Marsh is the world’s largest insurance broker and risk advisor. In this week’s Reimagining Cyber podcast episode, “Under the Hood of Cyber Insurance,” Dan Bowden, CISO at Marsh, gives us an under-the-hood view of how insurance companies mitigate cyber risk, the things they look for, and how they support their clients.
Don’t Leave the Key Under the Mat
Bowden’s experience spans decades from IT infrastructure to CISO responsibilities and includes stints at the U.S. Air Force, the University of Utah, and now, Marsh. He brings a unique perspective to the world of insurance and cyber warfare. Cyber criminals are getting savvier and savvier. It’s up to companies to take the necessary steps to make themselves less of a target. Tools like multi-factor authentication (MFA) provide multiple levels of protection against hackers. Bowden likens not having MFA to leaving a key under a doormat.
“I watched a family member do this the other day. [She] walked out of her apartment, locked the door, and threw the key under the mat. And, if you don't have MFA, that's what your external portals are. You throw the key under the mat, and somebody who wants to get in, they're going to figure out a password, just as easily as a determined burglar will think to look under the mat,” he says.
Once they’re in, they’re in. Hackers will use that one entry point as a jumping-off point to others within your system. Even though you may think a particular portal “leads to nowhere important”, those services are maintained with enterprise management tools that may have accounts or services an advanced adversary can figure out how to use to reach the next landing point.
Manage Your Vulnerabilities
Insurance organizations assess risk by looking at the basics: threats and vulnerabilities. Vulnerabilities are often difficult (but necessary) for organizations to track. Where a vulnerability is very difficult to patch directly, can the exploit path between the threat and the vulnerability be blocked? Can the efficacy of that solution be proven and tested? Developing these capabilities is crucial – simply rolling out patches isn’t always that simple, or the cyber world would be a much safer place.
Here Phishy, Phishy
Phishing attacks, even in this day and age, are one of the top ways cybercriminals attack organizations.
“Instead of trying to beat you at one point of attack against your controls head on, they can spray a phishing attack across hundreds or 1000s of members of your workforce.”
Raising awareness and providing workforce training are key, says Bowden. Insurance companies can assess an organization for gaps in this area and see where organizations might struggle. Improving protection against hackers by using tools like MFA can improve an organization’s likelihood of getting insured.
Nailing down good configurations for DMARC, DKIM and SPF is a great security posture improvement: it prevents email spoofing and protects your brand.
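As an added example (not from the podcast, Marsh or CyberRes), a small Python checker that flags the weak SPF and DMARC settings behind the advice above, run over constructed TXT records for a hypothetical example.com; it performs no DNS lookups, so you feed it the records you retrieve yourself.

```python
# Constructed TXT records for a hypothetical example.com (SPF) and
# _dmarc.example.com (DMARC), in a weak and a hardened configuration.
SAMPLE_RECORDS = {
    "weak": {"spf": "v=spf1 include:_spf.example.net +all",
             "dmarc": "v=DMARC1; p=none; pct=50"},
    "strong": {"spf": "v=spf1 include:_spf.example.net -all",
               "dmarc": "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@example.com; adkim=s; aspf=s"},
}


def check_spf(record):
    """Findings for one SPF record; an empty list means no weak setting."""
    terms = record.lower().split()
    if not terms or terms[0] != "v=spf1":
        return ["missing or malformed SPF record"]
    findings = []
    # The last 'all' mechanism decides the fate of unlisted senders and its
    # qualifier (+ - ~ ?) is what matters; a bare 'all' means '+all'.
    alls = [t for t in terms[1:] if t.lstrip("+-~?") == "all"]
    if not alls:
        findings.append("no 'all' mechanism: unlisted senders get a neutral result")
    elif alls[-1] in ("+all", "all"):
        findings.append("'+all' authorises every sender: SPF is ineffective")
    elif alls[-1] == "?all":
        findings.append("'?all' is neutral: use -all (or ~all while testing)")
    return findings


def check_dmarc(record):
    """Findings for one DMARC record; an empty list means it enforces."""
    tags = dict(t.strip().split("=", 1) for t in record.split(";") if "=" in t)
    if tags.get("v") != "DMARC1":
        return ["missing or malformed DMARC record"]
    findings, policy = [], tags.get("p")
    if policy is None:
        findings.append("required p= tag is missing")
    elif policy == "none":
        findings.append("p=none only monitors: spoofed mail is still delivered")
    elif policy == "quarantine":
        findings.append("p=quarantine: move to p=reject once reports are clean")
    if int(tags.get("pct", "100")) < 100:
        findings.append("pct<100 leaves a share of spoofed mail unfiltered")
    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports are not collected")
    for tag in ("adkim", "aspf"):
        if tags.get(tag, "r") != "s":
            findings.append(f"{tag}=r: any subdomain can satisfy alignment")
    return findings
```

DKIM is left out because its records live under per-selector names that have to be known in advance; the same style of check applies once you have them.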
Assessing Risks
Attack surface management companies will pull all the possible open-source information you can imagine about your company, your competitors and your vendors. Breach history, curated internet-facing asset configurations and security posture are all accessible to anyone willing to pay for a subscription. This information has a wide range of uses. From a cyber insurance perspective, some carriers may analyze your organization’s internet-facing asset configuration, breach history, and overall security posture. This allows insurance carriers to assess the risk of an organization, and lets you assess your own posture as well as that of your vendors.
“If I've only got so much money to spend, should I spend on A or should I spend on B? I think that's what we're going to try to help them figure out is, based on your circumstance, the kind of organization you are, the threats that tend to come your way, we would recommend, the best place to invest.”
The Importance of Cyber Insurance
While cyber insurance may seem like a nice-to-have, in this current cyber landscape, it’s critical for organizations. When insurance companies that cover floods, earthquakes, and other natural disasters are faced with extraordinary circumstances, often the federal government will declare it a disaster and organizations like FEMA will step in to support them.
“There isn’t a cyber-FEMA,” Bowden cautions.
Cyber insurance is critical as we look to the future of the cyber landscape.
Do you have cyber insurance? Are there any other insights you’d share?
You can find the latest episode of Reimagining Cyber on Apple, Spotify, SoundCloud, Google, Stitcher, Buzzsprout. Give it a listen, and let me know what you think.
CyberRes is a Micro Focus line of business focused on helping companies protect, detect, and evolve their security framework and helping organizations become more cyber resilient. To learn more, visit CyberRes.com.