Why Cyber Insurance Won’t Protect Your Business from Ransomware
Strict standards and rising insurance premiums are threatening to undermine the cyber insurance model.
Despite lots of attention from the national media and cybersecurity experts, the threat of ransomware attack continues to grow more serious. According to a recent article in Infosecurity Magazine, the number of ransomware attacks grew a staggering 485% in 2020 alone.
The threat is not just cybersecurity hype. In just the last 12 months, several major technology companies have fallen victim to ransomware attack. Here are just a few of the bigger cases:
- In April of this year, hackers stole confidential schematics from an Apple supplier and demanded $50 million to not release them.
- Kaseya, a leading provider of network monitoring and management tools, announced that it was the “victim of a sophisticated cyberattack” that infected between 800 to 1500 small to midsized companies with ransomware.
Those astronomical fees are quickly becoming the norm. According to Coalition’s 2020 Cyber Insurance Report, the average ransom demanded after a successful attack jumped up 47% from just Q1 to Q2 of last year, which is on top of an already 100% increase from 2019 and 2020.
But I Have Cyber Insurance, Isn’t My Business Protected?
To counter the threat of ransomware, some businesses have started to rely on cyber insurance policies, which will compensate them for all the costs associated with recovering from a ransomware attack, such as hardware costs, engineering manhours, forensic work, and others.
Just a few years ago that may have been a sound strategy, but no longer. Insurance companies who struggle to pay ever-growing claims have started to take steps to protect themselves. This includes limiting the types of protection they offer, raising the standards for coverage, and increasing their premiums.
How much of an increase? According to research by the U.S. Government Accountability Office (GAO), cyber premiums increased on average between 10% and 30% in 2020. Other research from international insurance broker Howden found that prices increased 32% year-on-year as of last month.
But higher premiums are just one reason why your business can’t rely on cyber insurance as protection from ransomware.
The Hidden Cost (and Danger) of Relying on Cyber Insurance
Higher insurance premium is not the only downside to over-reliance on cyber insurance; some experts believe that it lulls businesses into a false sense of security.
That’s what happened at Heartland Payment Systems, a payroll and credit card processing firm who bought a $30 million cyber insurance policy, only to later face a $115 million bill for remediating a devastating ransomware attack.
In cases like this one, insurance provides a feeling of being invulnerable, which means a company may not spend the proper amount of time and effort to keep their defenses optimized.
There may be other unintended consequences as well. This paper from the Royal United Services Institute (RUSI) finds that criminal gangs are now actively targeting companies that hold cyber insurance policies, because they know that they’re far more likely to receive their money from insured companies. These reliable payouts give criminals the resources and confidence to launch more ambitious attacks.
So, what should businesses in Ohio do?
Ransomware Demands an Emphasis on Cybersecurity Fundamentals
To purchase cyber insurance and keep your premiums within reason, businesses will have to view insurance as one part of their security toolbox. That means revisiting all their security controls and ensuring they’re up to standard.
Here are some of the steps that you should take in addition to purchasing cyber insurance.
- Regular Security Assessments
Your network changes every day. The only way to keep such a dynamic environment secure is with regular cybersecurity risk assessments from a team of experts. The regular assessments we perform help businesses find weaknesses in their hardware, software, and business processes, so that they can best allocate security manpower and resources. Here’s more information about our network security assessments.
- Vigilant Security Awareness Training
Your staff is the first line of defense against ransomware. Keeping them aware of the latest ransomware and hacking methods (which are constantly changing) is the single greatest way for you to defend your business and demonstrate preparedness to an insurer. Topics that you should include in your employee training include email security attacks, password hygiene, how to spot a phishing attack, and physical security best practices. You can learn more about the dangers of social media at work here.
- Deploy Multi-Factor Authentication
Multi-factor authentication (MFA) is when you use another method or “factor” to secure your network systems. This additional factor is often biometric information like a fingerprint, or a temporary password sent to a trusted mobile device. MFA is considered one of the most cost-effective and impactful security steps a business can take.
- Harden Your Network and Technology
For criminals to take your network hostage, they must have an entry point . The most common way into a business network is through outdated hardware or software systems, which is why you should be vigilant about applying new software patches and firmware as they’re released, then testing to make sure they haven’t harmed the stability of your network.
- Employ a Risk Management Framework
Enterprises have long employed security frameworks like the National Institute for Standards and Technology (NIST) Cybersecurity Framework to better assess risk and build meaningful protections. Now that cybersecurity is such a major concern, small and midsized businesses in Ohio should be looking for in-depth guidance from NIST and similar frameworks to guide their efforts.
- Monitor Your Network Security
Do you know if an unauthorized party has entered your network recently? The unfortunate answer is, probably not. The average “dwell time,” the measurement of how long ransomware remains undetected in a network, is 43 days. To ensure that you detect and respond to threats quickly, you’ll want to deploy systems for network monitoring and intrusion prevention, then maintain them so they always offer optimized defenses.
20 Years of World-Class Cybersecurity Service for Ohio Businesses
Cyber insurance premiums may be on the rise, but the cybersecurity team at Astute Technology Management can help. We’ll guide you through the process of optimizing your cybersecurity defenses, ensuring that you’ll qualify for the cyber insurance you want while keeping premiums under control.