Availability & ‘cyber insurance’ essential for business planning

Gregg Petersen, Regional Sales Vice President, MEA, Veeam Software says it’s not about being hack-proof; that is virtually impossible. Rather, you should make your security as robust as possible and ensure your backups are not solely located on your network, to eliminate the possibility of attack or corruption.

There is no question that ransomware attacks are becoming increasingly prevalent. In fact, some have proposed that 2017 is the Year of Ransomware. In May last year, the WannaCry attack led to the infection of more than 230,000 computers and more recently in June, the Petya outbreak led to a second global spread of ransomware. These attacks didn’t just hit individual users; they affected some of the biggest organizations in the world, and showed an increased level of threat sophistication and maturity. What became clear to many recently is that while traditional methods of data protection are essential, they are no longer sufficient.

As the attacks, or ‘threat landscape’, continue to evolve at a frightening pace, it’s clear that many organizations are failing to learn about what they’re up against from both a data protection and a cybersecurity perspective. Sure, organizations today know that they need to have strategies in place to protect their business from being disrupted by cybercriminals, but do they have the ability to get up and running quickly after an attack or breach?

Businesses are putting more data and services online, and business models rely on connectivity and enhanced IT services to meet growing consumer demands for flexibility, ease of access and convenience. Herein lies the double-edged sword: it is this desire for connectivity, to be ‘always-on’, which introduces more vulnerabilities and ‘threat surfaces’ from an increasing number of third-party sources.

Cyber insurance explained

Traditional data protection strategies have centered around the three foundational components of IT: people, process and technology.

Data protection with people begins with education and a continuous focus on making employees aware of the most recent threats in the industry. While this is critical, it is impossible to achieve full organizational protection in this way. It only takes one weak link, or one unknown threat, before the data is compromised. Focusing on process is also essential. As many have pointed out, recent ransomware attacks would have been mitigated if patches had been applied on a timely basis. And finally, traditional data protection employs technology for network and endpoint protection such as firewalls and anti-virus. All these protections are essential and should not be ignored. Clearly, however, they are not sufficient, as evidenced by the explosive growth of cyber insurance.

Cyber insurance is not entirely new, but it has been growing (unsurprisingly) at a similar pace to malware and ransomware. In 2015, PwC set the cyber insurance market at $2.5B with a projected market size of $7.5B in 2020. Allied Market Research has cyber insurance premiums hitting $14B by 2022, an impressive 28% compound annual growth rate. No matter how significant the cyber insurance market growth, recent incidents have proven that the adverse effect of malware on government agencies and businesses has made this a board-level topic with a demand for better protection.

The costs of ransomware are not just connected with the ransom demand itself (far from it, in fact, as the amounts requested are often below $1000) but also with tangible internal costs such as incident response, forensics, increased customer call center support, legal engagement and public relations. External costs and insurance coverage are associated with the liability of failing to keep the data secure.

Mitigating the ransomware risk with process and technology

However, there is another fundamental insurance component that many have ignored: data backup with air-gapped protection, the process of isolating a backup from the live network. In fact, the very first recommendation that is provided by the US FBI in its guide, ‘Ransomware Prevention and Response for CEOs’, is to ensure that critical data is backed up and stored offline, and that restoration of this data is regularly validated. Here at Veeam, we agree with this principle. In fact, backup and validation of data restore is the cyber insurance that provides the most immediate and tangible benefit to the enterprise when compromised. Our customers have recognized the value of this insurance and we now have 250,000 customers (and growing) that are leveraging these capabilities.

With proper technology and process in place, recovery time objectives (RTOs) can be minimized for critical systems, with the added benefit of leveraging the data to set up virtual labs where forensics can be applied to the incident. This insurance not only provides Availability for the business, but confidence for the board that they are better prepared.

A second, real and tangible benefit is that employing a viable availability solution can reduce the cyber insurance premiums that are paid by the enterprise. While annual costs for cyber insurance range from $1,000s to $100,000+ depending on the revenues, industry and company size, one of the factors that determines the premiums is the existing protections that are implemented, just as is the case with house or car insurance. Ensuring your business has a comprehensive availability solution can potentially reduce the costs (and premiums) associated with first-party coverage.

New technologies, same problems?

With the growing opportunity for more sophisticated uses of data and Internet of Things technologies, artificial intelligence, biometric systems, Industry 4.0 manufacturing robotics, connected cars, and smart buildings, businesses must be aware of how threats, such as ransomware, will evolve in the near future, progressing from the PC to also impact their wider business operations.

When assessing your current data protection situation, it is important to remember you shouldn’t strive to make yourself hack-proof. The speed at which attacks are changing means this is virtually impossible. Rather, you should make your security as robust as possible and ensure your backups are not solely located on your network, to eliminate the possibility of attack or corruption. With respect to ransomware, it is common for attackers to look at smaller or midsize businesses for a way into bigger enterprises, so don’t be the weakest part of your supply chain, and scrutinise the structure of your partners.

Like many professionals in the technology industry, I see no abatement in the immediate future for malware and ransomware, and we recommend you look for a partner who can help your organization implement data insurance through backups with offline storage and regular validation of restore, should the worst happen. This level of data protection is essential not only to provide the executive team and board with confidence that they are better prepared for this new business environment, but also to provide confidence for the industry and your end users that their digital life is protected and always available.

Therefore, a combined approach of having your processes in place, making yourself a less attractive target through routinely carrying out updates and backups, and having a data protection insurance policy — inclusive of a cyber insurance plan and an Availability solution in place — is smart business when planning for the future.