Over the past year, the increased visibility of cyberrisks brought about positive changes in the security posture of businesses, as many leaders took steps to avoid becoming the next news headline. In 2022, we can expect to see further progress in security initiatives to stem the exponential growth in cyberattacks, defined by a purposeful shift in defense and resilience strategies and aided by external pressure from law enforcement agencies.
Ransomware jumped to the forefront of the news in 2021 with high-profile attacks that impacted large populations. This will continue to be a driving force behind the growing focus on cyberrisk in 2022. Noteworthy and large-scale attacks in 2021 included those on Colonial Pipeline, which impacted vital infrastructure, and JBS Foods, which impacted food supply chains. These are just a few examples of how cyberattacks cross over to the physical world and impact people beyond a computer screen. Seeing the long-term and fiscal impact of such events has encouraged the growing emphasis on cyberrisk. While some may see this as too little, too late, these events have helped to focus efforts from governments and law enforcement agencies to take the fight to the attacker.
For too long, organizations were forced to try and solve the issue of computer security alone. We know that security is a complex matrix that includes a wide array of technologies, configurations and processes. Some organizations mistakenly assume that investing in one solution will solve all of their security challenges; others simply throw up their hands in the face of the complexity. Thankfully, the steady refinement of security frameworks and new security control requirements from cyberinsurers has helped to cut through the noise and created a roadmap for organizations to shift and uplevel their approaches.
Cyberinsurers have been uniquely positioned to focus more heavily on security requirements throughout the past few years. While they may seem unlikely contenders as leaders in security, cyberinsurers sit at a focal point of thousands of incidents. As cyberinsurance claims continue to pour in, cyberinsurers are paying closer attention to the trends to identify common points of failure that contribute to the frequency and severity of attacks. Leveraging data from cyberincidents, insurers have been able to whittle the hundreds of security controls recommended in industry frameworks down to a smaller core group that yields the greatest returns in cyberrisk mitigation. This provides an easier on-ramp for organizations into security practices.
Even with the choice of controls narrowed down, however, an overly eager approach can sometimes result in misguided investments that don’t deliver a solid cost-benefit proposition—or cause leaders to balk at the scope of the process and cost.
That is where the newer generation of technology-based security assessments powered by artificial intelligence/machine learning (AI/ML) comes in. By analyzing thousands of data points from the external perimeter of organizations and internal security controls, technology-driven security assessments from cyberinsurers can help predict the likelihood of a cyberincident and outline the best mitigating controls. Those insights are then translated into information that business leaders can understand. This is critical, as the information provides executives with a clearer representation of their risks and the ROI for security technology. While executives have often heard ambiguous messages about security technology making organizations safer, they can now see data-driven insights outlining how technology can reduce the likelihood of a security breach by a predefined percentage—saving companies a specific amount of money.
Insurtechs are well-positioned to continue to redefine proactive strategies, contributing to these solutions by bringing together AI/ML findings based on claims data and real-world attack scenarios identified through data science that determines common points of failures in security incidents. This is an iterative, evolving process—as are the trends in cyberattacks. As attackers continue to advance their methods to infiltrate organizations, so, too, must the insights insurtechs derive from them. With advanced data and technology at their fingertips, insurtechs must continue to improve strategies and tie key findings from security incidents into new required security controls for policyholders. Just as auto insurers were instrumental in bringing about the required use of seat belts, cyberinsurers must bring about the concept of a minimum-security stack that includes required security controls, technologies and processes.
Defense Strategies Evolve With Threats and Costs
As attack vectors change, so do the actions and remediation steps victims take. Breach response costs for cyberincidents—including assistance in legal, forensics and recovery efforts—increased from 29% to 52% of overall claims costs from 2019 to 2020, while business interruption costs shrank as a percentage. Conversely, the demand-to-pay ratio is declining, a finding that could be attributed to new requirements set by cybercarriers. While organizations are getting better at protecting their backups from ransomware actors, incident response costs are still growing—a symptom of the increasing severity of cyberattacks. Focusing on the basics of a resilient backup strategy can have a positive impact. But while impactful, having to use backups means that an attack has already happened. Organizations must also work to prevent the attacks from ever taking place. Security researchers have long recommended vulnerability patching as a key tactic for proactive defense, since threat actors commonly target open vulnerabilities to gain initial access to environments, which can then turn into ransomware attacks. Like many security basics, patching is yet another example of the less glamorous side of security that, when neglected, results in large costs from security incidents.
Carriers should aim to increase focus on the implementation of security controls to minimize the attack surface and subsequent claims. Requiring MFA on remote access and applications, investing in EDR solutions and external monitoring—and, of course, investing in resilient backup systems—are crucial ways in which businesses can protect the easier barriers to entry from cybercriminals’ attacks, whether via ransomware or other means. All of these controls are now finding their way into the requirements before businesses purchase a cyberinsurance policy.
Thankfully, businesses are also finding that they no longer have to fight these battles alone. The creation of ransomware task forces and infrastructure bill investments throughout 2021 have supported the perception of proactive security measures as a high priority, helping to bring security requirements to the forefront. These efforts have helped increase appropriate investments into new technologies and discussions to drive larger research and initiatives. Subsequent advisories on handling cybercrime exemplify the gravity of the situation, further aiding cybersecurity teams to reinforce the need for investment in cyberhygiene. The U.S.’s $2 billion investment in the infrastructure bill will further support innovation in the security marketplace. If successful, we should see an emergence of new technology that will help shift the advantage back to the defenders.
In tandem, the U.S. and other governments are actively working to dismantle ransomware gangs and state actors. Until more recently, these groups have successfully operated with few repercussions. They have grown bolder, driving up ransom demands from several thousand dollars to millions of dollars. These malicious actors have been successful in the past because there was little pushback and little fear of penalty. As a result, new threat groups have unfortunately emerged, looking for accessible, low-risk and quick money-making schemes. While it is still too early to understand the impact these takedowns are having, criminal chatter around the topic shows that there are growing concerns around who could be next.
Be Attentive to Security in the Cloud and Third-Party Software
Ransomware is undoubtedly a key force in the fast-growing need for cybersecurity controls and risk mitigations, but organizations must also remember that other attack vectors remain, especially with evolving technology. While the security industry as a whole is still learning about cloud security, organizations that shift to a cloud-based infrastructure and increase their use of third-party software must not let their guards down. As we enter a new cycle of learning, attackers will issue a new cycle of attacks. Businesses must not find themselves in a position where the focus is exclusively on ransomware defenses, having reinforced one area of their business but left themselves fully exposed in another.
Contrary to some organizations’ beliefs, the use of cloud-based software-as-a-service (SaaS) does not shift the responsibility of security away from companies. Many SaaS providers will handle security on the backend to prevent an attacker from hopping between client accounts. Yet the SaaS buyer is still responsible for proper configuration on the frontend, preventing an attacker from accessing their data specifically. For that reason, it remains essential for organizations to avoid a quick spin-up of a cloud or SaaS technology without exploring how to secure it. For many security professionals, this requires learning the complexities of cloud environments. Respondents to the Cloud Security Alliance’s 2019 survey cited configuration problems—being able to proactively detect misconfigurations and security risks—as the biggest challenge they faced with cloud implementation. The challenge is especially prevalent because cloud platforms can have hundreds of interwoven configuration options. A minor configuration change in one area can introduce an unknown number of security issues in another—without intimate knowledge of that cloud platform, the security gap could go unnoticed. Cloud technology introduces a whole new environment to secure, operated by a different set of rules and with its own potential issues, which organizations must consider. It is not enough to figure it out as you go. Attackers thrive on those error-prone approaches. Organizations must take a proactive approach to identify common misconfigurations that can expose data or give attackers an easy path to account compromise.
A prime example: In Microsoft Office 365, multifactor authentication (MFA) is, by default, not required for all users. Administrators must enable it and push for compliance among their users. Further, monitoring for configuration drift in cloud environments becomes even more critical as the number of administrator accounts grows, because configuration changes can then be made by more people and in more places. With ever-evolving technology landscapes, organizations need to understand how to manage new security concerns, as the corporate network is no longer the only way to access data.
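One way to operationalize the drift monitoring described above, as an added example that is not code from the article or from Microsoft: compare a reviewed baseline of tenant settings and accounts against a current export and flag every change that weakens MFA coverage. The snapshot layout (`settings`, `users`, `roles`, `mfa`) is constructed for illustration; a real check would read the equivalent fields from the provider's admin export.

```python
# Added example (not from the article or from Microsoft): compare a reviewed
# baseline of tenant settings against a current export and flag drift that
# weakens MFA coverage. The snapshot layout is constructed for illustration.

# Constructed baseline captured when the tenant was last reviewed.
BASELINE = {
    "settings": {"mfa_required_for_all": True, "legacy_auth_enabled": False},
    "users": {
        "alice": {"roles": ["Global Administrator"], "mfa": True},
        "bob": {"roles": [], "mfa": True},
    },
}

# Constructed current snapshot: a tenant-wide setting was flipped and a new
# admin account exists without MFA registered.
CURRENT = {
    "settings": {"mfa_required_for_all": False, "legacy_auth_enabled": False},
    "users": {
        "alice": {"roles": ["Global Administrator"], "mfa": True},
        "bob": {"roles": [], "mfa": True},
        "carol": {"roles": ["Exchange Administrator"], "mfa": False},
    },
}

def setting_drift(baseline, current):
    """Map each tenant-wide setting that changed to its (old, new) values."""
    return {
        key: (old, current["settings"].get(key))
        for key, old in baseline["settings"].items()
        if current["settings"].get(key) != old
    }

def admins(snapshot):
    """Accounts holding any administrative role."""
    return {u for u, v in snapshot["users"].items() if v["roles"]}

def admins_without_mfa(snapshot):
    """Admin accounts with no MFA registered, sorted for stable output."""
    return sorted(u for u in admins(snapshot) if not snapshot["users"][u]["mfa"])

def drift_findings(baseline, current):
    """Human-readable findings a reviewer would want after each export."""
    findings = [f"setting changed: {k} {old!r} -> {new!r}"
                for k, (old, new) in setting_drift(baseline, current).items()]
    findings += [f"new admin account: {u}" for u in sorted(admins(current) - admins(baseline))]
    findings += [f"admin without MFA: {u}" for u in admins_without_mfa(current)]
    return findings
```

Running `drift_findings(BASELINE, CURRENT)` on the constructed snapshots reports the flipped MFA setting, the newly created administrator and that administrator's missing MFA registration, which is exactly the set of changes an operator would want to review before they are exploited.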
Shift the Strategy to Shift the Momentum With Cyberinsurers
Security, much like any technology topic, is constantly evolving—and to better an organization’s security posture in 2022, security professionals must continue to push for shifts in strategy while staying true to the fundamentals. There is no security technology that will solve all problems, and building a foundation of fundamentals remains a critical component of success. Organizations must be open to external help from cyberinsurers. With greater investments from governments and improved insights from cyberinsurance carriers, businesses have ample resources to help them cut through the noise of security and identify actionable items to improve their security and resilience. Proactive defense strategies and controls, including partnering with cyberinsurers and deploying MFA, EDR and backup systems, are key to continuing the momentum we’ve seen in 2021. These strategies will help organizations prioritize their security investments, shifting the momentum back to the defenders.