The worst-case scenario has happened: your organization has been breached by a threat actor. Credentials have been stolen, the attacker has moved laterally, and your IT department is warning of an imminent ransomware attack. Are you prepared?
In today’s age of rising cybercrime, driven by nefarious tactics such as ransomware-as-a-service and business email compromise (BEC), a breach becomes a matter of when, not if.
It’s imperative, then, that organizations take a proactive approach to their cybersecurity. That means employing two tools that can mean the difference between an averted crisis and a costly attack: an incident response plan and cyber insurance.
These two tools go hand in hand, and while obtaining and keeping cyber insurance has become more complicated in recent years — coverage can vary, control requirements and rates are changing, and organizations are still selecting plans that don’t cover enough — a strong incident response plan will not only help your organization respond to a breach but make the cyber insurance process much easier.
What Is Cyber Insurance?
Cyber insurance is a policy organizations take out in case of a cyber breach. It covers certain liabilities and a percentage of the costs associated with the breach. This kind of insurance is relatively new and continues to evolve. Over the past several years, we’ve observed updated application requirements, changing premiums, and overall clarity on the different levels of coverage available.
While cyber insurance is becoming a risk management essential, a recent report states that 48% of organizations expect their insurance to cover 80-100% of data breach costs, meaning they may be relying too much on insurance and not enough on other security measures.
What Is Incident Response?
Incident response is a set of processes and tools used to identify, contain, and remediate cyber attacks, and to restore the organization to pre-incident operations.
An incident response plan is designed to document and implement those processes and tools before, during, and after an incident. Cyber insurance should be part of an incident response plan, and incident response is often provided by a third-party provider, a solution, a retainer, or a combination of the three.
Security Controls and Cyber Insurance
For organizations to obtain cyber insurance, they need to employ certain security controls. Those controls are not just for arbitrary compliance, however. They help protect against incidents and can assist in the case of a breach or potential incident.
Common security controls required or requested to obtain favorable cyber insurance terms include:
1. Vulnerability Scanning
Vulnerabilities are a major cause of breaches, and many could be prevented with proper patching. Employing vulnerability scanning (preferably on a continuous basis) is the easiest way to identify and mitigate vulnerability-based risks.
2. 24×7 Monitoring
It’s no surprise that many cyber attacks happen during nights and weekends, when many offices are empty or minimally staffed. Having 24×7 monitoring can alert your team to threats as they arise, allowing you to implement incident response plans, or other measures, to stop them in their tracks.
3. Endpoint Detection
Endpoints can prove problematic for IT teams, as even the definition of what one is varies, but having a tool that records activity and triggers alerts from the endpoint can make a major difference when threats occur.
4. Employee Security Training
Social engineering is a common tactic — and a successful one. Using security awareness training to teach users how to properly defend against these kinds of attacks can prevent credential theft and other kinds of breaches.
5. Phishing Simulations
Like security awareness training, exposing users to tactics threat actors use in simulations can help them understand what to look for, and how to respond, in a safe environment.
6. Log Retention
Log retention should not only be a regular practice, but a major part of an incident response plan, as it can help investigators understand how a breach occurred and what was lost or damaged. It can also help your security or triage team respond to a threat in real time.
7. Email Protections
With BEC attacks rising at an alarming rate, your organization’s email accounts can never be too secure. A threat actor gaining access to email accounts can lead to fraud, privilege escalation, or further credential and data theft.
8. Identity and Access Management
This is the management of users and their access in order to limit their movement and verify their identities. This kind of management can alert organizations to unusual login attempts, odd access, or MFA-fatigue attacks.
9. Asset Inventory
Knowing what’s in your security environment is the first step to both protecting it and monitoring access and activity within it. Without this knowledge, it can be impossible to track a threat actor in an environment or utilize proper incident response.
A Critical Step: Developing An Incident Response Plan
Having the nine items above managed and accounted for is crucial when an incident response plan comes into play. But an incident response plan is more than bulleted items on a piece of paper. It needs to be a living document that can be tested and adjusted based on changing security and business needs. Some incident response plan components include:
- Formulating a strategy for how to respond to early stages of an incident
- Identifying stakeholders and their roles
- Appointing a response team
- Conducting tabletop exercises to test the strategy
- Testing backup and recovery systems
- Implementing readiness technologies (like the ones mentioned above)
Not only does this plan reduce risk and improve response, but according to the IBM Cost of a Data Breach Report 2023, proper incident response planning and testing can reduce IR costs by as much as $1.49 million in the event of an incident.
How Incident Response and Cyber Insurance Work Together
When it comes to an organization’s risk, there’s a lot of overlap between risk mitigation and risk transfer. Incident response planning and cyber insurance go together when organizations seek to reduce their risk before, during, and after a breach.
Having an incident response plan can stop a threat from becoming a major incident. Having cyber insurance can transfer a portion of risk to the insurer and help your organization recover faster, especially from a business and financial perspective. And the effective security controls required for cyber insurance and an incident response plan can prevent a threat from happening in the first place. You can’t rely on just one.