Cybersecurity Insurance Rates Rise | CISA | Microsoft Updates | The Cyber Review

July 8, 2021
Written by Farah

Cybersecurity insurance rates likely to rise amid escalating ransomware attacks

Source: Canadian Press

Companies looking to purchase insurance against cyberattacks in which their data is held for ransom will soon find it more expensive and difficult to obtain, a cybersecurity expert says.

Brent Arnold, a partner at law firm Gowlings WLG in Toronto, says the U.S. insurance industry has already tightened its requirements for providing coverage for criminal ransomware attacks.

The cyber insurance industry has become a prime target for criminals seeking its customers' identities and scope of coverage. Knowing what victims can afford to pay can give them an edge in ransom negotiations.

Arnold says he hasn't seen any examples of Canadian insurance companies that have been hit by cyber attacks, but he expects higher rates and stricter conditions for clients who want cyber insurance, following a trend that's already emerged in the United States.

An index from the Marsh McLennan insurance group registered a 35 per cent year-over-year increase in U.S. rates in the first quarter of this year, following a 17 per cent increase in the previous quarter.

The U.S. cyber insurance industry is now teetering on the edge of profitability, upended by a more than 400 per cent rise last year in ransomware cases and skyrocketing extortion demands. As a percentage of premiums collected, cyber insurance payouts now top 70 per cent, the break-even point.

Survey Finds Users Clueless About Cybersecurity Risks

Armis surveyed 2,000 end users in the U.S. and found that the cybersecurity incidents happening and the dangers to critical infrastructure, utilities and food supplies aren’t sinking in with the public, despite making news headlines.

More than 20 per cent of those surveyed hadn’t even heard of the Colonial Pipeline attack and 45 per cent had no awareness about the attempt to breach systems to poison Florida’s water supply. Respondents also didn’t really think there would be any long-term supply-chain consequences of the JBS Foods or Colonial Pipeline attacks, according to Armis.

Not only are users unaware of the major incidents that occurred, they are also bringing their poor cybersecurity habits with them as offices start to open back up. This is why companies must keep cybersecurity top of mind during the return to the office.

Armis found 71 percent of workers returning to the office plan to bring their work-from-home devices back into the office, while 54 percent don’t think there’s any risk associated with doing so.

Armis commissioned a Forrester report that found that 63 percent of healthcare delivery businesses were breached due to an unmanaged internet of things (IoT) device in the last two years. However, more than 60 percent of healthcare employees surveyed didn’t think their personal devices posed any risk at all, and more than a quarter of organizations have no policies in place outlining appropriate use of personal devices for business.

Surprisingly, 82 per cent of those surveyed who plan to bring their personal devices back to work are IT professionals and in charge of cybersecurity.

Companies must set a cybersecurity strategy with clear priorities during this critical return-to-work period, track behaviours, and identify threats immediately.

Microsoft urges users to update PCs in security warning

Microsoft announced that Windows users should install updates after a cybersecurity company accidentally published a guide on how to exploit vulnerabilities in the service.

The firm eventually deleted the post, but screenshots of it were posted elsewhere online, prompting Microsoft to warn customers that hackers could use the vulnerability to install programs, as well as view or delete data.

The company said the security update “should be applied immediately to fully protect your systems.”

Microsoft has faced a wave of scrutiny over reported security issues, including last year when the National Security Agency told the tech giant that a flaw in its Windows system could allow hackers to pose as software companies.

In March, Microsoft announced that it had found new vulnerabilities in its Exchange Server program, adding at the time that it had assessed with “high confidence” that a hacking group known as HAFNIUM, a Chinese state-sponsored group, was exploiting the vulnerabilities.

Anne Neuberger, the deputy national security adviser for cyber and emerging technology, said late last month that roughly 140,000 organizations were left vulnerable to attack by HAFNIUM and other groups, though she said Microsoft quickly released a patch that reduced this number to less than 10 within a week.

While the U.S. has not formally attributed the exploitation, Neuberger said the Biden administration was looking to do so “in the coming weeks.”

CISA Starts Cataloging Bad Practices in Cybersecurity

The Cybersecurity and Infrastructure Security Agency (CISA) released a list of two bad practices to help critical infrastructure providers prioritize their cybersecurity responsibilities.

The bad practices are using unsupported or “end-of-life” software, and using known/fixed/default passwords and credentials.

CISA created a web page for cataloging the bad practices, which the agency will keep updating based on feedback from risk managers and cybersecurity professionals. The list is meant to be used to put cybersecurity plans into action and as a resource for companies.
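As an added example (not code from the article or from CISA), the following Python script audits a small asset and account inventory for exactly the two bad practices described above: software past its end-of-support date, and accounts still using well-known default credentials. The host names, accounts, the fictional "examplecorp-router-os" and "acme-plc-firmware" products and their lifecycle dates are all constructed sample data; the Windows and Python dates match the vendors' published end-of-support dates but should still be confirmed against the vendors' lifecycle pages before relying on them.

```python
"""Inventory audit for the two CISA bad practices: end-of-life software and default credentials.

Sample data only. A real audit would load the inventory from a CMDB/asset scanner
and compare credential hashes collected from the devices rather than plaintext.
"""
from dataclasses import dataclass
from datetime import date
import hashlib

# Date of the post this example accompanies; used as "today" so results are reproducible.
AUDIT_DATE = date(2021, 7, 8)


@dataclass(frozen=True)
class Asset:
    name: str      # hostname or device label
    product: str   # normalised product name, lower-case
    version: str   # version string as keyed in the end-of-life table


@dataclass(frozen=True)
class Account:
    asset: str
    username: str
    password: str  # plaintext only because this is constructed sample data


@dataclass(frozen=True)
class Finding:
    asset: str
    practice: str  # "end-of-life software", "unknown support status" or "default credentials"
    detail: str


# End-of-support dates. Windows/Python dates are the vendors' published ones; the
# "examplecorp-router-os" entry is fictional. Any product missing here is reported as unknown.
EOL_DATES = {
    ("windows", "7"): date(2020, 1, 14),
    ("windows", "10"): date(2025, 10, 14),
    ("python", "2.7"): date(2020, 1, 1),
    ("examplecorp-router-os", "4"): date(2030, 1, 1),
}


def _sha256(text: str) -> str:
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


# Store only hashes of the well-known defaults so the list itself is not a plaintext wordlist.
KNOWN_DEFAULT_PASSWORD_HASHES = {_sha256(p) for p in ("admin", "password", "changeme", "123456", "default")}
# Vendor-style username/password pairs that ship on many devices (constructed sample set).
KNOWN_DEFAULT_PAIRS = {("admin", "admin"), ("root", "root"), ("admin", "password")}


def find_eol(assets, today):
    """Flag assets whose software is past end-of-support, or whose status cannot be determined."""
    findings = []
    for a in assets:
        eol = EOL_DATES.get((a.product.lower(), a.version))
        if eol is None:
            findings.append(Finding(a.name, "unknown support status",
                                    f"{a.product} {a.version}: no lifecycle data on file; verify with vendor"))
        elif eol <= today:
            findings.append(Finding(a.name, "end-of-life software",
                                    f"{a.product} {a.version} unsupported since {eol.isoformat()}"))
    return findings


def find_default_credentials(accounts):
    """Flag accounts using a known default password/pair, or a password equal to the username."""
    findings = []
    for acct in accounts:
        user = acct.username.lower()
        if (user, acct.password) in KNOWN_DEFAULT_PAIRS or _sha256(acct.password) in KNOWN_DEFAULT_PASSWORD_HASHES:
            findings.append(Finding(acct.asset, "default credentials",
                                    f"account '{acct.username}' uses a well-known default password"))
        elif user == acct.password.lower():
            findings.append(Finding(acct.asset, "default credentials",
                                    f"account '{acct.username}' password equals its username"))
    return findings


def audit(assets, accounts, today=None):
    """Run both checks and return the combined list of findings, EOL findings first."""
    today = today or date.today()
    return find_eol(assets, today) + find_default_credentials(accounts)


# Constructed sample inventory.
SAMPLE_ASSETS = [
    Asset("hmi-01", "windows", "7"),
    Asset("jump-01", "windows", "10"),
    Asset("script-host", "python", "2.7"),
    Asset("edge-rtr", "examplecorp-router-os", "4"),
    Asset("legacy-plc", "acme-plc-firmware", "2"),  # not in the table: unknown status
]
SAMPLE_ACCOUNTS = [
    Account("edge-rtr", "admin", "admin"),
    Account("hmi-01", "operator", "changeme"),
    Account("jump-01", "svc-backup", "Svc-backup"),  # equals username ignoring case
    Account("jump-01", "alice", "correct horse battery staple"),
]

if __name__ == "__main__":
    for f in audit(SAMPLE_ASSETS, SAMPLE_ACCOUNTS, AUDIT_DATE):
        print(f"[{f.practice}] {f.asset}: {f.detail}")
```

Run against the sample data as of the post date, the audit reports Windows 7 and Python 2.7 as unsupported, the PLC firmware as unknown (which a practitioner should treat as a finding until the vendor confirms support), and three accounts with default or username-equals-password credentials; Windows 10 and the router are clean. The "unknown" category matters in practice: silently passing products that are missing from the lifecycle table would hide exactly the legacy kit CISA is worried about.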

“There is certainly no lack of standards, practices, control catalogs, and guidelines available to improve an organization’s cybersecurity. While this body of guidance is invaluable, the sheer breadth of recommendations can often be daunting for leaders and risk managers,” Goldstein wrote. “The principle of ‘focus on the critical few’ is a fundamental element of risk management. Based on the understanding that organizations have limited resources to identify and mitigate all risks, it should also be an essential element of every organization's strategic approach to security. Addressing bad practices is not a substitute for implementing best practices, but it provides a rubric for prioritization and a helpful answer to the question of ‘what to do first.’”