Improving Cyber Insurance Coverage with Microsoft Security

BrandPost
Feb 21, 2023, 6 mins
Security

From prevention and detection processes to ensuring coverage with things like cyber insurance, organizations can better mitigate the effects of a cybersecurity attack. Learn how enabling Microsoft security features can help obtain favorable cyber insurance coverage.


By Microsoft Security

No matter the industry or company size, businesses of all types must be vigilant when guarding against potential cybersecurity attacks. But enterprise cybersecurity is a team sport involving multiple players—encompassing everything from technology vendors to cyber insurance providers and cyber defense platforms. Organizations must pay attention to the nuances around remediation in addition to the more commonly talked about strategies around prevention and detection if they want to form a truly well-rounded cybersecurity defense.

To that end, Microsoft partnered with BlueVoyant and Chubb to host a webinar, “How enabling Microsoft security features can help obtain favorable cyber insurance coverage.” Keep reading for our top takeaways from the event, and click here to watch the full webinar recording.

How to optimize your cyber insurance coverage

While all businesses run the inherent risk of cyber attacks, the scale of your operations and type of industry you operate in will impact the type of threat you experience and, consequently, the rate you will pay for cyber insurance. If organizations want to ensure they’re getting the best cyber insurance rate possible, it’s important that they understand their risk profiles in relation to the most common threats facing their industry, as well as the protections they already have in place. Having a solid grasp on your risk profile allows you to better protect against your most likely threats by putting the right strategies in place to mitigate risk.

Small businesses, for example, are more likely to be hacked by outside actors than larger businesses. In part, this is because threat actors have scaled their operations to more quickly and easily identify vulnerable targets. Small businesses are also often less likely than their larger counterparts to have enabled basic cyber hygiene practices, like multi-factor authentication (MFA) and least-privileged access, that can protect against 98% of online attacks.

Large businesses, on the other hand, are disproportionately at risk from insider attacks simply due to the size of their attack surface. These kinds of threats can take the shape of phishing attacks, email compromises, stolen credentials, and more.

Another tool that companies can use to improve their cyber insurance rates is the insurance underwriting application itself. Insurers use this document to determine whether or not to extend coverage to an organization and what an appropriate rate might be. However, companies can use the application as a blueprint that outlines which steps they should take to most effectively protect themselves. Think of the underwriting application as a self-assessment tool. It’s the job of cyber insurers to minimize risk to their customers wherever possible, so it stands to reason that they want their customers to have the best protections available. Similar services, including Microsoft’s Zero Trust maturity assessment quiz or built-in tools like Microsoft Secure Score, exist in the marketplace.

What happens when there is a breach?

Despite the best preparations, cyber-attacks may be inevitable. That’s why it’s important to have specific remediation policies like cyber insurance in place to mitigate the effect of potential future breaches. So, in the event of an attack, how should organizations respond?

Most cyber insurers and technology platforms offer some form of incident response support. Breached clients can call their insurance provider for assistance in the event of an attack. But ultimately, the best defense is a good offense. For organizations with the resources to do so, it’s important to consistently test your defenses for vulnerabilities. At Microsoft, we’re constantly running red team assessments and penetration testing to keep our security team’s skills sharp and tabletop exercises to ensure relevant people across the organization know what to do in case of a breach. This also helps us unearth and address weaknesses before they can be discovered by malicious threat actors. For smaller operations, the goal should be to make yourself a more difficult target than similar companies in your space. Best practices like strong identification management and implementing a Zero Trust architecture can drastically reduce the risk of a breach.

Companies must also consider how much time and resources they’re willing to invest in cybersecurity. If no amount of preparation can guarantee 100% effective protection, what degree of risk is your organization willing to tolerate and at what cost? Microsoft’s product suite offers several foundational security hygiene features to ensure a base level of protection. The Microsoft Security team also releases regular blog posts and reports to help businesses stay educated on new and emerging threat vectors.

How does vulnerability management work in the new world of cybersecurity?

Much like risk profiles, vulnerability management can change based on the size of your company and the space you work in. For small businesses, it’s about making yourself a difficult target by conducting regular security scans and enabling basic security hygiene features to ensure a base level of protection. Larger entities need to worry about external threats too, but they have the added responsibility of monitoring internal threats. Ultimately, it comes down to understanding your attack surface and spending the time to identify where you are most vulnerable. If you want to optimize your coverage, insurance providers will want to see that you’re taking proactive steps to guard against potential threats.

Vulnerability management has also evolved alongside the growth of technology. In the past, cybersecurity was focused on perimeter defense—locking down network ports and devices. Today, the growth of remote work and the expansion of attack surfaces have created a much stronger focus on identity management. Employees can take their work identity—and by extension, their network access credentials—with them wherever they go. So it’s important companies use tactics like verifying explicitly, employing least-privileged access, and always assuming breach to guard against modern threat vectors. Following these security hygiene practices can help ensure that you’re getting a competitive insurance rate.

Finally, companies should treat any cyber insurance communications and policy documents as highly sensitive information. If threat actors know how much coverage your company has, they’re able to use this information to demand the highest possible ransom payment in exchange for restoring services or releasing data. Companies should not only safeguard their policy documents but also protect any email communications or applications that disclose sensitive information about their insurance policy.

While cybersecurity can seem overwhelming, there is a wealth of resources that businesses can turn to when looking for better ways to protect themselves. From prevention and detection processes to ensuring coverage with things like cyber insurance, organizations can better mitigate the effects of a cybersecurity attack. Check out Microsoft Security for more information on the latest threats, and be sure to watch the webinar on how enabling Microsoft security features can help obtain favorable cyber insurance coverage.