How At-Bay Helps Policyholders Reduce Ransomware Risk by up to 80%
5 actions you can take to help prevent ransomware
Ransomware attacks are one of the most significant threats to modern businesses. According to Sophos’ The State of Ransomware 2023 report, 66% of businesses were hit by ransomware in 2022.
Despite this frequency, At-Bay customers have been 80% less likely to be a victim of ransomware attacks compared to the industry average.1
This is no accident. As an insurer, we lose money when our policyholders suffer an attack, so we have a strong incentive to mitigate preventable cyber attacks that could result in insurance claims. With visibility into the security posture and claims history of our over 30,000 policyholders, At-Bay has clear evidence of what moves the needle on security (and what doesn’t).
Here are 5 proven strategies for cyber risk reduction that help our policyholders prevent the vast majority of ransomware attacks — and all the financial, legal, and reputational damages that result from them.
To minimize risk from low- and no-skill attackers, it’s crucial to patch vulnerabilities as quickly as possible.
At any given time, there are thousands of active scanners on the public Internet looking for external-facing vulnerabilities to exploit. According to CISA, 13 of the 15 most exploited vulnerabilities in 2021 were found on servers with public IP addresses, and 25% of cyber-related At-Bay claims with an identified cause exploit a software vulnerability for intrusion.2
This exploitation tends to require a low effort from attackers — initiated by botnets or initial-access brokers, with actual intrusion and damage coming after. Attackers typically begin exploiting vulnerabilities within hours of a proof-of-concept exploit becoming available.
Follow these steps to shrink your attack surface:
- Shut down all external services that aren’t business critical, like Remote Desktop Protocol (RDP) and File Transfer Protocol (FTP).
- Place any services with an ongoing business purpose behind a virtual private network (VPN).
- Migrate on-prem services (e.g., Microsoft Exchange) to the cloud where possible.
Remote access tools allow staff to access company resources from outside the office. The use of these tools grew exponentially during the pandemic, and they remain popular as companies increasingly embrace hybrid work policies.
Unfortunately, attackers can take advantage of widely available and legitimate remote access tools (like Splashtop, TeamViewer, RemotePC, and similar) to steal credentials or facilitate ongoing access to an organization’s technology environment. Many attackers favor remote access tools because they aren’t malware and therefore don’t trigger an alert. Nearly a quarter of all attacks reported by At-Bay policyholders use a remote access tool for intrusion.2
Take action to help prevent the usage of legitimate IT tools by attackers:
- Only permit remote access tools that have been explicitly approved to be installed on company devices, and automatically deny all others.
- Configure endpoint protection tools to flag unapproved remote access tools as “potentially unwanted programs” (PUPs).
When you imagine cyber criminals, you may picture them cracking passwords or brute-forcing their way into a company’s network, but this type of activity is easily detected and therefore not common. Instead, many attackers simply buy usernames and passwords on the dark web from initial access brokers who specialize in stealing credentials.
Once an attacker has a username and password, they can enter company accounts and devices through the front door. Stolen credentials are the method of intrusion in 8% of the attacks for which our policyholders file claims.2
Intrusions that leverage stolen credentials are difficult to detect and have a high probability of success owing to the fact that they appear to be normal, authorized network activity. The exception is when multi-factor authentication (MFA) is in use. MFA requires a user to enter their username and password, then authenticate themselves again with a PIN, authenticator app, or biometric marker. Stolen credentials will get attackers through the first round of authentication but not the second, rendering the stolen credentials almost useless.
Here’s how to mitigate the risk of a breach with MFA:
- Ensure that all remote access tools (e.g., VPN, Outlook Web Access, etc.) are secured with MFA.
- Configure MFA solutions to enforce usage by all employees (i.e., disallow opt-out and alternate authentication methods).
Our claims data reveals an alarming pattern: More than 90% of claimants report having backups, but only 22% successfully recover from incidents by using them.3
After a breach, many victims discover their backups failed to work as intended, often because of a misconfiguration, improper deployment, or lack of maintenance. Others see backup servers deliberately targeted and destroyed in a ransomware attack. In either case, the problem is only apparent after the damage is done and the data has disappeared.
To insulate backups from attacks and minimize the consequences of administrative lapses, backups should be offline. Offline backups prevent attackers and malicious software from directly targeting backed-up data or the backup solution itself, ensuring that backups remain viable when they’re needed. Note that offline can also include cloud-based backup solutions where controls prevent contact between the on-prem environment and the backup solution except when absolutely necessary.
How to use offline backups to mitigate the risk of corruption from ransomware:
- Source a modern backup solution with offline or protected cloud-based storage capabilities and leverage professional support to configure it properly.
- Periodically perform test restores of backed-up data to ensure effectiveness and staff proficiency.
The security of an organization’s email infrastructure is a significant determinant of overall risk. In the second half of 2022, 41% of At-Bay’s insurance claims originated from a malicious email.4
On-prem email solutions have a 2.5X higher rate of claims compared to the leading cloud email solution, even with leading email security solutions present. No matter how well an organization maintains its on-prem email server, nothing beats the continuous risk mitigation offered by cloud-based offerings from leading providers like Google and Microsoft.
Improve enterprise email security with these actions:
- Migrate to a cloud-based solution while simultaneously decommissioning on-prem email servers, which experience significantly more security incidents than email servers hosted entirely in the cloud.
- Consider adding an effective email security solution. Mimecast leads our ranking of top-performing email security solutions in 2023.
- Train all employees on the threat of phishing and fraud via email, and re-train periodically.
At-Bay has proven that it’s possible to significantly reduce ransomware risk when businesses make data-driven security decisions — especially when they partner with an InsurSec provider that takes a holistic approach to prevention and protection, helping policyholders remain secure over the life of their policy.
To continue exploring the link between cyber insurance and ransomware risk reduction, download our free report.
About The Author
Adam Tyra is a technology professional with over 18 years of experience in security and deep expertise in cybersecurity operations. He currently serves as At-Bay’s General Manager of Security Services.
Prior to joining At-Bay, Adam was a security leader at Kivu Consulting, TalonX, McKinsey & Company, and EY. Before becoming a consultant, he worked as a software developer, architecting and implementing cybersecurity tools for the U.S. defense and intelligence communities. Adam also served as a cybersecurity officer in the U.S. Army.
1. Frequency Based on Primary and Excess Cyber and Tech Errors & Omissions losses reported and exposure earned through 9/30/2022, evaluated as of 10/1/2022, and 2020-2021 industry analysis.
2. Source: At-Bay claims data 2021-2023.
3. Based on review of nearly half of At-Bay claims involving a DFIR vendor, March 2022 – March 2023, compared with data collected about insureds during underwriting.
4. At-Bay claims data, 2H FY2022. Includes emails containing malicious links or software along with those that enticed a recipient to perform some action which facilitated an incident.