Cyber hygiene controls critical as cyber threats intensify

Cyberattacks continue to increase, fueled by more sophisticated and persistent attackers. Ransomware attacks alone have increased by a staggering 148% and multimillion-dollar ransom payment demands are no longer a rarity. And unlike in past years where certain industries, such as healthcare, were more likely to be targeted, companies in all sectors are at risk.

As cyberattacks and related claims have skyrocketed, insurers are taking a much more cautious stance — tightening their underwriting controls, carefully scrutinizing all cyber insurance applications, and asking more questions than ever before about applicants’ cyber operating environment.

Controls are key

Even companies with no cyber claims history face an arduous renewal process. And those that do not satisfy insurers’ expectations are often facing the prospect of non-renewal or are unable to get their preferred coverage, with limitations becoming more common especially in relation to ransomware.

Insurers are greatly focusing on the controls organizations have in place to become cyber resilient. While these controls have been established best practices for several years, some organizations are still struggling to adopt them — most often because they have not been able to justify the cost or did not understand or see the need for controls. Although cyber resilience controls were previously required in regulated industries, they were often more about checking a box than enhancing security.

But with their insurability — and potentially also their financial stability — at stake, organizations across the board need to make a concerted effort to adopt controls that mitigate ransomware risks and improve their cybersecurity posture and resilience.

5 controls to adopt now

There are 12 main areas that organizations should focus on (see figure above). However, as a starting point, they should prioritize the following five cyber hygiene controls to have the most impact on insurability, mitigation, and resilience:

1. Multifactor authentication (MFA). Hackers today have access to technology able to break user passwords, even ones considered strong — especially when users reuse passwords across multiple sites, which occurs frequently. Organizations should bolster their security through MFA, which requires at least two pieces of evidence (factors) to prove the user’s identity. Usually, the two factors are something you know and something you have. For example, a time-sensitive pin code delivered either through an app or via text message is often a second factor on top of the user’s password. Although no cybersecurity tools are perfect, MFA provides a substantial barrier to entry.
2. Endpoint detection and response (EDR). It’s important for companies to have up-to-date information about the security posture of any devices employees use to receive corporate information, whether it’s a laptop, desktop, or mobile device. Widely available software gathers critical information, such as the location of the device, the last time it was updated, current software version, and any attempts to download new software. EDR offers continuous monitoring and more advanced detection and automated response capabilities. The monitoring software will watch for any suspicious or irregular activities. EDR also facilitates rapid incident response across an organization’s environment.
3. Secured, encrypted, and tested backups. Increased ransomware activity underscores the need for organizations to have a robust backup strategy for their critical data and applications. Backup intervals will depend on how often the data changes, but most organizations run periodic full backups — for example weekly or multiple times per month — and more regular incremental backups daily or every few days. Backups should be encrypted so that they cannot be tampered with. It is a best practice to logically separate backups from the network to ensure they’re not easily accessible to any threat actors. Immutable backups, which lock up previous versions of your backup to prevent it from being altered or deleted, offer a similar layer of security. The IT / IS department should establish a data restoration testing schedule during which backups are restored to ensure that they are working as intended.
4. Privileged access management (PAM). Users should be required to use higher security login credentials to access administrator or privileged accounts. And, special users — such as IT, network, or database administrators — should only be allowed to carry out specific tasks through their privileged access. Users with privileged or administrator accounts should be required to log out of their privileged accounts to conduct any non-privileged tasks. That means that a system administrator that logged in through his or her privileged account to change security settings should log out after that task is completed and be required to use ‘standard user’ credentials to check email or browse the web, even if these are work-related tasks. Many organizations implement privileged access management solutions to automate privileged credential management and session management.
5. Email filtering and web security. Email and web browsing platforms are full of pitfalls and need to be controlled to avoid threat actors gaining an initial foothold into your network. Email filtering seeks to identify any messages that include links or attachments. Advanced systems will screen links and attachments to identify any potential malware or other malicious content. Flagged attachments can be opened in a “sandbox” to be thoroughly checked for malware. Organizations should block access to any web pages that are deemed inappropriate and those that may contain malware. These security controls should be active at all times, whether a user is working at the office or remotely, to prevent exposure to websites where bad actors may be seeking to take advantage of unsuspecting web browsing activity.

In a more difficult insurance market, having the necessary controls in place can help you achieve your risk transfer goals. And, the right cyber hygiene controls will provide organizations with a higher level of security, a better ability to identify threats, and ideally allow you to recover more quickly from an attack.

For more information, contact your Marsh representative.