Over the past two years, there’s been a huge jump in the number of ransomware attacks targeting North American businesses. While the surge in incidents might suggest hackers have changed their tricks, many threat actors are using the same tactics they always have – namely, peppering victims with malware-laced phishing emails and links, and taking advantage of software/network vulnerabilities.
“As the ransomware attacks exponentially grew, we also had the COVID-19 pandemic,” he said. “So, there were many more people working remotely and accessing corporate environments remotely, either through corporate issued laptops, or their personal laptops. And so, there was a gap in security.
“It [the gap] was probably already there, but now it becomes much more important and creates a much larger attack surface - and obviously, that revolved around how employees remote into the corporate environment, whether through remote desktop protocols, or VPN, however they’re remoting in.
“So, there’s been a significant uptick, aligning with COVID and the work from home environment, where the vulnerabilities within remote desktop protocols have been a significant driver of ransomware events, beyond phishing.”
Another common weakness that increases organizations’ exposure to ransomware and other cyber events is failure to patch. Kang encourages businesses to ensure they have good visibility of what assets and systems are on their corporate network, and to apply patches and software updates as soon as they are released.
“It’s not about any particular control. It’s not just about training your employees, it’s not just about having multifactor authentication (MFA) within your remote desktop environment,” Kang told Insurance Business. “It’s really about how the entire cybersecurity program fits in, and whether it’s risk-based, and whether the companies are investing appropriately in their areas of exposure in a thoughtful, risk management-based way.
“The way that we think about it as we underwrite is that it’s really about basic hygiene. Ransomware, at the end of day, is malware, and it’s getting into your system in traditional and non-traditional ways, so it’s really about: Do you have the basic hygiene in place? And do you have a program that is risk-based and makes sense for the exposures within your organization?”
It is now standard practice across the board for cyber insurers to mandate the implementation of MFA before they provide coverage. Kang described MFA as one of the “minimum controls” that underwriters look for, especially for access to the corporate network and to remote desktop protocol.
“But MFA’s not always that simple,” he added. “Do you have MFA for different users, depending on their levels of privilege? Do you have MFA in two particular systems? And so, what we look for is a risk-based approach in designing your program. An insured may say: ‘We have MFA for entering into the network, but we don’t have it for certain types of users, because for their environment or their business, they don’t think it really increases or decreases their level of exposure.’
“That’s the level of conversations we like to have with our insureds to really understand what controls they have in place, where have they invested, and whether they have adopted an approach that aligns with their philosophy, their culture, and their exposures.”
For the past 10 years, there has been discussion of a ‘zero-trust framework’ or ‘zero-trust architecture’ within the cyber security community. Zero trust essentially means that a company grants no implicit trust to a user or device simply because it is already inside the corporate network: every request is treated as though it could come from a bad actor, and it must be continuously verified and authorized before access is granted.
According to Kang, one potential silver lining of the recent surge of cyberattacks is that more and more companies are thinking about zero-trust concepts to shore up their cyber risk management.
“The zero-trust concept is really about three things,” he explained. “One is securing access so that nothing and no-one gets access unless it’s been authenticated, authorized or verified, and oftentimes, you have to go to a policy centre to do those verifications. The second thing is really about privilege, so even if you have access, you’re only going to have access to the minimum areas that are required for your particular identity. And then the third thing is really capturing and logging all the traffic within your environment.
“When I say we want insureds to take a risk-based approach to cyber security and we want them to have a program that makes sense for their business, at a high level, we’re really talking about those zero-trust concepts. We want insureds to assume and make sure that their information security programs are leveraging these concepts to not only better secure their environment, but also to make sure if something does happen (and we all know there’s no 100% security, there’s no perfect security) that they are minimizing the impact on their organization.”
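The following is an added example, not code from the article, from Insurance Business or from any insurer: a minimal policy decision point in Python that puts the three zero-trust concepts Kang lists, and the risk-based MFA question from earlier in the interview, into working form. Every request is evaluated on identity, MFA state and the resource requested rather than on network location; each role is scoped to the minimum set of resources it needs; and every decision, allowed or denied, is written to an audit log. The role table, resource names, the `Request` and `Decision` types and the `decide` function are assumptions chosen for illustration; the sample requests are constructed.

```python
"""Minimal zero-trust policy decision point (PDP).

Added example; not the article's code. Policy tables, type names and the
sample requests below are illustrative assumptions, not a real deployment.
"""
from dataclasses import dataclass, asdict
import json

# Constructed sample policy: the minimum resources each role needs (least privilege).
ROLE_RESOURCES = {
    "staff": {"mail", "wiki"},
    "finance": {"mail", "wiki", "ledger"},
    "admin": {"mail", "wiki", "ledger", "rdp-gateway", "domain-controller"},
}
# Privileged resources for which a verified MFA factor is mandatory regardless of role.
MFA_REQUIRED_RESOURCES = {"ledger", "rdp-gateway", "domain-controller"}
# Privileged roles that must present MFA for every request, even to low-tier resources.
MFA_REQUIRED_ROLES = {"admin"}
# Sessions older than this must re-authenticate; trust is never indefinite.
MAX_SESSION_AGE_S = 8 * 3600


@dataclass
class Request:
    user: str
    role: str
    resource: str
    mfa_verified: bool
    session_age_s: int
    source_ip: str  # recorded for forensics only; never used as a trust signal


@dataclass
class Decision:
    allowed: bool
    reason: str


# Every decision lands here; in practice this would stream to a SIEM.
AUDIT_LOG: list = []


def decide(req: Request) -> Decision:
    """Authenticate, authorize and log a single request.

    Note what is deliberately absent: there is no check of source_ip against an
    'internal' range. Being on the corporate LAN or VPN grants nothing.
    """
    allowed_resources = ROLE_RESOURCES.get(req.role)
    if allowed_resources is None:
        decision = Decision(False, f"unknown role '{req.role}'")
    elif req.session_age_s > MAX_SESSION_AGE_S:
        decision = Decision(False, "session expired; re-authentication required")
    elif req.resource not in allowed_resources:
        # Least privilege: identity is valid but the resource is outside its scope.
        decision = Decision(False, f"role '{req.role}' is not scoped to '{req.resource}'")
    elif (req.resource in MFA_REQUIRED_RESOURCES or req.role in MFA_REQUIRED_ROLES) \
            and not req.mfa_verified:
        # Risk-based MFA: required by privilege level, not applied uniformly.
        decision = Decision(False, f"MFA required for '{req.resource}' / role '{req.role}'")
    else:
        decision = Decision(True, "authenticated, authorized and within scope")

    # Third concept: capture everything, including denials, for detection and IR.
    AUDIT_LOG.append({**asdict(req), **asdict(decision)})
    return decision


def dump_audit_log() -> str:
    """Return the audit log as newline-delimited JSON, one record per decision."""
    return "\n".join(json.dumps(entry, sort_keys=True) for entry in AUDIT_LOG)


if __name__ == "__main__":
    # Constructed sample traffic: an ordinary user, an admin with and without MFA,
    # a finance user reaching past their scope, and a stale admin session.
    samples = [
        Request("alice", "staff", "wiki", False, 600, "10.0.0.5"),
        Request("bob", "admin", "rdp-gateway", False, 600, "203.0.113.9"),
        Request("bob", "admin", "rdp-gateway", True, 600, "203.0.113.9"),
        Request("carol", "finance", "domain-controller", True, 600, "10.0.0.7"),
        Request("bob", "admin", "mail", True, MAX_SESSION_AGE_S + 1, "10.0.0.9"),
    ]
    for r in samples:
        d = decide(r)
        print(f"{r.user:6} {r.resource:18} allowed={d.allowed!s:5} {d.reason}")
    print(dump_audit_log())
```

The point of the example is what it does not do: the admin request from the internal address 10.0.0.9 is refused just as readily as the one from 203.0.113.9, because network position never enters the decision. Only the identity, the MFA state, the session age and the resource scope do.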