Security talks to Chris Hass, former Department of Defense cybersecurity analyst, about why companies shouldn't rely on cyber insurance and what can be done to prepare instead. 



Security: What is your background and current role? What are some of the responsibilities in your role?


Hass: My background and experience span across both public and private sectors. Before joining Automox, I spent my time reverse-engineering malware and leading threat research teams at BlackBerry Cylance, built threat intel pipelines to track malicious actors at LogRhythm, and hacked on web applications for the National Security Agency.


Given those previous roles, I have an in-depth understanding of today’s threat landscape and like to constantly keep up with industry news and trends. As the Director of Information Security and Research at Automox, I lead all Security and IT operations, where we consistently embrace the convergence of the two. 


Security: In your experience, are companies relying on ransomware insurance instead of improving resilience to these types of attacks?


Hass: With the immense increase in attacks including on major institutions such as the Colonial Pipeline over the last year, many companies came to recognize the importance of improving their cyber hygiene to be more resilient and effective at preventing breaches. However, unfortunately, the majority still relies on expensive cyber insurance that may not even pay out in the end. While I can see why some companies would make this decision, especially in the SMB and startup industries where staffing a security team might not be possible, ransomware insurance on its own is not a productive approach to the cybersecurity challenges faced by almost every industry today. 


Security: Is ransomware insurance bad for cybersecurity? Should companies rely on this insurance? Why, or why not? 


Hass: Ransomware insurance is not necessarily bad, but there are hidden risks involved companies need to be aware of. For example, many carriers have a negligence or “failure to follow” exclusion in their policies, which means that they don’t cover claims if the company failed to maintain minimum or adequate security standards. Such an exclusion clause can state: “Failure to ensure that the computer system is reasonably protected by security practices and systems maintenance procedures that are equal or greater to those disclosed in the proposal.”


Cyber insurance is only a palliative approach and still leaves companies exposed to hackers. When you rely on ransomware policies to pay out, you even give in to bad actors, and they become more emboldened, putting a larger target on your back as a result.


Instead of relying solely on insurance, diversify your cybersecurity investments and secure your IT infrastructure to prevent attacks in the first place. First, invest in tools that allow you to proactively and efficiently harden your infrastructure, and second, consider insurance as a complementary strategy if it makes sense for your business.


Security: Should cyber/ransomware insurance be used as a component in a larger risk management strategy? If so, what should this strategy consist of? 


Hass: Strategies will vary based on your company, resources, and what you have in place today. Generally, not everyone needs ransomware insurance, and it should only serve as a component of larger risk management and cybersecurity strategy. Insurance can only help to offset the damages from a ransomware attack as it does not assist in identifying how a company was attacked or in removing the infection from your systems.


If you are already paying for cyber insurance, it is critical to complement it with tools and platforms that allow your IT and security teams to get ahead of hackers and respond to vulnerabilities in real time. 


Creating processes for patching vulnerabilities can lower the odds or prevent an attack from happening in the first place. Unpatched or misconfigured operating systems and software on an endpoint such as a server, computer, workstation, or mobile device are often the most exploited weaknesses in a cyberattack. We follow and recommend a 24/72 rule where zero-day vulnerabilities should be patched within 24 hours and critical vulnerabilities within 72 hours. Providing your teams with tools that can help automate these patch management tasks can help address critical high-risk vulnerabilities such as zero-day exploits immediately. By automating manual processes and tasks, IT teams can remediate vulnerabilities up to 30 times faster, more efficiently, and with higher accuracy.


Speed is one of your greatest competitive advantages in protecting against cyberattacks, but it can be difficult to achieve with the rise of distributed workforces. This makes cloud-native solutions increasingly important as it allows for better scalability for businesses of all sizes. Trading legacy, on-premises solutions for cloud-native automated ones will allow you to gain visibility to each remote device and minimize your organization’s risk and exposure, which ultimately delivers better security outcomes.


In addition to implementing the right tools and technologies, companies should also invest in training and educating employees on the best cybersecurity practices. Proper passwords, two-factor authentication and knowing how to recognize phishing attempts are essential to ensuring that cybercriminals do not exploit unprepared employees.