We know ransomware is rampant. It is also becoming more sophisticated and increasingly a front for state and organized crime actors to profit from.
While many companies have shored up their security measures and training, security insurance has always been their fallback plan if everything else fails. Not anymore.
According to a recent Security Magazine article (https://www.securitymagazine.com/articles/99390-ransomware-is-being-excluded-from-cyber-insurance-policies), which cites a Veeam survey (https://www.veeam.com/ransomware-trends-report-2023?ad=in-text-link), 21% of companies saw their cyber insurance policies specifically exclude ransomware, 74% saw premiums rise, 43% saw deductibles increase, and 10% saw benefits reduced.
“Outside of natural disasters taking out a whole company and its infrastructure, ransomware is likely the largest monetary impact on a company today. Excluding ransomware from security insurance can put the company out of business as much as the ransomware attack itself,” write Object First’s technical director Anthony Cusimano and its chief executive officer David Bennet in a joint email interview.
Insurers wise up
Security insurance is not the last line of defense. “Currently, security insurance isn’t being used to address ransomware itself, but instead to cover the cost of paying the attacker’s demands,” Cusimano and Bennet clarify.
However, with the rise of ransomware and the increase in state-sponsored attacks, many companies have no choice but to pay or risk losing their business (and, in the case of healthcare, impacting lives).
So why are insurance providers reducing or removing ransomware coverage? Part of the reason, Cusimano and Bennet point out, is that the providers are beginning to get a better understanding of the security landscape.
“Over the last five years, the rise of ransomware has shifted not only an organization’s risk profile as the insurance underwriters didn’t understand the potential future impact of the costs of ransomware but also in the estimated payouts. In many insurance policies, it’s all about risk mitigation, but as an underwriter, unless one can accurately assess the risk or implement requirements to mitigate the threat, it becomes a financial business risk for the insurance industry,” both write.
Security gets real
So, where does this leave companies?
Cusimano and Bennet believe companies have no choice but to ensure that threat prevention basics are covered rather than simply relying on insurance cover to bail them out. This includes looking at the endpoint, network edge, ARM solutions, etc., that may need to be updated as companies rapidly modernize their infrastructure and integrate with others.
“It is also important to ensure that you have a disaster recovery plan in place that includes a multi-level backup solution (3-2-1-1-0) and an immutable copy. From there, ensure your organization completes backup testing and disaster recovery testing on a weekly and monthly basis to get ahead of any potential issues,” write Cusimano and Bennet.
Once these are implemented, companies should keep copies of all the backup tests to prove to an insurance company that they have a lower risk factor.
“Make sure to test everything. Insurance is often viewed as the ‘if all else fails solution,’ but buying it does not mean you are suddenly bulletproof.” Cyber insurance also doesn’t include the time lost in recovery, “which can take up to three months in truly bad scenarios,” Cusimano and Bennet write. “Testing realistic recovery scenarios is the best way to really ensure one can recover with any modicum of success and timeliness before the attack happens,” they add.
The allure of immutability
One such scenario is protecting the backup copy, which ransomware actors now target to improve their chances of getting paid.
This is giving way to renewed interest in immutable backups, like Object First’s Ootbi.
“Immutability is a must-have for any type of backup storage because it is time-based, not key-based like encryption. This means that there is truly no way outside of destruction of the physical hardware to alter or remove the backup data once it is written into a device that has object lock or immutability enabled,” explain Cusimano and Bennet.
They also suggest going further with air-gapped immutable backup. “3-2-1-1-0 is the new normal for all backup admins as it provides air-gapped, cloud copy, tape, meaning the more you have, the more likely you are able to succeed in thwarting attacks on your systems,” they add.
However, immutability does not mean unhackable. Rather, immutable backups prevent modification and changes to the data and its structure.
“Remember, immutability is time-based. When you enable object lock on an S3 target and set a period for an object to be immutable, it’s written in stone and will stay there for as long as the time that has been set. Unlike encryption which only requires a key to decrypt and access, the data with immutable storage remains readable but unchangeable in an immutable state. You can truly maximize this strategy by encrypting backup data before writing it to immutable storage; that way, it’s unreadable (unless you have the key) and unalterable,” write Cusimano and Bennet.
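The 3-2-1-1-0 rule and the time-based nature of object lock described above can be checked mechanically against a backup inventory. The following is an added example, not code from the article or from Object First; it uses the commonly cited reading of 3-2-1-1-0 (three copies, two media types, one offsite, one air-gapped or immutable, zero verification errors). The `BackupCopy` fields, the 14-day minimum lock window and the sample inventory are all assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

@dataclass
class BackupCopy:  # hypothetical inventory record
    name: str
    media: str                         # e.g. "disk", "object", "tape"
    offsite: bool
    air_gapped: bool
    locked_until: Optional[datetime]   # object-lock retain-until time, None if mutable
    encrypted: bool                    # encrypted before being written to storage
    verify_errors: Optional[int]       # errors in last restore test, None if never tested

def audit(copies, now, min_lock=timedelta(days=14)):
    """Return a list of findings; an empty list means the set passes 3-2-1-1-0."""
    findings = []
    if len(copies) < 3:
        findings.append("3: fewer than three copies of the data")
    if len({c.media for c in copies}) < 2:
        findings.append("2: fewer than two media types")
    if not any(c.offsite for c in copies):
        findings.append("1: no offsite copy")
    # Immutability is time-based: a lock that lapses within min_lock
    # (an assumed threshold) does not count as protection.
    protected = [c for c in copies if c.air_gapped or
                 (c.locked_until and c.locked_until - now >= min_lock)]
    if not protected:
        findings.append("1: no air-gapped or still-immutable copy")
    for c in copies:
        if c.verify_errors is None:
            findings.append(f"0: {c.name} has never been restore-tested")
        elif c.verify_errors > 0:
            findings.append(f"0: {c.name} failed verification ({c.verify_errors} errors)")
        # Locked data stays readable unless it was encrypted before the write.
        if c.locked_until and c.locked_until > now and not c.encrypted:
            findings.append(f"note: {c.name} is immutable but readable (not encrypted)")
    return findings

# Constructed sample inventory (not real data).
NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)
SAMPLE = [
    BackupCopy("primary-repo", "disk", False, False, None, False, 0),
    BackupCopy("s3-lock", "object", True, False, NOW + timedelta(days=3), False, 0),
    BackupCopy("tape-vault", "tape", True, False, None, True, None),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE, NOW):
        print(finding)
```

Keeping the dated output of each run gives the evidence trail of backup tests that the article recommends retaining for insurers.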
More insecurity awaits
Cusimano and Bennet reason that it’s time for companies to get their security in order, especially with AI on the near horizon.
“We, the ‘IT industry,’ will keep creating ways to stop cyber threats, and the bad guys will keep trying to break it. Whenever something gains widespread usage, it inevitably becomes a prime target. As AI solutions continue to emerge on all fronts, the rate of both preventing and breaching them will keep escalating, leading to an increase in the number of attacks,” they warn.
Winston Thomas is the editor-in-chief of CDOTrends and DigitalWorkforceTrends. He’s a singularity believer, a blockchain enthusiast, and believes we already live in a metaverse.