Cyber Security and Risk Mitigation
Security leaders should be exercising every available option to upgrade their security posture, and cyber insurance policies could make or break the resiliency for many organizations across nearly all industries — K-12 education, retail, healthcare, manufacturing and more.
Just last month, thousands of organizations were shut out of their digital environment for hours as a defective software update from security company CrowdStrike took down computers running Microsoft Windows all over the world. The system outage that resulted is one of the largest ever and laid bare just how fragile the global IT infrastructure is even without any attacks from threat actors. But the threat landscape has also never been more fraught, with ransom demands rising 20% year-over-year as bad actors seek larger payouts from their targets.
For leaders who want to ensure they’re prepared, the time to act is now. High-risk industries need help, and effectively aligning their security investments with a cyber insurance policy is a strong foundation in building resilience. Cyber insurance acts as a safeguard and lifeline if a business is hit by an attack or, in cases like the CrowdStrike and Microsoft Windows event, a significant IT outage, although not all policies will cover non-attack incidents. Essentially, whether an impacted organization has a cyber policy may be the difference between paying millions out-of-pocket to an attacker or resuming business as usual overnight.
But the attackers themselves have expanded their list of targets while also exploring other ways to extort their victims, like creative Business Email Compromise (BEC) attacks.
These types of attacks are essentially a type of email-borne phishing fraud in which an attacker attempts to trick members of an organization into transferring funds, sensitive data, or something else of value, like their credentials. Some 70% of organizations surveyed in the 2024 Arctic Wolf Trends report reported that they were the targets of an attempted BEC attack within the last 12 months. The FBI’s most recent Internet Crime Report estimates the losses caused by BEC at $2.7 billion in 2022. This is 80 times greater than those caused by ransomware attacks.
Cybersecurity is about risk mitigation, and more active attackers means a higher risk for all industries, especially those who have been most impacted by attacks this year, including finance, manufacturing, government and the education and nonprofit sectors, according to Arctic Wolf Labs.
Insurers have also responded to the evolving threat landscape and stepped up their requirements for policyholders. However, there are several steps that businesses in any industry can take to set themselves up for the most favorable terms on their next cyber insurance policy, according to insurance underwriters.
First, implementing the essential basics of cybersecurity like strong Identity Access Management tools — Multi-factor authentication, Virtual Private Networks and strong password requirements, and log retention — will go a long way toward ensuring that a business is looked upon favorably by an insurer.
Second, Managed Detection and Response (MDR) and
24/7 monitoring are considered the most important controls that some insurance carriers look for due to its combination of threat detection and human-led response that improves threat detection accuracy, enhances remediation response and ultimately reduces incident severity. MDR also provides in-house IT teams with the opportunity to work with expert security teams around the clock, enhancing their protection in ways that would otherwise be impossible for resource-constrained organizations.
Additionally, organizations that demonstrate a strong “security culture” with regular security awareness training, patching and rewarding a “see something, say something” attitude may further separate themselves as favorable risks.
As public and private entities alike continue to build their cyber resiliency, we encourage them to work with a trusted insurance broker to effectively evaluate their cyber security and insurance portfolio. With proper guidance and implementation of security controls, organizations can maximize their risk management benefits and have confidence in the face of an ever-changing threat landscape.