loans and other company matters) and to obtain insurance (e.g., cyber, transactional liability, etc.). Cyber insurance carriers in particular have reacted to this sharp upswing in the cost of claims by materially increasing the intensity of underwriting scrutiny, increasing premiums and retentions, and, in certain instances, constricting coverage terms and available capacity. To that end, most cyber insurance carriers will provide comprehensive terms only if certain “gating” issues are resolved or mitigated.
“Insurers are beginning to understand which controls have the largest impact in reducing cyber insurance claims and are changing their underwriting process to reflect this understanding,” said Paul Ihme, co-founder and managing principal at Soteria. “Organizations must understand that a failure to implement foundational security controls such as multi-factor authentication, vulnerability management, and aggressive incident detection and response capability are at a heightened risk for being affected by a cybersecurity incident and, therefore, will have a much harder time getting insured.”
As risks continue to rise, obtaining proper cyber insurance coverage has become a necessity rather than a contingency. In addition, there are a variety of actions businesses can take to protect against and mitigate the potentially devastating impact of a cyber-related event and ensure maximum recovery of data, systems and money, including:
- Implement multi-factor authentication (MFA). MFA carries the greatest cost-benefit ratio of these controls and should be considered table stakes for all organizations. At minimum, implementing MFA on email and other critical internet-facing services is inexpensive and will thwart many attacks.
- Cover endpoint threats with remote desktop protocol security. If your organization uses remote desktop protocol (RDP), ensure your RDP servers are not accessible via the public internet. Despite the name, this service is not designed to be publicly accessible.
- Actively manage systems and configurations. Most software is not configured in a secure manner by default. IT and security teams must review and configure systems to be as secure as possible while supporting business functions.
- Continuously hunt for network intrusions. Systems should be monitored continuously for suspicious behavior. As new techniques and tools are discovered, security teams should hunt for any evidence of these techniques within your environment. Note that organizations may require a third-party cybersecurity partner to implement this capability properly.
- Update and upgrade software immediately. Priority should be given to public-facing (internet-facing) applications and infrastructure. The Cybersecurity and Infrastructure Security Agency (CISA) maintains a catalog of software and vulnerabilities that are actively exploited by threat actors. Organizations should continuously compare their software inventory against the CISA catalog updates and take appropriate action to update any affected software.
- Provide regular training on social engineering and cybersecurity. Train users to identify and report any threats, even if they identify the threat after they fall victim. Punishing employees who are victimized by scams can reduce your ability to respond effectively.
- Mitigate third-party exposure threats. Understand which third parties could most significantly impact your business and take steps to mitigate these risks via contractual or technical means.
- Develop and exercise a system recovery plan. All organizations will experience some form of security incident at some point. Develop and exercise your response and recovery plan to ensure an aggressive and timely recovery.
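
For the "Update and upgrade software" item above, here is one way to compare a software inventory against CISA's catalog (published as the Known Exploited Vulnerabilities catalog) and rank the results with internet-facing systems first. This is an added example, not part of the original article. The catalog sample, the CVE placeholders, the inventory records and the `internet_facing` field are constructed, and matching is by exact vendor and product name only, without version checks.

```python
from datetime import date

# Constructed sample in the shape of CISA's KEV JSON feed (subset of fields).
# Vendors, products and CVE IDs are placeholders, not real catalog entries.
KEV_SAMPLE = {"vulnerabilities": [
    {"cveID": "CVE-0000-0001", "vendorProject": "ExampleVendor", "product": "Mail Gateway",
     "dueDate": "2024-03-01", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-0000-0002", "vendorProject": "ExampleVendor", "product": "VPN Appliance",
     "dueDate": "2024-02-10", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-0000-0003", "vendorProject": "OtherCorp", "product": "Print Server",
     "dueDate": "2024-01-15", "knownRansomwareCampaignUse": "Unknown"},
]}

# Constructed inventory; "internet_facing" is an assumed field an asset register would supply.
INVENTORY = [
    {"host": "mx01", "vendor": "examplevendor", "product": "mail gateway", "internet_facing": True},
    {"host": "vpn01", "vendor": "ExampleVendor", "product": "VPN Appliance", "internet_facing": True},
    {"host": "prn07", "vendor": "OtherCorp", "product": "Print Server", "internet_facing": False},
    {"host": "db02", "vendor": "OtherCorp", "product": "Database", "internet_facing": False},
]

def _key(vendor, product):
    """Normalise vendor/product so case and stray spaces do not hide a match."""
    return (vendor.strip().lower(), product.strip().lower())

def match_inventory(catalog, inventory, today):
    """Return one finding per (asset, catalog entry) pair, highest priority first."""
    by_product = {}
    for v in catalog["vulnerabilities"]:
        by_product.setdefault(_key(v["vendorProject"], v["product"]), []).append(v)
    findings = []
    for asset in inventory:
        for v in by_product.get(_key(asset["vendor"], asset["product"]), []):
            due = date.fromisoformat(v["dueDate"])
            findings.append({
                "host": asset["host"], "cve": v["cveID"],
                "internet_facing": asset["internet_facing"],
                "ransomware": v["knownRansomwareCampaignUse"] == "Known",
                "days_overdue": (today - due).days,  # negative means not yet due
            })
    # Internet-facing first, then ransomware-linked entries, then most overdue.
    findings.sort(key=lambda f: (not f["internet_facing"], not f["ransomware"], -f["days_overdue"]))
    return findings

if __name__ == "__main__":
    for finding in match_inventory(KEV_SAMPLE, INVENTORY, date(2024, 2, 20)):
        print(finding)
```

In practice the catalog would be loaded from CISA's published JSON feed on a schedule, and product names in the inventory would need mapping to the catalog's naming before an exact match is reliable.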