A few years back, when cyber insurance policies were a new thing, it was a bit like the “wild west”: no insurer truly had a grasp on how the insured organization’s state of cybersecurity readiness played a role in whether an attack would occur and, therefore, whether a claim would be made. Today’s insurers have taken steps to better understand where the sources of risk (the ones that could force them to pay out on a claim) lie, and many of those risks come from within your own environment.
Because of this, in the last year we saw cyber insurance premiums rise massively for policies covering cyberattacks, and most cyber insurers expect this trend to continue, with 74% of them saying that an inability to accurately understand a customer’s security posture is having an impact on policy prices.
The severity and sophistication of attacks have resulted in underwriters more deeply scrutinizing an organization’s security posture to determine how much risk the organization itself adds to the equation. Some of the more common aspects of your cybersecurity that fall under scrutiny include specific technologies underwriters want to see in place.
A recent article written by insurance brokerage firm Woodruff Sawyer lists six key security controls they continually see as being critical to insurers when they are considering whether to insure your organization. Using the context of the security controls mentioned in that article, I want to cover three ways Remote Access can actually harm your chances of obtaining cyber insurance:
- Remote Access Could Bypass Multi-Factor Authentication (MFA) – MFA is a key component cyber insurers want to see implemented. Most organizations that have MFA in place tend not to have it implemented organization-wide, regardless of user, location, or method of connection. Remote Access is one of those methodologies that seems to fall behind when MFA is rolled out. But let me be clear: on its own merit, to help protect your organization, you need to have every last user, across every method of connection, using MFA, period. Then, as you add in the need for cyber insurance, the more broadly your MFA is implemented, the lower your risk profile will appear to your cyber insurer. So this applies to your use of Remote Access: any time a user connects, MFA must be part of their authentication.
- Remote Access Could Provide Access Despite Network Segmentation – One of the six key security controls is the segmenting of networks, subnets, etc. to help minimize the ability to laterally move during a cyberattack. Many organizations solely focus on productivity when implementing remote access, which may actually provide cross-segment access that could facilitate lateral movement. It’s important to think about any segmentation policies you have in place and ensure that any remote access solution you have in place adheres to the intent of those policies.
- RDP-based Remote Access Isn’t Inherently Secure – Cyber insurers have a decent grasp on the general state of RDP use, stating: “Organizations are encouraged to turn off RDP unless absolutely necessary. If RDP is needed at any point, the connection should be secured by a combination of a VPN and multi-factor authentication.” It’s not that RDP is bad; it’s that most implementations aren’t secure. It is possible to deploy Remote Desktop Services (a role that exists separately from the built-in RDP access to Windows endpoints), but this requires additional work to install and configure. Additionally, RDP on its own doesn’t address the security needed for specific connection scenarios; for example, even the Woodruff Sawyer folks see the need to augment an inbound RDP connection with a VPN. Your remote access needs to offer multiple methods of securing the authentication, the connection, and even the level of access granted via the remote session, so that it forms its own defense-in-depth strategy and minimizes the possibility that someone can misuse your remote access in any of its scenarios within your organization.
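As an added example (not from the original post or from Woodruff Sawyer), the following PowerShell check reads a Windows host’s local RDP posture against the points above: whether RDP is enabled at all, whether Network Level Authentication is required, and whether the built-in Remote Desktop firewall rules accept connections from any address rather than a restricted management range (the segmentation concern). It assumes an elevated session on Windows 10/11 or Server with the NetSecurity module; VPN and MFA enforcement live at the gateway and cannot be observed from the endpoint, so the script only flags them for verification there.

```powershell
# Added example, not part of the original article.
# Assumes: elevated PowerShell on Windows 10/11 or Server with the NetSecurity module.
function Get-RdpPosture {
    $tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $rdpTcp = "$tsKey\WinStations\RDP-Tcp"

    # fDenyTSConnections = 1 means RDP is off, which is the insurers' default expectation.
    $rdpOff = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections).fDenyTSConnections -eq 1
    # UserAuthentication = 1 requires Network Level Authentication before a session is created.
    $nla    = (Get-ItemProperty -Path $rdpTcp -Name UserAuthentication).UserAuthentication -eq 1
    $port   = (Get-ItemProperty -Path $rdpTcp -Name PortNumber).PortNumber

    # Enabled inbound rules in the built-in 'Remote Desktop' group, with their remote-address scope.
    # A scope of 'Any' means the listener is reachable from every segment the host can see.
    $openRules = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound -Enabled True -ErrorAction SilentlyContinue |
        ForEach-Object {
            $scope = ($_ | Get-NetFirewallAddressFilter).RemoteAddress -join ','
            [pscustomobject]@{ Rule = $_.DisplayName; RemoteAddress = $scope }
        }
    $unscoped = @($openRules | Where-Object { $_.RemoteAddress -eq 'Any' })

    $findings = @()
    if (-not $rdpOff) {
        $findings += 'RDP is enabled; confirm it is absolutely necessary.'
        $findings += 'VPN and MFA are enforced at the gateway, not the endpoint; verify them there.'
        if (-not $nla) { $findings += 'NLA is not required; unauthenticated clients reach the logon surface.' }
    }
    if ($unscoped.Count -gt 0) {
        $findings += "RDP firewall rules allow any remote address ($($unscoped.Rule -join ', ')); restrict to a management range."
    }

    [pscustomobject]@{
        RdpEnabled   = -not $rdpOff
        NlaRequired  = $nla
        ListenPort   = $port
        InboundRules = $openRules
        Findings     = $findings
    }
}

Get-RdpPosture | Format-List
```

An empty Findings list with RdpEnabled = False is the posture the quoted insurer guidance describes; anything else is the evidence to bring to the underwriter conversation, or to fix first.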
It’s important to know that insurers have different requirements defining what security measures, solutions, policies, etc. need to be in place in order to obtain coverage. So neither the referenced article nor the recommendations above are, by any means, a comprehensive explanation of what your remote access shouldn’t be doing in order to get coverage. Instead, think of the three ways listed above as guidance around what you don’t want your remote access to be doing, both from a “we want to get a cyber insurance policy” standpoint and from a “don’t you want your environment to be secure anyway?” standpoint.