My prediction for 2021 is that if legislation does not come in with as much force as possible, then the costs of an average Ransomware attack will just escalate and insurance companies will be most pleased, whilst everyone else suffers.
@nospaceah I agree, in principle, except where the notification has already gone out to the Cybersecurity Insurance company and they have taken over negotiations with the offender(s).
They may automatically pay out on the first offensive and then raise the premiums if the organisation does not put in place the necessary security controls and update their incident response plans, etc.
The cost, as you state, for recovery is likely to be far higher per incident, and they may not actually recover brand, reputation or even trust from their clients, or it may cause client churn to occur.
The costs are likely to be both tangible and intangible ones, which may take some time to assess, in all likelihood.
I agree. One of the things I wish insurance companies would do when adding a new customer is a CIS CSC 20 audit, or require the customer to get one. I think a ton of your small and medium businesses would benefit from this, and the customer could have a tangible way to see them reducing their risk, or at least see where they need to allocate resources. Probably two or three years ago I knew of insurance providers calculating the risk of cyber insurance purely on their external-facing vulnerabilities, which blows my mind. I think if a company implements the CIS Top 20 CSC they significantly reduce their risk and also the cost of an attack.
So after reading the article, whilst I agree that encryption is one prevention method, the author does not take into account systems that cannot be encrypted. Unfortunately they are still around, and larger companies are resistant to full-scale changes. I am not sure there is an average cost to a ransomware attack, or that anyone has sat down and done the math, and it may not be possible as each incident is different.
One organization that I worked in had a database of choice that would handle encryption easily; however, the (we'll call them) query tools could not handle encrypted data (obviously the decision to buy that database was made without Security's input). So some of the most confidential information that the company had was unencrypted.
I have had discussions with many folks on cyber insurance and many corporations take a pass on it, as they do not see themselves as targets. Are they making a mistake? I think so but then I am not the one that will be fired.
As to the Insurance department stepping in, I use a model of working with HR, Legal, Insurance, Corporate Communications and, if it exists, Physical Security. I try to have regular meetings to ensure that we are all on the same page and, if a breach happens, all know when to "release the hounds". This model keeps everyone in the know, and no guns are fired until the appropriate time.
Maybe I oversimplified, but...
@dcontesti Well, there are other methods: 1) SDN WANs; 2) Micro-segmentation using some principles from Zero Trust Security Architecture; 3) Obviously, Backups; 4) Incident Response playbooks; 5) Tell the Cyber Insurance not to immediately intervene until you tell them to do so.
An example from within the Financial Sector is Microsoft Windows Server 2003, which they still use for legacy systems; keep them well contained and separated from any other systems.