Using a Security Operations Centre as a Service to Find the Dangers Lurking in the Deep. By Jonathan Sharrock
This article was written for and published in Edition One 2022 Across Borders magazine, p. 47.
Cybercriminals have capitalised on this; last year saw supply chain attacks quadruple, from the Colonial gas pipeline attack in the US to the Kaseya software attack, which affected global services including grocery stores in Sweden and schools in New Zealand.
2021 was the year of Ransomware – increasing threefold from the year before. It is also becoming a fast-growing business, being offered as a Software as a Service (SaaS) by many infamous groups such as Darkside and REvil. These groups are also acting as Access Brokers, selling security credentials to bidders on the dark web.
2022 must see companies face these developments head on, with a clear plan to assess their risks and fortify their defences.
Cyber risk is dependent on three things: threat, vulnerability, and consequence.
Threat is the danger an organisation is exposed to. They can be data breaches, business interruptions, asset misappropriations, and extortion. The most likely threat, and the extent of the attack, will depend on the business sector, the cybercriminal or their client, and the motivation behind their attack.
Vulnerability is the weakness of an organisation’s defences; this is not just technical defence but also the vulnerability of employers to blackmail or the complexity of supply chains. In 2022, 60% of security incidents are predicted to involve supply chain issues, specifically with third parties. Thus, companies relying heavily on external suppliers will be at greater risk.
Consequence is how damaging an attack could be: the level of debilitation if operations were to halt, the importance of confidence, and the backlash if data were to be lost or made public. Consequence is difficult to predict.
Cyber risk is managed through strong and proactive cybersecurity, by having a tight and well-practised incident response procedure, and by having comprehensive cyber insurance. Whilst cyber insurance is important, strong cybersecurity should come first. To get the most out of insurance, businesses must have mitigations in place. You need to demonstrate that you have understood and taken measures to reduce risk and respond effectively to an attack.
You must be self-aware and ask the right questions, and you need to have some answers.
Insurance providers will try to shift responsibility and reduce their payout rate. Already premiums are increasing – in some cases by 40-50% – to meet the rising frequency of ransomware. But more significantly, insurance providers are reassessing outdated policies not designed for the vast modern cyber threat landscape. This was demonstrated recently when pharmaceutical company Merck won a case against its insurance provider who had previously refused to pay out after the NotPetya ransomware attack of 2017. The provider claimed the attack was subject to an ‘Acts of War’ exclusion due to Russian-Ukrainian hostility at the time, but since this exclusion did not explicitly mention cyber incidents and did not specify overtly state-backed acts, it was found not to apply.
We should therefore expect insurance policies to be updated, with more exemptions and exclusion clauses, effectively reducing your coverage.
If there are any holes in your network security, for example unsupported legacy operating systems or systems not updated with the most recent security patches, this could void your insurance. Likewise, if you show cybersecurity negligence, for instance by not updating antivirus software or not regularly backing up data, this could void your insurance.
It is therefore vital that businesses learn how to guarantee their insurance policies will hold up. A great resource is the ASD Essential 8, a checklist of essential measures set out by the Australian Cyber Security Centre. Cybersecurity specialists Cyber Citadel have also provided a wealth of information on security, as well as on the threat landscape, on their YouTube channel.
To some extent, the insurers can’t be blamed for reinforcing their policies. The Department of Financial Services in New York recently warned providers that companies are relying on insurance to cover their digital assets rather than implementing good cybersecurity practices, thus passing the responsibility for cybercrime back to the insurer.
This must be turned around. The good news is that improving cybersecurity not only reduces the number of claims, which brings down premiums, but also means that claims are more likely to be accepted.
Improving cybersecurity is good for everyone. But how do you know if you’re doing enough?
Organisations should carry out a Security Posture Review. This includes vulnerability and penetration testing and incident response planning, and should assess current security protocols against regional and industry-specific standards. You should also compare your security protocols against the terms of coverage in your insurance.
In addition, the best approach going forward is continuous network monitoring. Whilst this method was once considered a huge financial and time investment, and unfeasible for many smaller sized businesses, continuous monitoring is now available as a subscription-based Security-Operations-Centre-as-a-service (SOC-as-a-service) from specialist cybersecurity providers like Cyber Citadel (see Aegis SOC-as-a-service).
Using such a service, which includes a Security Posture Review and Red Teaming, will provide you with the gold standard for assessing and monitoring your network. And if you need to make an insurance claim, you can guarantee you will have everything necessary to demonstrate your due diligence when it comes to cybersecurity.
Full article published in Freight and Trade Alliance’s Edition One 2022 Across Borders magazine, p. 47.