IT Brief Australia - Technology news for CIOs & IT decision-makers
What do you need to do to raise your cyber resilience?
Mon, 29th May 2023

All types of organisations, from global companies to small and midsize businesses, use technology to do business and therefore face some level of cyber risk. You only need to reflect on the recent experiences of Medibank and Optus in Australia to see why cyber insurance is critical (although Medibank, an insurance company, did admit subsequently it did not have cyber insurance).

With the changing tone of Government cybersecurity policy in Australia, it is clear that the ability to compensate customers following a breach, if a lax cybersecurity approach is identified, will likely become a requirement.

And with notifiable breaches on the rise across all types of businesses in Australia - 497 in the second half of 2022 alone, 26% more than in the first half of 2022 - no organisation is immune to the threat of a breach.

As technology becomes more complex and sophisticated, so do the threats. This is why organisations are increasingly turning to cyber insurance to manage and mitigate their risk.

Cyber insurance security requirements are getting tighter

Insurance companies are tired of paying out for breaches that could have been prevented and incidents that could have been contained. They recognise there are a lot of vulnerabilities for businesses, and in collaboration with vendors and service providers, are mandating best-of-breed security tools that can offer meaningful risk mitigation.

For example, multi-factor authentication (MFA) has gone from a nice-to-have to a critical requirement, with businesses unlikely to be eligible for cyber insurance coverage without it. Then we started to see insurers mandate detection and response tools such as Endpoint Detection and Response (EDR) and Managed Detection and Response (MDR).

Now, with the understanding that breaches are inevitable, insurers are also starting to mandate Zero Trust Segmentation (ZTS) – a technology that divides enterprise networks, data centres, cloud environments, or endpoint estates into multiple segments or subnets, with Zero Trust principles governing movement between zones. Unlike prevention and detection technologies, ZTS stops the spread of breaches by shutting down pathways for lateral movement and only allowing wanted and necessary communication.

Why businesses need Zero Trust Segmentation

When you look at the total cost of most breaches — outside of DFIR (Digital Forensics and Incident Response) and paying the ransom itself — the most expensive part is recovery.

The reason we're seeing insurance companies and regulators push for segmentation, even downmarket into small and midsize businesses, is because preventing an attack from spreading to just a few devices instead of all of them decreases the cost of recovery dramatically. That’s why you see updated underwriting packages from carriers where segmentation is now required for critical assets or endpoints (which are typically the starting point of many breaches).

Fortunately, recovery costs can be controlled in a major way if you are doing ZTS and preventing breach spread. A recent attack emulation performed by Bishop Fox found that ZTS not only stopped attacks more quickly and improved detection time – it prevented the attacker from breaking out of the initial compromise point; thus, the damage to the company was greatly reduced, and recovery from the attack was much faster.

ZTS doesn’t rely on detection like other tools, and if traffic can’t reach your critical assets, it can’t infect them, no matter what attack technique is used.

The future of insurance includes security tools and service providers

Cyber threats are showing no signs of slowing down. Long-term, we can expect to see insurance companies acting more like regulators. They will continue to get stricter in the disclosure requirements and what companies must have in their security stack.

The future of cyber insurance is a tight-knit collaboration that combines security vendors, service providers, and insurance companies. Trusted service providers can help alert IT leaders to develop good security hygiene proactively and equip organisations with a security stack that makes a meaningful impact.

ZTS is proactive security that reduces cyber insurance costs

Cyber insurance should be a key piece of your risk strategy, but it can’t be the only piece. For example, if you own property, would you only buy fire insurance, not smoke alarms and fire mitigation controls? Hopefully not — but even if you did, you would expect to pay a higher premium, given that you haven’t deployed controls that reduce your fire risk. So, when should ZTS become a part of your organisation’s security strategy?

If you already have MFA and EDR/MDR products, then ZTS should be your next priority — if it hasn’t been mandated already. Not only will you be ahead of the curve before your next cyber insurance policy renewal, but you will be able to strengthen your existing detection tools’ effectiveness by lessening their dwell time weakness while also significantly increasing your response capabilities.