From insurance to defense: Creating a cybersecurity framework for ransomware resilience
This post first appeared on the Keepit blog.
As organizations continue to adapt to an increasingly digital world, the risks we face from cyberattacks grow more complex and, unfortunately, more frequent. The rise of ransomware (and ransom payments) has become a significant threat to organizations of all sizes, demanding more robust defenses and comprehensive strategies to mitigate the associated risks.
Cyber insurance has emerged as one key tool in this fight, but it’s only part of a larger, multifaceted approach to cyber resilience. In this blog, I’ll explore the critical role of cyber insurance, alongside essential cybersecurity strategies, and how building your cybersecurity maturity framework — based on the controls required by insurers — helps ensure resilience.
The growing ransomware threat
Ransomware has evolved from opportunistic attacks into a sophisticated, well-organized criminal enterprise. According to ESG research, 89% of enterprises consider ransomware one of the top five threats to their business viability. That figure is alarming but not surprising. What is surprising is that 11% of organizations still don’t see ransomware as a top threat, despite its rapid growth and severity.
Serious incidents, like ransomware, are no longer a question of “if” but “when.” Attackers continually refine their methods, targeting vulnerable organizations by exploiting gaps in security and even indirectly attacking through trusted third parties. As organizations expand their digital operations, they increase their exposure to these threats.
Many organizations assume they’re too small or insignificant to be targeted, but that assumption can be a dangerous one. Even companies that aren’t directly targeted are at risk. Cybercriminals no longer discriminate based on size or industry; they look for weaknesses and exploit them wherever they find them. Ransomware as a service (RaaS) has lowered the barrier to entry so much that even those lacking technical skills can “pay to play.” Read our blog about RaaS.
Understanding cyber insurance in a ransomware landscape
While cyber insurance can provide financial protection against the fallout of ransomware, it’s important to understand that it’s not a silver bullet. Insurance alone won’t save your business from downtime, data loss, or reputation damage. As we’ve seen with other types of insurance, such as property or health insurance, simply holding a policy doesn’t mean you’re immune to risks.
While cyber insurance is designed to mitigate financial risks, insurers are becoming increasingly discerning, often requiring businesses to demonstrate adequate cybersecurity controls before providing coverage. Gone are the days when businesses could simply “purchase” cyber insurance without robust cyber hygiene in place. Today’s insurers require businesses to have key controls such as multi-factor authentication (MFA), incident response plans, and regular vulnerability assessments.
Moreover, insurance alone doesn’t address the critical issue of data recovery. While an insurance payout can help with financial recovery, it can’t restore lost data or rebuild your reputation. This is where a comprehensive cybersecurity strategy comes in — one that encompasses both proactive and reactive measures, involving components like third-party data recovery software.
The role of insurability controls
To be insurable, organizations must meet certain cybersecurity criteria — what I like to call “insurability controls.” These controls aren’t just a checklist to meet insurance requirements; they’re also essential elements of a comprehensive cybersecurity maturity framework. Key among them are:
- Multi-factor authentication (MFA): A foundational requirement for accessing sensitive data and systems.
- Endpoint detection and response (EDR): Modern cyber insurance often mandates advanced detection and response capabilities to quickly identify and mitigate threats.
- Backup and recovery systems: These systems are the last line of defense in a ransomware attack. Ensuring backups are immutable, tested regularly, and stored offsite (air-gapped) can be the difference between full recovery and total disaster.
At Keepit, we emphasize the importance of ensuring your backups are not only frequent but also resilient. Regularly testing the recovery process is essential. Many organizations overlook this crucial step, only to discover their backups are either corrupt or ineffective when they need them most. Practicing recovery ensures you’ll be able to bring your systems back online with minimal impact in the event of an attack.
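A concrete way to practice recovery is to keep a hash manifest of what was backed up and verify a trial restore against it, so corrupt or missing files surface during a drill rather than during an incident. The script below is an added illustration, not Keepit code or any product's API; the file names and the simulated restore failures are constructed, and immutability and offsite storage are outside what it checks.

```python
import hashlib
import tempfile
from pathlib import Path


def build_manifest(root: Path) -> dict:
    """Record the SHA-256 of every file under root. Run this at backup time
    and keep the manifest with the backup so a restore can be checked later."""
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            manifest[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return manifest


def verify_restore(restored_root: Path, manifest: dict) -> dict:
    """Compare a restored tree against the manifest and report what is
    missing or altered. ok is True only if every file restored intact."""
    missing, corrupt = [], []
    for rel, expected in manifest.items():
        target = restored_root / rel
        if not target.is_file():
            missing.append(rel)
        elif hashlib.sha256(target.read_bytes()).hexdigest() != expected:
            corrupt.append(rel)
    return {"ok": not missing and not corrupt, "missing": missing, "corrupt": corrupt}


def demo() -> dict:
    """Constructed recovery drill: three files are backed up, then the restore
    returns one file intact, one silently truncated, and one not at all."""
    with tempfile.TemporaryDirectory() as tmp:
        src, restored = Path(tmp) / "source", Path(tmp) / "restored"
        for d in (src / "finance", restored / "finance"):
            d.mkdir(parents=True)
        files = {  # constructed sample data
            "finance/ledger.csv": b"acct,amount\n1001,250\n",
            "finance/payroll.csv": b"emp,salary\n7,5000\n",
            "readme.txt": b"crown jewels live in finance/\n",
        }
        for rel, data in files.items():
            (src / rel).write_bytes(data)
        manifest = build_manifest(src)
        # Simulated restore: ledger intact, payroll truncated, readme never restored
        (restored / "finance/ledger.csv").write_bytes(files["finance/ledger.csv"])
        (restored / "finance/payroll.csv").write_bytes(b"emp,salary\n")
        return verify_restore(restored, manifest)


if __name__ == "__main__":
    print(demo())
```

A drill that only checks that the restore job "succeeded" would have passed this scenario; comparing content against the manifest is what catches the truncated payroll file.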
Defense in depth: Beyond cyber insurance
Insurance is a vital part of your risk management strategy, but it needs to be layered with other defenses. A “defense in depth” approach means deploying multiple layers of security controls throughout your organization, ensuring that even if one layer is compromised, others can still protect your critical data and operations. This includes:
- Employee training and awareness: Your staff is often the weakest link in your security chain. Ensuring they’re aware of phishing attacks and social engineering tactics is critical. Regular phishing campaigns and security awareness training should be a cornerstone of your strategy.
- Third-party risk management: Often, cyberattacks originate not from within your organization but through trusted third parties. It’s essential to vet your partners and ensure they adhere to the same security standards you do — and consider their sub-processors.
- Incident response and retainers: Having a well-developed incident response plan is crucial, but so is having a retainer with a third-party provider who can immediately step in to help in the event of an attack. This adds an additional layer of protection and ensures a faster response time.
- Data governance and classification: Understanding what data you hold, where it resides, and how critical it is to your operations will help you protect your most valuable assets. Ensure that you’ve got policies in place for classifying and safeguarding sensitive data. If you don’t know what to protect, how will you protect it?
Data governance: Identifying and protecting the crown jewels
At the heart of any effective cybersecurity strategy is robust data governance. Understanding what data you have, where it resides, and how it is classified is critical to protecting your organization’s most valuable assets. Many organizations fail at the first step of cybersecurity — data identification — because they haven’t fully mapped out their data environment. The NIST Cybersecurity Framework makes understanding and assessing your cybersecurity posture the first step.
Effective data governance ensures that critical data is classified correctly, protected adequately, and monitored continuously. If your organization hasn’t yet mapped out its data environment, now is the time to start.
Engaging the board and leadership in cybersecurity strategy
One of the most challenging aspects of building a resilient cybersecurity program is obtaining buy-in from the executive team and board of directors. As CISO, it’s my responsibility to communicate the risks in terms that resonate with leadership: operational continuity, financial impact, and reputational risk.
Framing security investments as business-critical decisions helps drive the necessary financial and strategic support for comprehensive cybersecurity measures. It’s essential to engage the board by linking cyber resilience directly to business outcomes — such as maintaining customer trust, complying with regulations, and ensuring business continuity in the face of ransomware threats.
For many organizations, cybersecurity is still seen as an IT problem. But in reality, it’s a business risk that requires input from every level of the organization. Encouraging open dialogue between IT, security, and the board ensures that security measures are not only implemented but actively supported across the organization.
Conclusion
Cyber insurance plays an important role in mitigating the financial impact of ransomware attacks, but it’s by no means a complete solution — and insurers have many more requirements before any coverage is offered. Businesses must embrace a comprehensive, defense-in-depth approach that includes insurability controls, regular testing of backup and recovery systems, and ongoing communication with both employees and executives.
As ransomware continues to evolve, so too must our defenses. By building a cybersecurity maturity framework based on insurability controls, regular testing, and proactive measures, businesses can ensure that they not only meet insurance requirements but also create a truly resilient organization. Only by preparing for the inevitable can we ensure that our businesses not only survive but thrive in the face of cyberthreats.