An unlikely cybersecurity hero: Your insurance company
In 2021, there were 623 million cyberattacks worldwide. If there’s an opportunity to enter a business’s premises undetected, cybercriminals will find it. In the digital age, no organization is safe from cyberthreats. Size doesn’t matter.
A recent report by cyber insurance provider At-Bay highlights that ransomware is the biggest digital threat to American businesses, responsible for an estimated 60% of all domestic cyber insurance claims in 2020. In the last year, the average ransom payment has nearly doubled, and the average total loss is $1.8 million for a single incident.
Rotem Iram, co-founder and CEO of At-Bay, explained that a major challenge facing business owners is that security governance and government regulations have failed to keep up with the speed of technology adoption and innovation — and their corresponding new risks.
“Software became the single most important driver of productivity and growth for all businesses in a very short amount of time,” he said. “Not surprisingly, cyber risk grew in parallel to the adoption of technology, but unfortunately, the software and security industries failed to adapt to the growing risk.”
“The average organization uses hundreds of different types of software. Just keeping track of all of them, let alone ensuring they are all up to date, is very complicated — especially if you're a smaller company with little resources,” said Iram. “And on the other side, you have well-organized criminal organizations that can employ attacks at scale. It's unrealistic to expect companies to be able to fare well on their own.”
Protocol talked with Iram about the state of cybersecurity, the benefits of cyber insurance, and his hopes for the future of security.
What’s the biggest misconception about cybersecurity among business leaders?
I'll give you a misconception and I'll give you a blind spot. I think the biggest misconception is that most cyberattacks are highly sophisticated. In reality, the most active cybercriminals aren't sophisticated state actors. They’re middle-of-the-road criminals exploiting the same basic technology and configuration issues, over and over. It’s actually quite mundane, but that’s how most of the damage happens.
As for the blind spot, it’s the technologies we depend on to run our businesses. You might be running a server or a VPN that is perfectly safe, and then one morning, due to no fault of your own, it's no longer safe — it's actually incredibly at risk. We come to find the software we depend on is full of holes, like Swiss cheese. It’s incredibly porous and easy to break into. And the company you bought it from has no obligation or liability to make sure the vulnerabilities it created are fixed.
Can you paint a picture of the impact of a security breach?
I’ll give you an example from our own industry: This past July, a large insurance company experienced a ransomware attack. In a basic ransomware attack, the hackers encrypt the victim's data and demand a ransom from the organization to regain access. In this instance, the attackers first siphoned out a few terabytes of data, and then to ratchet up the urgency of their ransom demand, began leaking this stolen data, which included sensitive information such as health care records, employee HR and salary information, and more. Employees became victims of identity theft based on the leaked information. And even once the ransom is resolved, the organization must still manage long-term impacts to their reputation, investor relations, regulatory scrutiny, employee issues, and so much more. They could be dealing with the fallout for years.
How does At-Bay help protect organizations?
Simply put, we help stop ransomware attacks from happening. That’s what really differentiates us from other insurance companies. We don't just provide you with insurance in case you’re attacked; we have a security team that actively monitors your risk throughout the policy year. That team employs very similar tactics to those used by attackers to identify potential targets. We scan every one of our insured companies regularly to see if they have issues that would be easy for an attacker to discover and exploit. When we identify issues, we go even further and work with our insured companies to help address them before they fall victim to an attack.
Theoretically, for every five ransomware attacks that our competitors experience, we help prevent four of them from happening, and we help the fifth recover quickly. In the unfortunate event of an attack, our claims team gets to work immediately, matching the victim with a panel of experts including privacy lawyers, a breach management team, and an incident response firm to get the organization back in business.
What can businesses do to demand change and turn the tides on cybercrime?
Imagine if organized crime groups from abroad physically stormed a town in New Jersey, extorting local businesses, schools, and hospitals en masse. We would be up in arms. Yet, when it happens in cyberspace, we let it go. So far, we have seen that the government — and the media — only really responds to cyber incidents related to critical infrastructure and large enterprises. If you’re a small business, or a college, or a small town, you're not getting help from your government. They have to fend for themselves against these attackers.
In every other industry, the government plays a critical role in protecting consumers. For example, you can't choose whether you want to install a seatbelt in a car or not. If you want to sell cars in America, they need to have seatbelts. Technology is not regulated the same way. You're allowed to sell business software that doesn't require multifactor authentication or robust spam filtering. With the amount of our economy now dependent on technology, the lack of government regulation is resulting in major risk to companies, and in the end, our own citizens. In the absence of government action, insurance steps in. It was the insurance companies that first pushed the federal government to mandate them. Similarly, we can push for safety measures in cybersecurity that will have the same kind of impact for technology.
What is your hope for the future?
My hope is that, with the emergence of insurance companies like At-Bay, we now have a real chance to understand what drives cyber risk. One thing that's frustrating about security is you have no idea what matters and how much you should pay for it. Do you need a next-generation firewall? How much should it cost you? $100? $1,000? By looking through the lens of insurance claims, we can identify what matters in security, and then use the insurance policy as a tool to drive adoption of those security controls. At the same time, we can help regulators by giving them the data and insight needed to enact effective policy.
Additionally, we must start demanding more accountability from our software vendors, so they give security the attention it needs.
Ultimately, I want us to reach a point where we are optimistic and excited about technology again and businesses can thrive in a digital world.