Security Alerts: How insurers notify businesses of cyber risk

An efficient incident notification system can mean the difference between avoiding a breach altogether or having to file a claim.

Proactive security alerts notify businesses of risky technologies or system configurations that are ripe for an attack approach. (Credit: ImageDesign/Adobe Stock)

Businesses purchase cyber insurance for protection from the impacts of a cyber incident. At its core, a policy promises to cover financial losses and other costs if and when an event occurs.

But businesses need more than that. They need an insurance provider that will invest in them and actively work to make them stronger and more secure.

Actively working alongside businesses can take different forms. But at the very least, providing an always-on notification system for security alerts can mean the difference between avoiding an incident altogether and having to file a claim.

Understanding security alerts

Generally speaking, security alerts take one of two forms: reactive or proactive. Reactive alerts are sent in response to newly published Common Vulnerabilities and Exposures (CVEs) that may affect a specific technology. Most IT security professionals are familiar with these because they often concern newly published vulnerabilities that attackers are actively exploiting in the wild: threat actors have already taken advantage of the vulnerability, and other organizations are suffering for it. If a policyholder receives a reactive security alert, it should signal that they are at high risk of an attack.

Proactive security alerts, on the other hand, are less common and are sometimes treated as a lower priority because they are not tied to an active CVE or Common Weakness Enumeration (CWE). Proactive security alerts notify businesses of risky technologies or system configurations that leave them exposed to a known attack approach. Although these weaknesses lack a CVE, they are still vulnerabilities, often with strong signals of being exploited, and they should be handled with the same level of criticality. Why? Because, just as often, these system weaknesses are exploited, and businesses find themselves victims of an attack.

Who should receive security alerts?

The size and makeup of a business often dictate who makes cybersecurity decisions. Small businesses often outsource security and IT support to MSPs or other third parties, while larger businesses are more likely to have internal teams and resources.

No matter the scenario, it is recommended that businesses designate at least one in-house team member to receive alerts. This ensures that someone at the core of a company is informed on new and emerging threats that could impact the business.

Signing up a technical expert is even better, as a business may need to take immediate action to resolve security issues; but above all, having some representative on the receiving end of every security alert is what matters.

There’s no limit to how many people can receive security alerts. If it means heightened awareness about a business’ security posture, it would be better for everyone in the organization to receive security alerts than nobody at all.

What can happen when security alerts go unaddressed?

Not all businesses take action on security alerts. Many teams face competing priorities and an endless deluge of tasks that can complicate the decision-making process when triaging these alerts. Resource constraints and alert fatigue can negatively affect risk management. With this in mind, insurance providers only notify businesses of the most critical risks. Businesses shouldn’t fear security alerts, but they must take them seriously.

During a recent ransomware event, a Coalition policyholder missed an opportunity to act on a security alert and learned the hard way that experiencing a cyber incident is much more painful than proactive risk mitigation.

While investigating the matter, Coalition Incident Response (CIR) determined a threat actor had gained access to the business’ network via Remote Desktop Web Access (RDWeb). The threat actor bypassed security controls, gained network access, and connected to the company’s internal infrastructure, allowing them to exfiltrate data and demand $2 million for its safe return.

The business had previously purchased a premium security package from a new managed service provider (MSP), in which the MSP assumed responsibility not only for managing the business’ infrastructure from an IT perspective, but also for monitoring its endpoint detection and response (EDR) alerts and performing weekly audits of logs from across its infrastructure.

After reviewing the business’ network logs and completing a full forensic investigation, CIR discovered Coalition had sent 12 security alerts regarding exposed RDWeb over eight months. The EDR tool had also detected suspicious activity, but it went unaddressed for over a year.

Ultimately, CIR negotiated the ransom payment in this case down to $500,000. Although the negotiation was successful, the incident was attributable to multiple failures that occurred months earlier, including the company’s failure to respond to the security alerts it received.

Active insurance requires active policyholder participation.

Every business runs differently. What matters most is that security alerts are being received and actioned. If a business is receiving an alert, then consider the alert important!

Insurance is designed to provide support if an incident occurs, but responding to security alerts can help mitigate risk before the stress of extended downtime, reputational damage, or potential lawsuits becomes a reality.

Ryan Gregory is Security Support Center Lead at Coalition. Any opinions expressed here are the author’s own. The original version of this article was first published on the Coalition blog and is republished with permission. It may not be reproduced.
