Insurers Want Businesses to Brush Up on Cyber Hygiene
Cyber insurers are experiencing a higher volume of claims plus heightened demand for coverage, making it increasingly difficult for businesses to obtain cyber protection at a favourable rate—if at all.
Tricia Crews, Cyber Specialist with Rogers Insurance, attributes this to the drastic spike in ransomware and business email compromise attacks, plus the rapid transition to remote work in 2020, which left a lot of companies more susceptible to cyberattacks.
The number of ransomware claims in the first six months of 2021 exceeded the total number of claims in 2019.
“Fortunately, there are three fairly straightforward steps businesses can take to improve their cyber hygiene, which will make them less vulnerable to a cyberattack and, therefore, more appealing to insurers,” she said.
Cyber hygiene is the routine maintenance and improvements a business makes to strengthen its online security. According to Crews, insurance companies are currently favouring businesses that practise good cyber hygiene in the areas of:
- Perimeter security
- Email security
- Data security
Perimeter security comprises the methods a business uses to defend its network against malicious attack. Examples include firewalls, vulnerability scans and penetration testing.
A top concern for insurers these days is Remote Desktop Protocol (RDP), which enables remote access to a company’s network.
“A lot of companies have these open ports exposed on the Internet, which are easily used by cybercriminals to initiate a ransomware attack,” explains Crews. “Some insurers are automatically declining cyber coverage if a business has open RDPs because these are such a vulnerability.”
According to one insurer, almost half of the ransomware attacks they see stem from open RDPs.
Crews advises businesses to close all open RDP ports that aren’t necessary and, if remote access is needed, to instead create a secure virtual private network (VPN) that can only be accessed by using multi-factor authentication.
Multi-factor authentication requires an individual to verify who they are in a minimum of two ways. This entails something an employee knows (such as a password) coupled with either something they have (such as a verification code) or something they are (such as a biometric identifier like a fingerprint or facial recognition).
The protection that multi-factor authentication provides cannot be stressed enough. “Even if a company has firewalls, has closed open RDPs and is doing vulnerability scans, without multi-factor authentication, they are essentially leaving the front door open to cybercriminals,” says Crews.
“Email is one area in which companies are most vulnerable to a cyberattack,” says Crews. These can take the form of phishing, extortion and social engineering attacks.
To protect against business email compromise and phishing attacks as well as compromised passwords, Crews says insurers are looking for businesses that:
- use multi-factor authentication;
- regularly conduct employee awareness training; and
- use email filtering software.
Weak or stolen passwords are a hacker’s weapon of choice. “It’s so much easier for cybercriminals when only a password protects access to a core work application, such as email,” says Crews. “Multi-factor authentication provides a double layer of protection and, by some estimates, can block over 99.9 per cent of attacks.”
That said, finding and using compromised passwords is just one way that cybercriminals infiltrate a company’s email. Another is social engineering attacks in which attackers deceptively manipulate a person into providing sensitive data or confidential information. One of the most common types of social engineering is a phishing email, which is an email that dupes a victim into unwittingly providing confidential information or clicking on a malicious link that can lead to the installation of malware.
This is why businesses that routinely educate staff on cybersecurity best practices are more attractive to insurers.
“Cyber insurers are looking for businesses to conduct ongoing phishing and employee awareness training,” says Crews. “It can’t just be one and done; insurers want training throughout the year.”
In conjunction with the employee training, email filtering software is another layer of protection for email security. When enabled, the software is able to independently analyze incoming emails for red flags that signal phishing content.
“A company’s data is probably the most valuable part of its computer system,” says Crews.
This is why cyber insurers are critically examining:
- How frequently businesses are backing up data. Crews advises once a week, at a minimum.
- Whether a backup is connected to a company’s system, or whether backups are offline and completely separate from it. Crews says the latter is preferable, as ransomware can also take backups hostage when they are connected to a company’s system.
- How many copies businesses are keeping and for how long. Crews advises keeping multiple copies, stored on at least two different kinds of media, including one that is stored safely offsite. She also recommends keeping older versions for two to three months, as more recent backups may be corrupted or already affected by malware.
- Whether backups are being regularly tested. Crews says companies need to ensure their data is accessible and readable.
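The four backup criteria above can be checked mechanically against a backup inventory. The script below is an added example, not part of the article or of Rogers Insurance’s material; the inventory format, the thresholds (weekly backups, two media types, 60 days of retention, a restore test within 90 days) and the sample data are assumptions chosen to match the advice given here.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

@dataclass
class BackupCopy:
    taken: date                      # date the copy was written
    media: str                       # kind of media, e.g. "disk", "tape", "cloud"
    offline: bool                    # disconnected from the production network
    offsite: bool                    # held at a different physical location
    restore_tested: Optional[date]   # last successful test restore of this copy, if any

def audit_backups(copies: List[BackupCopy], today: date,
                  max_age_days: int = 7, min_media: int = 2,
                  min_retention_days: int = 60, test_window_days: int = 90) -> List[str]:
    """Return the gaps found against the backup criteria; an empty list means all met."""
    if not copies:
        return ["no backups on record"]
    gaps = []
    newest = max(c.taken for c in copies)
    if (today - newest).days > max_age_days:
        gaps.append(f"newest backup is {(today - newest).days} days old (max {max_age_days})")
    oldest = min(c.taken for c in copies)
    if (today - oldest).days < min_retention_days:
        gaps.append(f"oldest retained copy is only {(today - oldest).days} days old (want {min_retention_days})")
    media = {c.media for c in copies}
    if len(media) < min_media:
        gaps.append(f"only {len(media)} media type(s) in use (want {min_media})")
    if not any(c.offline for c in copies):
        gaps.append("no offline copy: a connected backup can be encrypted along with production")
    if not any(c.offsite for c in copies):
        gaps.append("no offsite copy")
    tests = [c.restore_tested for c in copies if c.restore_tested is not None]
    if not tests or (today - max(tests)).days > test_window_days:
        gaps.append(f"no successful restore test in the last {test_window_days} days")
    return gaps

# Constructed sample inventories (not taken from the article).
TODAY = date(2021, 9, 1)
WEAK = [BackupCopy(date(2021, 8, 20), "disk", offline=False, offsite=False, restore_tested=None)]
GOOD = [
    BackupCopy(date(2021, 8, 30), "disk", offline=False, offsite=False, restore_tested=date(2021, 8, 15)),
    BackupCopy(date(2021, 8, 29), "tape", offline=True, offsite=True, restore_tested=None),
    BackupCopy(date(2021, 6, 1), "tape", offline=True, offsite=True, restore_tested=None),
]

if __name__ == "__main__":
    for name, inventory in (("weak", WEAK), ("good", GOOD)):
        print(name, audit_backups(inventory, TODAY) or ["meets all criteria"])
```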
By properly backing up its data, a business will be in a better position to respond to a ransomware attack, for which the severity of payouts has skyrocketed. Ransomware attacks can also cause lengthy business interruptions, costing an organization significantly more than the ransom payment alone. There is also no guarantee that a business will get all its data back after paying the ransom.
Ransomware victims paid an average of $570,000 in 2021, compared to $312,000 in 2020. (Source: Unit 42 cybersecurity consulting group)
“In the event of a ransomware attack, you want to be able to restore your system from backups,” explains Crews. “Restoring from your backups can be more reliable and less expensive, plus you’re not paying the criminals.”
Remember: Diligent and proactive cyber hygiene is an organization’s best defence against cyberattacks—and will help with securing cyber insurance in today’s hard market. To discuss further, please contact your broker.