Cybercrime has been making headlines regularly. Recent studies suggest that Australia experienced more than 67,500 cybercrime incidents in FY20/21 alone. This translated to a $33 billion loss and a 13% increase from the previous financial year, not far off from the United States, which reported 125,000 cyberattacks in 2020. This proliferation of cyberattacks highlights the need for improved cyber-readiness among Australian businesses. CTRL Group draws on the CTRL Team’s experience managing cyber incidents to discuss why bolstering one’s cyber readiness trumps the haste to take out (inadequate) cyber insurance. First, you have to be cyber ready.
Cyber Insurance Accessibility Drops while Cyberattacks Rise
The influx of cyberattacks is heavily felt among Australian businesses. Consequently, insurance companies are tightening their terms: the limits of liability are reduced while premiums increase. This leaves many organisations to either forfeit cyber insurance entirely or purchase cover that is insufficient against the costs that may be incurred in the event of a cyber-attack.
In October, a report from the government-funded Cyber Security Cooperative Research Centre (CSCRC) called for insurance companies to stop offering cover that includes compensation for ransom or extortion payments, following reports from overseas that cybercriminals target insured businesses and demand a ransom in the exact amount covered by the insurance. This may lead to a government ban on such cover in the future and give Australian businesses more incentive to better protect themselves so they do not fall victim to a ransomware attack.
“If you’re not ready, you’re unlikely to be covered.”
Moreover, the insurers’ qualification process prior to offering coverage has also been fine-tuned, requiring in-depth information about an organisation’s cyber posture and its means of protection. Cyber insurers are re-evaluating their rates to cover the surge in loss ratios caused by increasingly sophisticated cyberattacks. For that reason, organisations with low cyber readiness have a challenging time obtaining affordable coverage, if any at all.
Needless to say, this seismic change has left some industry players with profitability problems. Organisations that take no steps to improve their cyber readiness and do not have cyber insurance will most likely be unable to recover from a successful cyber-attack. Therefore, with or without cyber insurance, building organisational cyber readiness should be the top priority for any business, complementing its business continuity plans (BCPs) and disaster recovery plans (DRPs).
Be Ready before a Cyber Incident
During a cyber incident, a real battle is waged against an active adversary. While the opponent is active, it responds and changes its actions according to the defensive steps taken. Information must arrive from all fronts as quickly as possible, together with coordination between all relevant personnel and compartmentalisation of information systems to prevent further breaches. Success in recovering from an incident therefore lies in real-time process and event management.
The actions taken and the decisions made have an acute impact on the extent of the crisis. The many actions that must be carried out urgently require gathering as much information as possible and making decisions in very little time, often on missing or partial information. This depends on experience, cyber capabilities and a security posture that do not yet exist, or still need strengthening, in most Australian businesses.
Many Layers to Cyber Readiness
Across the incidents that CTRL Group has helped remediate, it is evident that cyber-attack recovery is a novel concept to many executives and business owners, one they encounter first-hand only during an attack against the organisation they safeguard.
Dealing with cyber attackers involves various elements, such as understanding their motives, creating a separate communication channel, building a “trust” relationship with them and even the technical aspect of being able to perform a Bitcoin payment. These differ greatly from the ‘regular’ challenges of the business world.
Without an adequate level of cyber readiness and advanced tabletop exercises, most organisations will find themselves lacking the toolset to set tasks and priorities, examine the effectiveness of the actions performed, and grasp the extent of the inputs invested and whether they were necessary.
How to Become Cyber Ready
Performing a tabletop exercise that simulates a real-life cyber incident is crucial to one’s cyber readiness. While the internal Cyber Response Team is invited to work through the emergency scenario, security experts like CTRL Group benchmark the process against industry best practices. The findings are written up in a coherent work plan, highlighting gaps in existing practices and the respective areas for improvement. This is a simple yet highly effective exercise to train personnel for the day a cyber-attack takes place.
Some organisations also opt to conduct penetration tests and security scanning regularly, alongside other activities, to improve their cyber readiness. Invariably, organisations that undertake such activities are better equipped to contain, halt and recover from cyber incidents in much less time, with much less effort and with significantly less damage to their finances and reputation.