Inexpensive measures working in tandem with your insurance policy can save your organization from a crippling cyber incident

When it comes to cyber security incidents, describing the fallout can be abstract and hard to quantify. There can be vagaries to describe the damage wrought across different industries and organizations, as each may have a unique risk profile that impacts losses and recovery. Yet one thing is certain, a cyber attack on a business can cause significant damage to a business, one that may even threaten its very existence. With that in mind, take a moment to consider if your organization could survive this scenario:

  • Approximately 6 weeks of hard downtime, with an additional 2 months required for full recovery
  • $1 million paid in ransom, with another $500,000 in direct recovery costs
  • Significant loss of market confidence after customers filed multiple lawsuits
  • Unknown costs due to legal liability and loss of further business

    This was the case for an organization in 2022, a technology company with over $100 million in yearly revenue. After a ransomware attack, the company lost over 250 terabytes of data and millions of dollars in recovery costs in the attacks aftermath. Without an insurance policy, the company could have shut down entirely.   The tragedy is how easily this incident could have been avoided. The company could have prevented this attack entirely had it effectively deployed common security controls. While there is no single solution that can stop every cyber attack an organization may face, implementing basic cyber security measures is a straightforward action that all organizations can take to help prevent scenarios like the one above.   Here are some of the simple yet effective security controls that can markedly improve an organizations security posture:  

Multi-Factor Authentication

The incident from the example above started with a phishing email that led an employee to enter their legitimate credentials in a fraudulent password manager login window. Had this organization been using multi-factor authentication (MFA) for those credentials, it would have helped prevent the attack in one of two ways:  

  1. The attacker would have been stopped because they did not possess the means to obtain the other factor needed for a successful login.
  2. The attempt at obtaining a second factor would have signaled that someone was attempting to infiltrate the organizations system. 

  At-Bays claims data shows that 8% of attacks leverage stolen credentials for intrusion. Attackers then use these credentials to make lateral movement through a network undetectable. While every organization will have a unique implementation of MFA based on its specific needs, existing infrastructure, and security requirements, it provides an extra layer of security that significantly reduces the risk of unauthorized accesses and compromises.   There are different kinds of MFA, and any use of MFA is better than none. Some of the different versions of MFA are:  

  • Hardware tokens: Physical devices used as a second factor to generate and display one-time passwords or connect to a computer via a USB port.
  • Software tokens: Similar to hardware tokens, software tokens are virtual, typically generated and stored on a mobile device or computer. They can be used in conjunction with a password or PIN for authentication.
  • Smart cards: A combination of hardware and software, smart cards are credit-card-sized plastic cards embedded with a computer chip. They securely store authentication data and can be used for physical or digital access control as an authentication factor.
  • Biometrics: This type of authentication relies on unique biological characteristics of the user, such as fingerprints, retina or iris scans, facial recognition, or voice recognition.

A Plan for Patching

If cyber criminals cant trick your staff into handing over their credentials, they are going to try to poke holes in your software. At-Bay has found that 12% of attacks exploited a software vulnerability for intrusion.[1]  However, your organization can plug these holes by developing a patching strategy that goes into action as vulnerabilities become public.   When cyber criminals leverage these vulnerabilities, they move fast. Security professionals begin to see attacks targeting specific software vulnerabilities hours after a proof-of-concept exploit becomes available. Developing and executing a patching plan will allow your organization to prioritize and schedule patches and updates to ensure any security vulnerabilities will be taken care of systematically and promptly. It also helps in maintaining system robustness and efficiency, which are critical for smooth business operations. Creating such a plan can be challenging without the right expertise, so partnering with an InsurSec provider can assist in developing a plan that is tailored to your organizations needs.

Rein in Remote Access

One way cyber criminals access an organizations IT system is through remote desktop applications. At-Bay found that 24% of attacks use a remote access tool for intrusion.[2]  Attackers use widely available and legitimate remote access tools (like Microsoft Remote Desktop, Team Viewer, Splashtop, etc.) to facilitate uninterrupted access. A key reason criminals leverage this technology is that legitimate remote access tools do not trigger alerts from endpoint protection tools, unless they are specifically blacklisted.   An organization should set strict policies in place to mitigate any unauthorized use of these tools. Tailoring access to remote desktops should be guided by the principle of least privilege, which means individuals should only have the levels of access necessary to complete their work nothing more, nothing less. An additional layer of security can be added by establishing secure, MFA-enabled VPN connections for remote desktop users.

Backups, but Better

While creating backups of your organizations data should be a standard security practice, its not one where you can just set it and forget it. Ransomware groups deliberately target backups to ensure that victims can’t easily recover their data. This can escalate the attacks severity, making it much more debilitating and stressful, which strengthens attackers’ leverage during ransom negotiations.   While approximately 90% of At-Bay policyholders report having backups, only 22% were able to successfully recover from incidents by using the data.[3] Not only should backups be a part of an organizations security strategy, but continuous maintenance and continuity measures can ensure that the data can be used in the event of an attack.   To minimize the risk of falling victim to such attacks, it’s important to follow best practices for data backup:  

  • Maintain at least three copies of your data.
  • Store these backups on two different types of media (USB drive, network-attached storage, magnetic tape)
  • Ensure one of these backups is off-site or stored in the cloud.
  • Regularly test backup and restoration procedures to ensure they work.
  • Ensure backup systems are not permanently connected to the devices or networks they are backing up.

Be on heightened alert with on-prem

Small and medium-sized businesses (SMBs) often run a good portion of their IT stack on premise (physically located within their own facilities rather than being hosted on a cloud platform), particularly for email.   These on-prem services paint a big target on your organization, as attackers gravitate toward internet-connected servers that they know house highly sensitive data. At-Bays claims data shows that ~41% of attacks used a malicious email as their method of intrusion, and on-prem email solutions have a 2.5X higher rate of claims compared to the leading cloud email solution.   Protecting on-premise infrastructure involves a multi-layered approach. It’s not just about protecting against external threats, but also about preparing to respond and recover quickly in the event of a breach. If your organization must rely on on-premise infrastructure, they should consider the following security measures:  

  • Network Segmentation: dividing your network into smaller parts, which can limit an attacker’s ability to move laterally within your network.
  • Endpoint Security: Protect all endpoints (computers, mobile devices etc.) with appropriate security tools, such as endpoint detection and response (EDR) or managed detection and response (MDR) solutions.
  • Firewalls and IDS/IPS: Use firewalls to block unauthorized access to your network, and Intrusion Detection Systems (IDS) or Intrusion Prevention Systems (IPS) to detect or prevent attacks on your network.
  • Patch Management: Regularly apply patches and updates to all software and hardware components (see A Plan for Patching above).

Keep it Simple

Each device connected to (and individual using) your network, no matter how insignificant, could be a potential weak point for cyber threats. This reinforces the importance of widespread and ongoing cyber hygiene practices.   While a cyber insurance policy should serve as a key part of your overall security strategy, it should not be viewed as a get out of jail free card. Investing in best practices can save your organization significant expenses in the long run by raising the bar for malicious actors and minimizing the impact a cyber attack could have on your organizations operations.


[1] Source: At-Bay claims data[2] Ibid.[3] Ibid.

 

Meet the Author

Larry Crocker, At Bay

Larry Crocker is the Head of Digital Forensics and Incident Response for At-Bay, responsible for pre and post breach remediation, digital forensics investigations, and insider threat and threat hunting services. Crocker has a wealth of experience in cyber, having previously worked as the VP of Incident Response, Counter Extortion, and Threat Intelligence at Kivu Consulting, and as the Global Director of Incident Response at Dell SecureWorks. Prior to this, Crocker worked in law enforcement investigating internet crimes against children and electronic crimes.
 
 
News Type

PLUS Blog

Business Line

Cyber Liability

Topic

Professional Liability (PL) Insurance

Contribute to

PLUS Blog

Contribute your thoughts to the PLUS Membership consisting of 38,000+ Professional Liability Practitioners.

Related Podcasts

Related Articles

March 19, 2024

Exploring Insights from the PLUS Symposium Series 2024

The Professional Liability Underwriting Society (PLUS) recently convened its much-anticipated Symposium Series…

Empty conference room with large whiteboard and projectors
February 20, 2024

Cyber University Spring 2024: Expanding Knowledge

Last week, PLUS celebrated another successful Cyber University with sessions taking place…

Man sitting in front of computer writing in notebook
February 15, 2024

Cyber and Class Actions Litigations are on the Rise Webinar Recap

The PLUS Cyber Symposium webinar, Cyber and Class Actions Litigations are on…