Data breaches are on the rise: in 2018 alone there were 12,449 confirmed breaches, a 424% increase over the previous year. Following @haveibeenpwned on Twitter shows a steady influx of tweets about data breaches several times per month. As a result of this pattern, the cyber insurance market has seen growth in direct premiums written for cyber policies, including packaged ones. In the four-year period from 2015 to 2019, direct premiums written amounted to $2 billion, more than double what was written in 2015.
Insurance in a Data Breach World
There is a lot of new ground that insurers are covering in a modern world where data breaches are the norm. While this post will not go into the details, the concept of cyber insurance is that it insures an event that is low probability but has a significant impact; it essentially acts as a risk transfer mechanism. Insurers take reasonableness into account: when a breach happens, they check whether what the organization had done was reasonable relative to an organization of similar revenue or size. However, data breaches are symptoms of persistent security problems, and insurance, while necessary, is not the solution.
Top Claims in Cyber Insurance
According to Enterprise Security Weekly, the top two cyber insurance claims in 2016 were lost laptops and insider theft of information. To some this might be a surprise, but the pattern still seems to be the norm, as 60% of companies experienced insider attacks in 2018. Insider threats can mean everything from a dissatisfied ex-employee, to human error by employees, to internal theft of intellectual property. Every once in a while, someone on a scoping call asks why we can’t just magically hack our way into their internal network, or downplays the risk of a high-severity finding on an internal network. What people often do not realize is how quickly an external adversary becomes an internal threat through social engineering and phishing.
The Need for an Internal Penetration Test
Internal penetration testing is important because it assesses an organization’s security posture by identifying how far an attacker can move laterally through a network, and what kind of data can be exfiltrated once an external breach has occurred. It is best to think of security as a layered approach. Many organizations dedicate effort to securing their external perimeter and their authentication into the network, but internal network security may not get the same treatment. Moreover, does the report at the end of the assessment highlight the underlying problems, or does it simply identify issues?
Take this example: an end-product penetration test report may be based on a checklist of patching and security configuration issues such as TLSv1.0 in use, self-signed certificates on internal web applications, and missing third-party software patches. While most firms would rate this organization as low to medium risk, the report implies that as long as these vulnerabilities are fixed, the organization maintains a secure posture.
Often, this is all an end-product penetration test report delivers. It hardly reflects what a real attacker might do.
Security Maturity Assessment
In order to highlight and address the potentially systemic reasons why these security vulnerabilities occur in the first place, we often offer our penetration testing services together with a security maturity assessment. Perhaps the reason TLSv1.0 is in use or third-party software patches are missing is that there is no formalized patch management program, asset management is inaccurate, or there are problems with the organization’s Ansible playbooks or Puppet configurations. A penetration test combined with a security maturity assessment can provide the insight needed to implement cultural and program-level changes, so that the assessment delivers value to decision makers within the company.
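To illustrate the difference between a checklist report and a systemic finding, here is an added example (not code from this post or its authors) that rolls per-host checklist items up into the programme-level causes named above and cross-checks them against the asset inventory. The findings, inventory and the issue-to-programme mapping are constructed sample data and assumptions of this example.

```python
"""Roll checklist-style pentest findings up into systemic causes.

A checklist report lists one issue per host. A maturity assessment asks which
programme (patch management, configuration management, asset management) is
failing. This example groups findings by programme, flags a programme as
systemic when it affects a large share of hosts, and reports any host that
has findings but is missing from the asset inventory.
"""
from collections import defaultdict

# Constructed sample findings, in the form a checklist report would list them.
FINDINGS = [
    {"host": "web01", "issue": "TLSv1.0 enabled"},
    {"host": "web02", "issue": "TLSv1.0 enabled"},
    {"host": "web03", "issue": "TLSv1.0 enabled"},
    {"host": "web03", "issue": "self-signed certificate"},
    {"host": "app01", "issue": "outdated third-party software"},
    {"host": "app02", "issue": "outdated third-party software"},
    {"host": "legacy01", "issue": "outdated third-party software"},
    {"host": "legacy01", "issue": "TLSv1.0 enabled"},
]

# Constructed asset inventory: host -> the config-management tool that owns it.
INVENTORY = {
    "web01": "ansible", "web02": "ansible", "web03": "ansible",
    "app01": "puppet", "app02": "puppet",
}

# Assumed mapping from checklist item to the programme it points back to.
ISSUE_TO_PROGRAMME = {
    "TLSv1.0 enabled": "configuration management",
    "self-signed certificate": "certificate management",
    "outdated third-party software": "patch management",
}


def systemic_findings(findings, inventory, threshold=0.5):
    """Return ({programme: sorted hosts} for programmes affecting at least
    `threshold` of all known hosts, sorted hosts with findings not in inventory)."""
    all_hosts = {f["host"] for f in findings} | set(inventory)
    by_programme = defaultdict(set)
    for f in findings:
        by_programme[ISSUE_TO_PROGRAMME[f["issue"]]].add(f["host"])
    systemic = {p: sorted(h) for p, h in by_programme.items()
                if len(h) / len(all_hosts) >= threshold}
    # Hosts with findings but no inventory entry point at an asset-management gap.
    unknown_assets = sorted({f["host"] for f in findings} - set(inventory))
    return systemic, unknown_assets


if __name__ == "__main__":
    systemic, unknown = systemic_findings(FINDINGS, INVENTORY)
    for programme, hosts in systemic.items():
        print(f"systemic: {programme} ({len(hosts)} hosts): {', '.join(hosts)}")
    print(f"hosts missing from asset inventory: {', '.join(unknown) or 'none'}")
```

With the sample data, TLSv1.0 across four of six hosts and missing patches on three of six surface as configuration-management and patch-management problems rather than six separate line items, and legacy01 is exposed as an unmanaged asset.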
The services we provide help organizations identify and prioritize areas of weakness and help them stay ahead of attacks. We aim to provide value to decision makers and to assess systemic issues across the organization, showing the underlying reasons for the vulnerabilities in its environment. Please contact us today or schedule a meeting with us if you are looking to elevate your organization’s security posture in a world that has seen too many data breaches.