Higher risks and premiums are creating critical gap in cyber insurance

Many organizations are increasingly unprepared to deal with the skyrocketing costs of a ransomware attack, at a time when the number of incidents and the payments demanded by cybercriminals are rising rapidly. A report by security software and services provider BlackBerry and Corvus Insurance this week found that only 19 …

  1. DS999

    In the long run

    Ransomware might turn out to be a good thing, by forcing companies to finally treat security seriously and implement policies known to really make a difference like 2FA and zero trust, rather than sending yet another company wide email to be wary of opening unknown attachments and phishing, and making them undergo yet another Powerpoint based multiple choice corporate security "training".

    1. Anonymous Coward

      Re: In the long run

      I'm pretty sure the insurance policies dictate a certain number of mind-numbing powerpoint presentations and badly written phishing emails.

      As an aside, how do you square 'zero trust' with 'identity federation'?

  2. Pirate Dave

    When we renewed our cyber insurance back in June, we were required to implement 2FA for all of our O365 accounts, our VPN, and our AS/400. Last year, they had only required 2FA for our Admin accounts in O365. In previous years, there hadn't really been any such requirements, other than checking the right boxes and using the right words in the yearly 8-page cyber-security audit.

    The Director is the one who deals directly with this, not me, but I definitely got the feeling that the cyber-insurance provider is no longer playing the odds on "they might not be hit by cyber crooks", and is instead working from the position of "they're going to be hit, we must force them to minimize their vulnerability surface to lower our payout rate".

    They were a bit unrealistic in their implementation timeline requirements - we were told of the 2FA requirement in late May, with them expecting full compliance by June 30. We didn't hit that day, nor the July 30 extension. In fact, we are just now finishing up enabling it for the O365 accounts. We were going to go with RSA's Authorization Manager, but the lead times for their Professional Services group are rather long. As an interim, we enabled MFA in O365 for each account, and used another vendor for the AS/400 requirement (and they got their stuff installed and working inside of a week, but sadly, their product is AS/400-only with no hope of crossover to cover O365 and VPN).

    1. Anonymous Coward

      Seriously? No 2FA on a VPN? I've had 2FA on my VPNs for more than a decade; in fact, some of them have 3FA (username/password/TOTP/certificate) and I'm considering adding IP address restrictions, making it 4FA.
