Cyber insurance: here to stay, whether we like it or not

Cyber insurance: here to stay, whether we like it or not

Cyber insurance has been a big talking point in infosec circles for many months now. We’ve mentioned it in passing ourselves a few times, usually in relation to ransomware attacks.

This isn’t surprising; ransomware may not be the threat that brought cyber insurance to life, but it absolutely helped to supercharge it. Depending on where in the world you reside, the actual act of wrapping insurance around computer security can be quite a technical challenge.

Not a month goes by where a business or city council isn’t making headlines alongside big payouts from insurance providers. Generally, the reception to insurance and ransomware isn’t massively positive. This is because of the oft-suggested possibility that it encourages ransomware.

However, eliminating cyber insurance as an option altogether could also bring about disastrous results for organizations.

They’ll keep coming back for more

It was bad enough when victims handed over cash to attackers, because people were putting themselves out of pocket to recover files. With advice from law enforcement occasionally becoming a little confusing, insurance suddenly pops up and makes the whole process a little more official, a little more formal.

At this point, it doesn’t really seem to matter much if the victims pay up off their own back, if they hand over a ransom then reclaim money from insurers, or if the insurer is simply on hand to cover recovery and cleanup costs. The bottom line is, it’s hard to argue that this doesn’t just keep the attacks coming. And with bigger payouts promised by providers, it seems the next logical step would be cybercriminals upping their ransoms, too.

Did they only ask for a few hundred dollars last time? Too bad, they’ve seen the adverts promising up to $50,000 to victims. If companies are happy to hand over that kind of money, then why not ramp up the ransom in corresponding fashion? The attackers have got little to lose, except the take spent on targeting more potential victims.

All the same: It’s possible that just maybe we’re being a little too hard on insurers.

Evening the odds?

We really can’t throw the insurance-shaped baby out with the bathwater. There are a number of fairly standard pieces of infosec wisdom that indicate the ransomware problem—nay, the entire cybercrime economy—is benefiting from multiple gaps in organizations’ security. You’ll hear some of these talking points weaved into conference presentations, or on blogs, including our own.

These gaps include lack of training, lean IT and security staff, lack of incident response plans, the need for layered defense, ineffective backup systems, and much more. While individuals and organizations will naturally differ on the fine points, the broad strokes usually end up aligning much of the time.

However, when you actually sit down and take in all these points as a whole, it does seem that cyber insurance is one possible natural response to fill the gaps left by the areas these common talking points focus on.

Taking the long road

By and large, there’s a long way to go where security is concerned—especially in the workplace, and with so many attacks currently focusing almost exclusively on businesses. No matter how good the network admin thinks their systems are locked down, there’s going to be a large variation in technical skillsets in any workplace.

Lots of employees probably aren’t that great with computers. It’s still not unusual to encounter workers who can only use the computer in front of them to perform the specific task required for their job, and nothing else. Factor in phishing as a common attack vector, and the gaps in an organization’s security posture widen into canyons.

It’s training time

The employees we speak of likely do not go on Reddit, or read The Register, or this blog, or any other security resources. Is it reasonable to expect someone crunching out 40+ hours a week in a high-pressure environment like a call center to also jam their way through dozens of infosec resources in a constant battle of playing keep-up?

Of course not, which is why businesses should be training their staff effectively in security practices. Except, we know a lot of the time that doesn’t happen either. Without the necessary budget available—or even someone on hand who knows about cybersecurity policy, assuming the business can afford them—you’re not going to see a lot of infosec brown bag lunch sessions.

You probably will see a lot of people being told to read the Internet AUP on their Intranet, but that’s about it. Large organizations can often afford the luxury of dedicated trainers who keep providing sessions outside the initial week-long orientation, but that’s often all that’s available.

Humorously, one of the few businesses I’ve come across that could afford a rotating set of permanent training staff all day long for employees was an insurance company.

Training: time, money, and effort

Even if a subject matter expert can afford some sort of training, it takes a sizable amount of hard work to constantly source information on new threats and how to mitigate them. While a lot of threats are quite mundane and fairly old, they still work, which is why they keep coming back.

Additionally, there really are attacks out there which fall under the “pretty smart and quite sophisticated” banner from time to time. Sometimes a new threat is pretty much old hat after a month, such is the pace now. All these factors can ultimately lead to battle fatigue of the most serious kind: simply giving up.

An eventual admission of defeat is usually accompanied by training which quickly goes out of date. At that point, we’re back to square one: no training and no chance of keeping up with the Malware Joneses.

A wafer thin layer of security

This is the part where we’d turn to our ultra secure, layered slice of unbreachable defense—except for many businesses, it simply doesn’t exist. In fact, we argue 100 percent preventative security is a myth altogether. But smart and effective security solutions are out there for organizations. The problem is many either don’t have the budget for them, don’t understand how to use complex programs, or don’t even realize they exist.

Home users probably have it worse, as we’ve gone from “actual organization with maybe someone trained in this charged with holding things together” to “random home user who wasn’t sure which security tool to buy, so they bought nothing instead.”

While it’s possible ransomware authors may use the thought of vulnerable home users plus big insurance payouts to shift attacks back from business to consumer, these things tend to swing back and forth more often than not. It’d be more surprising if attackers’ attention didn’t eventually return to consumers anyway.

Back it up a little

At last, we turn to our old friend the backup. One of ransomware’s greatest enemies, yet (again) not as well and widely-deployed as it could be. Many people’s first experience with backing up files is sadly the point where they’ve already lost everything.

External storage can be expensive depending on budget requirements. Cloud storage is a more secure solution, but it has its drawbacks as well. Businesses have a lot more cash available in this respect, but a sensible and orderly backup plan is often replaced by “massive pile of random files in duplicate folders, and what even is all of this stuff anyway?”

It’s also quite likely that however expensive insurance is, making backups will be cheaper for most consumers and small businesses. If the insurance policy insists on you making backups in order to be covered, it’s arguable that you’re then paying for something you’re already negating by backing up.

This is a bit of a simplistic view though, as backing up files doesn’t prevent the infection of endpoints. So, if systems go offline or if the organization cares to clear the infection from the network, they still might need insurance coverage for cleanup and recovery.

All those wonderful backups aren’t much use if the malware authors do more to the network than “simply” lock up some desktops and plaster a few ransom notes all over the place. Coming back from a ransom outbreak is no mean feat, and many organizations would probably be quite grateful for the assistance when disaster strikes.

On the flip side, if backups aren’t required by the insurance firm then one could ask how seriously is the insurance firm taking the threat. Are they interested in encouraging a minimum baseline for what people should be doing, or are they simply resigned to handing over wads of cash forevermore?

Staking a claim

With all this in mind, is it any wonder that insurance is now a growing market? Are we able to criticize this growing aspect of security with a straight face, when the truth of the matter is the dam is not only breaking in several places but has pretty much collapsed entirely for some folks?

Criticizing someone for paying the ransom when it’s their only way to get their baby photos back, or stop a business from going under and ruining lives is a tough call. So, too, is out-and-out condemning a newish form of business model, which for some people may be their only realistic hope to get back on track.

Perhaps the security industry needs to start looking at how insurance can more effectively bridge the gap between offering victims a hand and needlessly encouraging massive payouts, which may serve to encourage ransomware authors—and other forms of attack.

One thing’s for certain: Cyber insurance isn’t going away. So it’s up to all of us to figure out the best way to make it work for everybody.


Christopher Boyd

Former Director of Research at FaceTime Security Labs. He has a very particular set of skills. Skills that make him a nightmare for threats like you.