What does COVID-19 mean for cyber insurance?
By Jacqueline Jayne, Security Awareness Advocate, KnowBe4 APAC
Cyber insurance hasn’t always been a priority for APAC businesses, but thanks to COVID-19 it’s now firmly at the top of the agenda. Or at least it should be, with cyber criminals all over the world exploiting the pandemic to ramp up their attacks. A recent KnowBe4 report found that coronavirus-related phishing attacks have sky-rocketed, with 56% of all attacks relating to COVID-19.
According to VMWare Carbon Black, 53% of incident response professionals experienced an increase in cyberattacks exploiting COVID-19 in 2020 and 93% of all Singapore respondents stated that they had seen an increase in overall cyberattacks as a result of employees working from home.
So, it’s clear cyber insurance is key to an organisation’s risk management strategy. But getting the correct level of cyber insurance in place has become harder in recent months thanks to a new trend in ransomware infections called data exfiltration.
How the threat landscape has changed
Traditional ransomware attacks would involve cyber criminals hacking an organisation and taking its data hostage, then demanding a ‘ransom’ payment to return it. Initially the returns for attackers were high, as organisations were caught off guard. But businesses quickly learned to protect themselves with data backups and to focus on the ability to restore data quickly in the event of an attack.
Cyber attackers needed to change their modus operandi in order to see the same rewards, and in late 2019 we saw the first cases of ransomware combined with data exfiltration. Now the risk includes cyber criminals disclosing data without authorisation, and the ability to restore data quickly is no longer adequate protection. Thanks to COVID-19, the associated risk of data disclosure is suddenly even larger, with the move to telehealth and online learning providing juicier targets for cyber criminals.
What does this mean for Cyber Insurance Planning?
To protect against the old ransomware attack models, for example, an organisation could budget $1 million to cover recovery and costs such as downtime and digital forensics. However, in a situation where cyber criminals have publicly disclosed stolen data, that protection would not be adequate as costs would be significantly higher.
Businesses need to factor in setting up a call centre and response website, dealing with legal issues and potential regulatory fines, holding press conferences and involving public relations firms as well. Even the digital forensics costs would be higher, as investigators not only have to look into how the attackers got in (hint: it is usually a phishing email or remote access portal) and what malware or back doors they left behind, but now also have to find out what data was exfiltrated and the extent of the customer data impacted.
Previously, if during an old-school ransomware attack no data left the organisation and the business was operational again quickly, there would be no reason to disclose an attack outside of the organisation and such events would often go unreported. Now, if customer data is exfiltrated, businesses are subject to entirely different reporting and notification requirements.
Protecting your organisation
There is no security control in an organisation that is 100% effective all the time. That “silver bullet” just does not exist, yet it is often an excuse to focus on recovery rather than prevention. That is a huge mistake and one that, now that data is being exfiltrated and exposed, is even more costly. A better approach is to stop attacks before they occur.
With many cyber-attacks, and ransomware in particular, the criminals almost always gain access through a phishing email or through a remote access portal (such as Windows Remote Desktop Protocol or RDP) being insecurely exposed to the internet.
So how do you prevent your employees falling victim to phishing? The most effective way is through user awareness training. With respect to the remote access issue, wherever possible, enable Multi-Factor Authentication (MFA), make sure to log all authentication attempts, lock accounts after multiple failed attempts and report failures quickly. This will help spot brute force attacks and reduce the chance that the attackers will be able to log in using credential stuffing techniques or common passwords (two behaviours that should also be addressed in training).
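The logging and lockout advice above, as an added example that is not from the article or from KnowBe4: a small Python detector run over constructed authentication log lines from a remote access portal. It flags the per-account failure count a lockout policy keys on, the one-source-many-accounts pattern of credential stuffing that per-account lockout alone misses, and a success that follows such a run. The log format, field names and thresholds are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample authentication log for an internet-facing remote access
# portal (not real data); the "<time> <RESULT> user=<u> src=<ip>" format is assumed.
SAMPLE_LOG = """\
2020-05-04T09:00:01Z FAIL user=alice src=203.0.113.10
2020-05-04T09:00:03Z FAIL user=alice src=203.0.113.10
2020-05-04T09:00:05Z FAIL user=alice src=203.0.113.10
2020-05-04T09:00:07Z FAIL user=alice src=203.0.113.10
2020-05-04T09:00:09Z FAIL user=alice src=203.0.113.10
2020-05-04T09:01:00Z FAIL user=bob src=198.51.100.7
2020-05-04T09:01:02Z FAIL user=carol src=198.51.100.7
2020-05-04T09:01:04Z FAIL user=dave src=198.51.100.7
2020-05-04T09:01:06Z OK user=erin src=198.51.100.7
2020-05-04T09:05:00Z FAIL user=frank src=192.0.2.55
2020-05-04T09:05:30Z OK user=frank src=192.0.2.55
"""

LINE_RE = re.compile(r"^(\S+)\s+(OK|FAIL)\s+user=(\S+)\s+src=(\S+)$")

def parse(log):
    """Yield (ok, user, src) per attempt; lines that do not parse are skipped."""
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            _ts, result, user, src = m.groups()
            yield result == "OK", user, src

def analyse(log, lockout_after=5, stuffing_accounts=3):
    """lockout:  accounts at the failure count where a lockout policy should fire
    (a single-account brute force looks exactly like this);
    stuffing: sources failing against many distinct accounts (credential stuffing);
    followed: a success from a source that had just failed against other accounts."""
    fails_per_user = defaultdict(int)
    failed_users_per_src = defaultdict(set)
    followed = []
    for ok, user, src in parse(log):
        if not ok:
            fails_per_user[user] += 1
            failed_users_per_src[src].add(user)
        elif failed_users_per_src[src] - {user}:  # a typo by the same user is not a signal
            followed.append((user, src))
    return {
        "lockout": sorted(u for u, n in fails_per_user.items() if n >= lockout_after),
        "stuffing": sorted(s for s, us in failed_users_per_src.items()
                           if len(us) >= stuffing_accounts),
        "followed": followed,
    }
```

Calling `analyse(SAMPLE_LOG)` on the constructed log reports alice for lockout, the 198.51.100.7 source for stuffing, and erin's login from that source as the success to investigate first; frank's single failed attempt followed by his own success is left alone.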
Ransomware is not going away any time soon and COVID-19 is making things worse than ever. Organisations would be wise to review current cyber insurance coverage to ensure that it meets the new threats of ransomware attacks. In addition, it makes more sense than ever to tackle preventative measures such as new-school security awareness training and reviewing the configuration and controls around remote access portals to avoid these types of issues in the first place.