Insurers and businesses must combat ransomware


If you had told every small and medium-sized business (SMB) in the UK five years ago that one of its biggest priorities should be a comprehensive cyber insurance policy, it might have politely asked you to mind your own business.

About the author

Ian McShane is the Field CTO at Arctic Wolf.

Fast-forward to 2021, and how times have changed. We already knew the world was going digital, but the pandemic pushed this into overdrive, and the operations of many businesses now live largely in the cloud. This step change has brought with it a steep rise in ransomware attacks, as attackers have recognized that security investment has simply not kept pace with investment in the technologies that let firms keep operating remotely during the pandemic. This sentiment has been echoed by National Cyber Security Centre (NCSC) CEO Lindy Cameron, who recently stated that ransomware “presents the most immediate danger to the UK”. And she is right: a recent report ranked the UK among the ten countries worst affected by ransomware.

Insurance standoff

For insurers, this has presented a potentially expensive headache; policies were never written to cover a ‘whatever amount the attacker demands’ option. Alarmed by the rise in attacks, many insurers are rapidly rewriting the small print in their policies to protect themselves from large payouts. For SMBs, this creates a protection minefield. Not only do they not know what they are covered for, but insurers are also regularly moving the goalposts, for example by limiting cover if a company does not hold the UK government’s Cyber Essentials Plus certification. The result is a stubborn stand-off: insurers aren’t willing to take the risk and are capping their liability, while UK businesses can’t obtain the comprehensive protection they so desperately need.

Getting both parties around the table might seem a pipe dream at the moment, but it needs to happen. If both sides can start to meet each other halfway, we’ll be in better shape to tackle the ransomware challenge. After all, good things can come from compromise.

Tackling the ransomware problem

Firstly, small and medium-sized businesses need to wake up to the realities of the cybersecurity threat they now face. Changes to how their companies operate digitally, along with the hybrid working practices they are actively adopting, mean the scope of the threats they face has grown substantially. Investment must therefore be prioritized, not in endless amounts of tools, but in operations and talent, so they are properly equipped to deal with the evolving threat landscape.

IT teams should consider deploying advanced capabilities such as detection and response, and use them to build up their own expertise. By prioritizing security operations and making the most of their existing investments, instead of endlessly cycling through new vendors and new products, they will go a long way toward addressing the rapidly evolving threat landscape in a way that meets the particular needs of their business. There is no “one size fits all” in security. If an organization doesn’t put an operational foundation in place, all it gains from each purchase is more tools, more collectors, more agents, more locations, and more data to sift through. That feeds alert fatigue, and a threat becomes more likely to slip through the net undetected. If businesses start to show they are taking this seriously, insurers will sit up and take notice, and will feel more confident offering comprehensive protection.

Meanwhile, insurance providers need to take control of their policies and be clearer about what they offer businesses, which means substantially increasing their own cybersecurity expertise. With a deeper understanding of the threat landscape, they will be able to price risk for policyholders more precisely, and to set evolving cybersecurity standards for businesses to achieve. This will take time, and the insurers who learn fast and partner effectively with security operations experts will be able to edge out the competition. But cyber insurance isn’t going anywhere. It’s just going to get smarter, stricter, and more effective.

Looking further ahead, once these partnerships are developed, the key will be consistency. Cybercriminals won’t just give up and go home, so businesses and insurers will need to keep evolving their knowledge and capabilities together and sustain their working relationships over time. That means ongoing investment across the security frontier, from vulnerability management to training to cloud security and more. Insurers will also need to work with regulators and the criminal justice system to ensure that businesses are protected and criminals aren’t bankrolled.

If each of these constituents can build the appropriate expertise, break down silos, and coordinate effectively, the cyber insurance and cybersecurity worlds can grow together. We’ll be able to exit this storm better protected, better insured, and with stronger businesses all round. The only losers in the long run will be the cybercriminals.


Ian McShane is the Field CTO at Arctic Wolf. A cybersecurity veteran and long-time Gartner analyst, Ian McShane has more than 20 years’ experience in cybersecurity and operational IT.