Strengthening Password Security may Lower Cyber Insurance Premiums

The global cyber insurance market is expected to reach over $20 billion by 2025. However, many organizations are finding it harder (and more expensive) than ever to get insured against their nightmare breach scenarios. Premiums have risen sharply in recent years, thanks to an increase in demand as well as the volume and sophistication of cyber threats.

Insurers want to limit their exposure to large scale attacks and are far less likely to take on risky clients. This means organizations are finding coverage to be far more expensive – if they can get it at all.

According to a study by Blackberry, only 20% of US organizations have coverage in excess of $600,000. When the average data breach is estimated to cost $4.35 million, that leaves many in a precarious position if disaster were to strike.

Why cyber insurers are raising premiums

Cyber insurers have been spooked by the rise in cybercrime and associated payouts. The US Treasury revealed that ransomware payouts alone totaled more in 2021 than the entire previous decade combined.

On top of that, they’re concerned about fallout from the Russia-Ukraine conflict.  A major UK bank Lloyds of London put a policy in place excluding nation state cyberattacks from their cyber insurance policies.

Insurers are increasingly selective about who they partner with. A home insurer is going to be highly cautious about insuring a house in a notorious tornado path or a floodplain. Likewise, cyber insurers won’t insure organizations against cyberattacks if a serious breach looks like a matter of ‘when’ rather than ‘if’.

Organizations are rigorously assessed on an individual basis, as every risk profile is different. Underwriters want to see evidence that cyber risk is managed, effective processes are established, and employees are targeted with security training and awareness.

If the risk is deemed too high, they’ll charge high premiums or won’t insure the business at all.

Where do passwords fit in with cyber insurance?

When insurers assess an organization’s cybersecurity posture, password security is a key element considered. Credential theft is big business for cybercriminals.

Once passwords are breached, they can be sold on the Crime-as-a-Service marketplace for profit. Stolen passwords are often the starting point for more damaging scenarios such as ransomware attacks.

Specops research shows that in an analysis of 800 million breached passwords, 83% of compromised passwords satisfy the password length and complexity requirements of regulatory password standards. This data shows this all-too-common problem.

Passwords have been a headache for IT security teams for decades. But they’re here to stay. Biometrics offer an alternative, although they’re impossible to change if compromised while it’s quick and easy to change a password to something uniquely different.

The key is having visibility over which passwords have been compromised in a breach and the control to change them. As shown by our data, security awareness and training aimed at employees can only do so much.

Can strong password security lower premiums?

In short, yes. Data from a LastPass survey shows 83% of businesses reported having to prove to their insurance provider that they have multi-factor authentication or password management in order to qualify for coverage or receive a lower premium rate.

Insurers will also assess whether policies are in place to ensure employees use complex passwords and rotate them accordingly. Outdated processes like managing passwords in a spreadsheet would be a major red flag to insurers. Whereas having a discovery tool in place for Active Directory accounts and passwords shows they have visibility over compromised passwords and who needs to change them.

As Darren James, Product Specialist at Specops Software, says, “We see that hackers are getting around any complexity or length requirements by going after passwords they know might be reused on your network.

A long or complex password is no stronger than “password” if it is already compromised, which is why it’s so important for organizations to protect against the reuse of compromised passwords.”

How to start strengthening your password security

The first steps to increase the overall password security in your Active Directory environment are to begin blocking weak and compromised passwords and enforcing a stronger password policy.

Enforce compliance requirements, create custom dictionaries, and help users create stronger passwords with dynamic end user feedback with a software tool such as Specops Password Policy with Breached Password Protection.

You can block over 3 billion known compromised passwords while extending the functionality of Group Policy, and simplifying the management of fine-grained password policies. 

Specops Password Policy enables organizations to block usernames, display names, specific words, consecutive characters, incremental passwords, and reuse a part of the current passwords all while proving to insurers that you are enforcing effective password security in your organization.

Sponsored and written by Specops Software.