An interesting statement from Zurich Insurance, one of the major players:
What do you think?
What about the Small, Medium and Enterprise organisations, how would they cope?
They can cope by asking their insurers what to do.
For regular businesses which don't have any specific need or mandate for protection, there's not a lot of guidance from anyone other than underwriters. I know, I lived this life for years.
Other insurers have made similar statements or are otherwise getting out of insuring against certain security incidents (largely ransomware). It's a good caution to read the fine print when you're renewing policies.
I don't blame insurers. If we were to analogize information security to fire prevention, every time there is a house fire, we learn something. We build better, ban certain materials, pass regulations requiring detectors and sprinklers, etc. With information technology, the response tends to be the equivalent of encouraging people to store gas in their homes and play with matches.
As the threats have expanded, we've lowered the walls. Devices on home networks have increased ten-fold, every one of them a potential avenue of compromise. There is no such thing as the corporate network anymore - it's all the Internet/cloud. Then there is the thing in our hand, which has more computing power and connectivity than what sat in our server rooms 20 years ago. By the time some 20-something hits the workforce, they already had a good 8-10 years of habits with technology, and a good number of them are bad habits.
Some days it does feel like watching kids play with matches in a room full of gas cans. And when a spark does start a fire, we tend not to focus on the root cause but instead try to alter the nature of fire (technology) so that it can fly haphazardly about in a room full of flammable materials.
Exactly, @JoePete. Industry wants the benefits of technology, but none of the discipline the technology requires for its preservation, protection, or continuity.
I wrote a post-mortem presentation for senior leaders at a previous employer. There had been a ransomware attack (spoiler alert: the bad actors may have encrypted our infrastructure, but insurance paid for remediation, backups were used to restore ALL data, and the miscreants didn't get a penny). In the post-mortem I noted the attack (phishing email, users with too much privilege, a public-facing RDP server), and described what it would take to reduce our attack surface, and improve our data health and resilience.
I didn't ask for much in the presentation, either. The response had already improved our infrastructure, it rapidly mitigated our patch status, increased our defense in depth, and we were already planning to make the backups more redundant -- because we knew what the saving grace was. I just wanted a mandate from the executives, now that we knew what was at risk. IT needed visibility, and it finally had some. I went to the meeting expecting their due care and due diligence.
There are eight executives with the company. Only three came to the presentation. "It looks like we have hurdles to clear, and thanks for putting this together. I sure am glad we had insurance," and with that, the meeting ended.
As mentioned earlier, in the absence of any other authority, compliance goes a long way. Insurance companies are literally experts in stanching losses. They are fully aware of NIST. They could easily demand minimal compliance with the CSF (or hell, the SANS Top 18 if they really want to phone it in!) to ensure demonstrable compliance with such standards.