Companies that take out a cybersecurity insurance policy may be inadvertently making themselves a bigger target, a cybersecurity expert warns.
Fleming Shi, CTO and founding engineer of Barracuda Networks, said in the case of ransomware, for example, attackers are looking for targets who have insurance because they view them as easier to extort a payment from.
Insurance may also be pushing up the size of ransom payments. Speaking with Which-50 during a recent visit to Sydney, Shi noted that the average US ransom payment in mid-2018 was roughly $4,000. By the end of 2019 that figure had jumped to $41,000.
“I believe cyber insurance could be good and bad; we buy insurance for our house, for our cars, for things we don’t plan for, and then insurance comes in and solves the problem.”
“But in the scenario when the attackers know you have insurance, they are looking for a larger payday,” Shi said.
While ransomware is not new, the attacks are getting more sophisticated and more common. Attackers have moved on from targeting consumers to encrypting the systems of small-to-mid-sized businesses and city councils, halting their operations until they can restore their systems or pay the bitcoin ransom.
“[Attackers] have moved around to find the optimal way to get the biggest payday for their efforts.”
The emergence of ransomware-as-a-service has also lowered the barrier of entry for criminals. “You don’t have to be a sophisticated hacker now to have a campaign. All you have to do is have bad intent,” Shi said.
Shi noted that the cybersecurity insurance market is nascent and people are still figuring out how to buy policies and how to offer them. But the most important factor is to keep the information private.
“I think it’s really important to conceal the information about your insurance. This is really, really private information. It should not be shared publicly about how much insurance you have.”
For example, including information about cyber insurance in FCC filings is like “leaving your wallet open.”
Attackers could also discover a company has cybersecurity insurance through social engineering. That means any company considering buying cyber insurance should also conduct employee training to reinforce that the information should never be disclosed.
For example, attackers could target someone in the office who has just paid for cyber insurance or seen the paperwork for it. Information about the existence and scope of the coverage could be uncovered by stealing that person’s credentials, taking over their account and monitoring their conversations with the CFO or head of procurement.
According to Shi, “Everyone who is considering cyber insurance needs to train their employees not to answer any emails or phone calls asking ‘do you have cyber insurance?’”
“All this insurance information should be hidden.”