Four ways to lower cyber insurance premiums

Yubico Inc

By Geoff Schomburgk, Vice President for Asia Pacific & Japan at Yubico
Wednesday, 04 October, 2023



Cyber attacks are growing in frequency, and so are the costs associated with them. According to the 2022 Cost of a Data Breach Report by IBM and the Ponemon Institute, 83% of the organisations studied had experienced more than one data breach, and the average cost of a breach is now AU$6.66 million. This is driving demand for cyber insurance, but the escalating cost and regularity of attacks have pushed insurers to raise premiums.

According to Veeam’s 2023 Ransomware Trends Report, cyber insurance is becoming very expensive, and there is growing concern that common threats such as ransomware will increasingly be excluded from cover: 74% of organisations with cyber insurance reported increased premiums, and 21% said ransomware is now excluded from their policy.

Cyber insurance is intended to cover financial loss suffered due to a cyber attack. As insurers attempt to better quantify and control loss, an organisation’s security posture is increasingly put under scrutiny. Those that rely solely on traditional passwords and legacy multi-factor authentication (MFA) tools may be ineligible for cyber insurance.

Here are four recommended cybersecurity strategies organisations should implement to help lower their cyber risk profile and therefore lower their cyber insurance premiums.

1. Adopt the Essential Eight

The eight mitigation strategies set out in the Australian Cyber Security Centre’s Essential Eight are designed to minimise the potential impact of cybersecurity incidents and to improve cybersecurity maturity. The accompanying Essential Eight Maturity Model lets security leaders self-assess their organisation against each of the eight strategies, using Maturity Levels One to Three (with Maturity Level Zero denoting that even Level One is not yet met).

No single mitigation strategy is guaranteed to prevent all cybersecurity incidents, so organisations of all sizes are recommended to implement all eight strategies as a baseline. Complacency is the enemy here: organisations often adopt one mitigation strategy and stop there, rather than pursuing the remaining strategies to a consistent maturity level.

2. Implement modern, phishing-resistant MFA

MFA is now a mandatory requirement for most cyber insurance providers. It is mandated because the great majority of hacking-related breaches involve stolen or weak credentials (the often-cited figure is 81%), which shows that a static password on its own is no longer an adequate control. Since most cybercriminals depend on stolen credentials to get into a private network, modern phishing-resistant MFA such as FIDO2 security keys removes that path: a stolen or phished password alone is not enough to log in.

Security keys use FIDO2 (WebAuthn) to provide strong MFA that is phishing-resistant by design: the credential is bound to the website’s origin, and the authenticator signs a server-issued challenge rather than revealing any secret. FIDO2 therefore defeats the most common MFA bypass schemes. Fake login portals, including adversary-in-the-middle proxies, cannot obtain a usable assertion because the browser will not use the credential for a different origin; push bombing does not apply because there is no push prompt to approve; and social engineering fails because there is no code a user can be talked into reading out. By deploying security keys with FIDO2 authentication, enterprises can roll out easy-to-use, strong phishing-resistant MFA.

Phishing-resistant or passwordless MFA verifies the user without a password. The local factor, a biometric such as a fingerprint or a PIN, is checked by the authenticator itself and never leaves the device, so it is not a shared secret that a server breach or a phishing page could capture; what the service receives is only a signature over its own challenge. Because that check is local to the key, it does not depend on a phone signal or a network connection in the way that SMS or push-based codes do.

However, not all MFA solutions are created equal, and legacy MFA methods are not phishing-resistant. These include one-time passcodes (OTP) sent by text message or email, and mobile authenticator apps that generate codes or send push prompts; all of these are highly susceptible to phishing and account takeover, because the code or approval can be relayed to, or triggered by, an attacker’s site. They do not offer the phishing resistance of hardware-based authentication such as FIDO2 security keys. In fact, phishing-resistant MFA is required for Maturity Level Three, the highest level in the Essential Eight Maturity Model.
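The origin and challenge binding described in the two FIDO2 paragraphs above is what a relying party actually enforces when it verifies a WebAuthn assertion. The following is an added example written for this page, not code from the article or from Yubico: it builds the clientDataJSON and authenticatorData that a browser and security key return for a login, then runs the relying-party checks over them. The relying-party ID `example.com`, the allowed origin, the phishing hostname and the challenge bytes are all constructed for illustration. The final step, verifying the authenticator’s signature over the returned payload with the credential’s registered public key, needs a cryptography library and is deliberately left to it; everything before that step is shown in full.

```python
"""Relying-party checks that make WebAuthn/FIDO2 phishing-resistant.

Added example, not from the article or from Yubico. RP_ID, ALLOWED_ORIGINS,
the phishing hostname and the challenge bytes are constructed for illustration.
"""
import base64
import hashlib
import json
import struct

RP_ID = "example.com"                              # the site the key was registered with (constructed)
ALLOWED_ORIGINS = {"https://login.example.com"}    # origins this RP accepts assertions from (constructed)

FLAG_UP = 0x01  # user present (touched the key)
FLAG_UV = 0x04  # user verified (PIN or biometric checked locally on the key)


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_assertion(origin: str, rp_id: str, challenge: bytes,
                   flags: int = FLAG_UP | FLAG_UV, sign_count: int = 1) -> dict:
    """Builds what the browser and authenticator return for navigator.credentials.get().

    The browser, not the user, writes `origin` into clientDataJSON, which is why a
    phishing page cannot forge it. authenticatorData is SHA-256(rpId) || flags || counter.
    """
    client_data = json.dumps({"type": "webauthn.get",
                              "challenge": b64url(challenge),
                              "origin": origin}).encode()
    auth_data = (hashlib.sha256(rp_id.encode()).digest()
                 + bytes([flags]) + struct.pack(">I", sign_count))
    return {"clientDataJSON": client_data, "authenticatorData": auth_data}


def verify_assertion(assertion: dict, expected_challenge: bytes, stored_sign_count: int = 0):
    """Returns (ok, reason, signed_payload).

    signed_payload is authenticatorData || SHA-256(clientDataJSON), the exact bytes the
    key's private key signed; checking that signature against the credential's stored
    public key is the one remaining step and is left to a cryptography library.
    """
    client_data_json = assertion["clientDataJSON"]
    auth_data = assertion["authenticatorData"]
    try:
        client_data = json.loads(client_data_json)
    except ValueError:
        return False, "clientDataJSON is not valid JSON", None
    if client_data.get("type") != "webauthn.get":
        return False, "wrong ceremony type", None
    # Challenge binding: a captured assertion carries an old challenge and cannot be replayed.
    if b64url_decode(client_data.get("challenge", "")) != expected_challenge:
        return False, "challenge mismatch (replay or stale ceremony)", None
    # Origin binding: the phishing-resistant step. A proxy at another hostname is rejected here.
    origin = client_data.get("origin")
    if origin not in ALLOWED_ORIGINS:
        return False, f"origin {origin!r} not allowed (possible phishing site)", None
    if len(auth_data) < 37:
        return False, "authenticatorData too short", None
    rp_id_hash = auth_data[:32]
    flags = auth_data[32]
    sign_count = struct.unpack(">I", auth_data[33:37])[0]
    if rp_id_hash != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch (credential scoped to a different site)", None
    if not flags & FLAG_UP:
        return False, "user presence not asserted", None
    if not flags & FLAG_UV:
        return False, "user verification (PIN/biometric) required but not performed", None
    # Clone detection: a counter that fails to advance suggests a duplicated authenticator.
    if stored_sign_count and sign_count <= stored_sign_count:
        return False, "signature counter did not increase (possible cloned authenticator)", None
    signed_payload = auth_data + hashlib.sha256(client_data_json).digest()
    return True, "ok", signed_payload


if __name__ == "__main__":
    challenge = bytes(range(32))  # constructed; a real RP draws this from a CSPRNG per login
    for origin in ("https://login.example.com", "https://login-example.com.evil.test"):
        ok, reason, _ = verify_assertion(make_assertion(origin, RP_ID, challenge), challenge)
        print(f"{origin}: {'accepted' if ok else 'rejected'} ({reason})")
```

The second origin in the demo models an adversary-in-the-middle proxy sitting on a look-alike hostname. In practice the browser would refuse to exercise an `example.com` credential from that origin at all, so the attacker never obtains an assertion; the origin check shown here is the server-side backstop that makes the same decision if one is somehow relayed.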

Contact centre specialist and Yubico client Afni reduced cyber insurance premiums by 30% after adopting security keys. The move means the company is seen as taking security seriously and being transparent about its own security practices, which has helped establish it as a trustworthy supply chain partner.

3. Implement a zero trust architecture

Having a zero trust architecture demonstrates a proactive defence mindset. Under zero trust, a user’s identity, device and permissions are verified on every access request, not just once when network access is granted, with the strictest checks applied when they attempt to reach highly sensitive assets.

According to IBM’s report, organisations that do not employ a zero trust approach to security typically pay an average of AU$1.53 million more in breach costs than those that do.

For organisations with a remote workforce (and many have one nowadays), cyber insurers will look for evidence of endpoint protection. Endpoint security and device posture checks are a natural component of a zero trust strategy, and being able to demonstrate them will present cyber insurance applications favourably.

4. Deliver cybersecurity awareness training

Employees fall victim to cybercriminal deception because they don’t know how to recognise an attack, or because they are too afraid to admit they may have shared something they should not have. Cybersecurity awareness training, coupled with a regular schedule of simulated phishing exercises, keeps staff vigilant against common threats.

People remain the weakest link in most cybersecurity strategies: the value of a costly security investment is instantly undone if an employee can be tricked into handing over their credentials. Cyber insurers understand how susceptible staff are to being swindled by attackers, so they will look favourably on evidence of a cybersecurity awareness training policy.

The best way to reinforce awareness training is to reward employees when they get it right, such as reporting a suspicious email, rather than punishing them when they make a mistake. Organisations must examine their lived culture, purpose and values and how these shape their employees’ engagement with cyber risk.

As cyber attacks continue to rise in frequency and cost, organisations must take proactive steps to mitigate their cyber risk, which in turn helps to lower their cyber insurance premiums. Implementing modern, phishing-resistant MFA is one of the simplest and most effective controls available: it reduces reliance on the user’s vigilance and denies cybercriminals the credential-based access they depend on. Organisations that implement the right tools and strategies will not only significantly reduce their cyber risk but can also lower their cyber insurance premiums.

Image credit: iStock.com/alexsl


  • All content Copyright © 2024 Westwick-Farrow Pty Ltd