Cyber Resilience in An Imperfect World
A series of sophisticated attacks on technology companies has indicated how exposed end users can be to significant cyber supply chain risks outside of their control.
Regulatory reporting requirements and subsequent publicity around large-scale cyber breaches have served to raise awareness among businesses of the potential scale of online risks. But awareness and preparedness are often at odds when it comes to mitigating and managing a risk as fast-moving as cyber.
According to the latest report from Beazley’s Risk and Resilience series, "New world, new risks: How are businesses’ attitudes to risk & resilience changing?", 34% of business leaders surveyed ranked cyber as their top tech risk, although only 44% feel “very prepared” to anticipate and respond to cyber risk.
At the same time, 31% ranked supply chain as their top boardroom risk concern, whilst only 39% felt “very prepared” to respond to supply chain risk.
Although many organisations have invested heavily in technology to protect their systems and data, the cyber-attack landscape is constantly shifting. Cyber criminals are increasingly well-funded and innovative, so potential targets must remain constantly vigilant if gaps are not to open up in their cyber defences.
The unfortunate truth, however, is that their ability to resist cyber-attacks may, to some extent, be out of their hands as supply chains grow longer and more complex.
Cyber Supply Chain Incidents
In the past nine months there have been significant cyber incidents nearly every month, impacting thousands of organisations and disrupting cyber supply chains.
In December last year, it emerged that remote monitoring and management solutions provider SolarWinds had suffered a security breach in its Orion platform which enabled hackers to introduce malware via a software patch distributed to clients that opened up a backdoor into their systems.
In December and January 2021, firewall vendor Accellion released a series of software patches to address vulnerabilities in its products that contained ransomware introduced by hackers. In March, Microsoft’s Exchange Server email platform was hacked by a hitherto unknown group dubbed ‘Hafnium’, who leveraged a series of “zero days” (previously unknown vulnerabilities) in Microsoft’s Exchange Server software, creating a backdoor into tens of thousands of email systems.
There have been several high-profile incidents since, including the recent attack against software company Kaseya’s remote management software VSA, which was compromised, apparently by ‘ransomware as a service’ provider REvil, affecting a number of IT management firms and the clients that they serve.
In most of the above examples, end users’ cyber security measures have been either compromised or circumvented through failures in outsourced services that are typically outside of the customer’s control. With many of these functions concentrated in a relatively small number of providers, an attack on a single software firm can have a massive impact.
While reimbursement of losses through insurance can only do so much to address the downside of a major cyber-attack, a key benefit of working with specialist cyber insurance providers on these exposures is the value they can bring in terms of risk management and incident response.
An effective incident response solution, such as that available through Beazley’s Breach Response Services, provides access to an outsourced crisis team — lawyers, incident responders, ransomware communicators and negotiators, breach mitigation specialists, credit and identity monitoring services — all of which would be prohibitively expensive for many insureds to replicate internally.
With an effective cyber insurance solution, organisations will be back on their feet sooner, will have a lower exposure to financial loss, and will be better able to mitigate reputational impact through access to advisors on everything from IT issues to public relations.
However, many of these attacks could be avoided, or their impact lessened, by building better cyber resilience.
The first step towards building resilience should be discovering what cyber risks the organisation faces. Many organisations underestimate their reliance on technology, for everything from email servers to finance systems, online point of sale software and content delivery networks (CDNs).
The trend towards greater use of cloud computing solutions is only going to accelerate as organisations continue to evolve towards a more agile working environment, with more staff working remotely.
But with a greater reliance on a small number of cloud service providers, it is almost impossible to insulate your organisation from cyber-attack. The model of cyber security that is increasingly being viewed as the most practical, therefore, is the notion of ‘zero trust’.
One reason why critical vulnerabilities could be introduced through software like SolarWinds Orion and Kaseya VSA is that such tools typically request exclusions from security measures like antivirus and firewalls and/or require elevated privileges within the environment. Once compromised, this enables attackers to move laterally within an environment with few restrictions.
The zero trust model removes the assumption that all software running within an environment is to be automatically trusted and requires all access to be verified with the default position being to deny.
But neither cyber insurance nor zero trust, nor indeed any other security model, will on its own provide flawless protection against cyber criminals. Cyber resilience is about having a layered approach, with good data management, effective security software, zero trust protocols, effective incident response, insurance to cover remediation costs, and better training for employees.
In an imperfect world, there’s no single solution to countering cyber risk. But with the right mitigation strategy and access to risk financing and response services that will get you operational again in short order, you can at least be prepared for when the worst does happen.