Why strong identity security is key to cyber insurance

By Joseph Carson, Chief Security Scientist and Advisory CISO at Delinea


Businesses have been insuring themselves against the financial impact of malicious and accidental loss for hundreds of years. But while protection for physical damages is well understood, insurance for loss from cybercrime is a very new area that many organisations are still getting to grips with.

The cyber insurance industry barely existed a decade ago, but has now grown into a $7.6 billion global industry and is expected to exceed $36 billion by 2028. The rapid growth reflects the increasing threat posed by cyber-attacks, and the fact that businesses have invested heavily in digital transformation and now have far more to lose when their IT systems fail.

Protecting against loss from cyber-crime has become an increasingly important element of a risk management strategy, but securing insurance coverage is often easier said than done. Reports indicate that premiums increased by 130% in the US and 92% in the UK in the fourth quarter of 2021 alone.

Firms must also contend with increasingly complex and exacting criteria to qualify for coverage. They need to demonstrate genuine understanding about their IT estates and the value of the digital assets they safeguard, as well as prove they have effective controls and best practices in place.


What controls are cyber insurers looking for? 

Just as with more familiar forms of insurance, cyber insurance providers base their coverage on the apparent risk of the company. Firms need to prove that they have invested in the right solutions, processes and personnel for their cyber risk profile. Businesses that fall below the mark can expect higher premiums, or may find that no insurer is willing to write them a policy at all.

The nascent cyber insurance industry does not yet have any agreed standards: some insurers base their criteria on regulatory frameworks, while others devise their own bespoke metrics for evaluating risk. Nevertheless, most providers share a focus on network firewalls, antivirus and access security controls as the three main pillars of security readiness.

Access controls are perhaps the most important of the three, as cyber attacks are increasingly oriented around identity. In January 2022 alone more than 66 million records were breached, and over half of the reported incidents involved leaked credentials.

Maintaining effective control of how IT systems are accessed is the most critical security challenge facing organisations today, and it has become far more difficult as digitalisation efforts progress and IT estates expand. Most organisations now have large numbers of digital identities scattered across multiple locations on-premises and in the cloud, and access is often shared freely with partners and other third-party connections.

Firms must get control of this situation to have any chance of effectively preventing the loss of their digital assets – let alone procuring cyber insurance coverage.


Why securing privileged access is a top priority 

Effective identity security requires a multi-layered approach, with multiple solutions and processes working in tandem. A least privilege approach to system access is one of the most important baselines: by default, every user can access only the information and resources required for their job role, and anything beyond that is granted explicitly and reviewed.

Automated password management is another important capability, as it reduces the risk posed by weak, manually created passwords and the bad habit of credential sets being stored and shared insecurely. Multifactor authentication (MFA) is also essential: requiring a second factor to verify identity means that stolen credentials alone are no longer enough to get into the system.

The top priority for identity security should be protecting privileged access: accounts with elevated rights over systems and data. Privileged accounts are a top target for many cyber attacks because they allow threat actors to access and alter critical systems and data, and to cover their tracks by altering logs.

Privileged Access Management (PAM) is the key to dealing with this threat. A PAM solution enables organisations to automatically identify the privileged accounts on their systems and to implement effective controls that safeguard them from abuse. For example, it can enforce strict rules on how privileged accounts are used, such as brokering every privileged session through a controlled path, imposing session time limits, and monitoring sessions to detect suspicious behaviour.

Privileged access credentials can also be tightly controlled through automated management systems, making it much more difficult for attackers to escalate their privileges should they compromise standard user accounts. PAM solutions can also provide extensive auditing and reporting capabilities, ensuring that the organisation can readily prove their commitment to security to insurers and regulators.
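The two PAM capabilities described above, identifying privileged accounts and monitoring privileged sessions against a policy, can be illustrated with a small script. This is an added example written for this article, not code from the author or from any PAM product; the group file, the session log, its line format and the policy thresholds are all constructed for the illustration. It inventories privileged accounts from an /etc/group-style file, then audits a session log for accounts elevating outside the inventory, sessions that bypass the brokered path, sessions that exceed the time limit, and sessions never closed.

```python
"""Toy PAM-style audit: inventory privileged accounts, then check privileged
sessions against a simple policy. All data below is constructed sample input."""
import re
from datetime import datetime, timedelta

# Groups treated as privileged (assumption for this example).
PRIVILEGED_GROUPS = {"root", "sudo", "wheel", "adm"}

# Constructed /etc/group-style content, not a real host's file.
GROUP_FILE = """root:x:0:
adm:x:4:syslog,alice
sudo:x:27:alice,bob
wheel:x:10:svc-backup
developers:x:1001:carol,dave
"""

# Constructed privileged-session log; the format is hypothetical.
# Each START line is an elevated session, ideally brokered via the bastion.
SESSION_LOG = """2022-01-10T08:00:05Z START user=alice session=s1 via=bastion
2022-01-10T08:45:10Z END user=alice session=s1
2022-01-10T22:10:00Z START user=bob session=s2 via=bastion
2022-01-11T03:30:00Z END user=bob session=s2
2022-01-10T09:00:00Z START user=carol session=s3 via=bastion
2022-01-10T09:20:00Z END user=carol session=s3
2022-01-10T10:00:00Z START user=svc-backup session=s4 via=ssh-direct
"""

# Policy thresholds (assumptions for this example).
MAX_SESSION = timedelta(hours=2)
ALLOWED_PATH = "bastion"

LINE_RE = re.compile(
    r"^(\S+) (START|END) user=(\S+) session=(\S+)(?: via=(\S+))?$")


def privileged_accounts(group_text):
    """Return the usernames listed as members of any privileged group.
    Note: users whose *primary* group is privileged (e.g. root's own
    GID 0) do not appear in the member list and need a passwd lookup."""
    accounts = set()
    for line in group_text.splitlines():
        name, _pw, _gid, members = line.split(":")
        if name in PRIVILEGED_GROUPS:
            accounts.update(m for m in members.split(",") if m)
    return accounts


def audit_sessions(log_text, privileged, max_session=MAX_SESSION,
                   allowed_path=ALLOWED_PATH):
    """Return a list of (session, user, reason) findings for the log."""
    findings = []
    open_sessions = {}  # session id -> (user, start time)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            findings.append(("-", "-", "unparseable line: %r" % line))
            continue
        ts_text, event, user, sess, via = m.groups()
        ts = datetime.fromisoformat(ts_text.replace("Z", "+00:00"))
        if event == "START":
            if user not in privileged:
                # Either the inventory is stale or elevation bypassed PAM.
                findings.append((sess, user, "elevation by account outside inventory"))
            if via != allowed_path:
                findings.append((sess, user, "not brokered via %s (via=%s)" % (allowed_path, via)))
            open_sessions[sess] = (user, ts)
        else:
            user0, start = open_sessions.pop(sess, (None, None))
            if start is None:
                findings.append((sess, user, "END without matching START"))
                continue
            if ts - start > max_session:
                findings.append((sess, user, "exceeded %s (ran %s)" % (max_session, ts - start)))
    # Anything still open when the log ends was never closed.
    for sess, (user, _start) in open_sessions.items():
        findings.append((sess, user, "session still open at end of log"))
    return findings


if __name__ == "__main__":
    priv = privileged_accounts(GROUP_FILE)
    print("privileged accounts:", sorted(priv))
    for sess, user, reason in audit_sessions(SESSION_LOG, priv):
        print("%s %-10s %s" % (sess, user, reason))
```

On the constructed data this flags bob's overnight session for exceeding the limit, carol for elevating without being in any privileged group, and the svc-backup service account both for connecting directly rather than through the bastion and for never closing its session. A real PAM deployment derives the inventory from the directory and vaults, not a single group file, but the shape of the checks is the same.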


Why is cyber insurance important? 

The volume and severity of cyber attacks has drastically increased in the last few years. The prevailing attitude in the security industry is now that a breach is a matter of when, not if, and enterprises are increasingly adopting this mentality.

While firms must still invest in the right solutions and processes to avoid being an easy target, they also need to be pragmatic about the fact that the risk of a data breach can be greatly reduced but never completely eliminated. A good cyber insurance policy acts as an extra line of assurance against this outcome, increasing the organisation's ability to weather the financial impact of a security incident and keep operating.

Better yet, the same controls required by insurance providers will also greatly improve the organisation’s security posture, reducing the chances of a breach occurring and mitigating the impact when one does occur.
