According to Lloyd’s of London, a massive global cyberattack could result in economic losses as high as $53 billion.
Given that, it’s no surprise that an increasing number of businesses are adding cybersecurity coverage to their liability insurance. But as businesses rush to insure, what exactly these policies cover, as well as the cost of premiums, is coming under scrutiny. A key question is whether or not non-malicious human activity is covered.
On one hand, cybersecurity policies that do not cover human error — which would include falling victim to sophisticated phishing schemes, visiting Trojan-infected sites, or even deferring patches or updates — would be of far more limited value.
That’s because, according to Verizon, 81 percent of breaches are due to compromised credentials. And credentials are often compromised through human error, such as poor password behavior. Think about it: they’re your credentials and only you know them, so if someone else gets hold of them, you’ve probably erred.
On the other hand, insurance companies offering cybersecurity policies that do cover human error might find themselves in a world of hurt after one successful malware attack makes its $53 billion journey across the globe.
That’s a huge number, one that could call into question the very solvency of insurance companies after a single attack. And while I hope such attacks will be rare, WannaCry’s breakneck success — infecting 230,000 computers in 150 countries on day one, with damages pegged by Lloyd’s at a cool $8 billion — suggests otherwise.
So, where does that leave us? The level of security of user credentials across an organization will likely figure heavily into premium costs, and perhaps even be a deciding factor in culpability arguments in the near future.
A good security posture, including securing credentials, is the key to lower premiums.
Today, insurance companies offering cybersecurity policies go to varying degrees to ensure businesses are taking adequate steps to secure their data before they write (and price) policies. They are leveraging security experts such as Verizon to perform rigorous evaluations of a company’s security policies prior to determining the premium cost. And the strict protection of user credentials is a key component, as those organizations with least privilege are the ones with the least exposure to a destructive breach.
Businesses will lean heavily towards policies that do insure against human error, and considering the above numbers, they should be ready to pay hefty premiums. But much like your home insurance premiums are reduced when you install fire and burglar alarms, companies that take exceptional measures to protect themselves will see monthly premiums that reflect their efforts.
Insurance carriers are rewarding, with cheaper premiums, customers who have implemented a comprehensive set of tools, policies and best practices aimed at protecting data to the greatest degree possible, centered on the protection of user credentials.
Even more important is the implementation of least-access policies across the organization. When every user is restricted in terms of the permissions they have on systems, which systems they can access and which data they can access, attackers who use compromised credentials to break into company networks are similarly limited in the damage they can do. Insurers have found that least-access privilege reduces the attack surface, so the customer is less of a risk to them, which is why that customer’s premiums are lower than others’.
It’s always difficult to calculate the value of security because it tends to revolve around what could happen — the costs associated with recovery, downtime, lost productivity and the loss in brand value. But that is changing. Implementing the right technologies will have a direct impact on premiums and save real dollars every month. It might be time to pull out those ROI calculators and reexamine the potential cost savings associated with least-access privilege and securing your employees’ credentials, because to err is human.
This article was first published on The Last Watchdog.