• United States



Contributing Writer

What your cyber insurance application form can tell you about ransomware readiness

May 11, 20225 mins
Network SecurityRansomware

The annual cyber insurance application form shows what the carriers think you should be doing to best prevent and recover from ransomware attacks. Pay attention.

ransomware attack
Credit: undefined undefined / Getty Images

It’s that time that I fill out the annual cyber insurance policy application. Each year it gives me an insight into what insurance vendors are using to rate the risks and threats to our business and what they are stressing I should have as best practices. Not having them in place could affect insurance rates and whether I qualify for cyber insurance at all.

This year was interesting because it asked for specific ransomware prevention techniques and protections. Here are the questions that stood out.

Is two-factor authentication in place?

My insurance vendor asked if I had two factor authentication (2FA) in place protecting remote network access. They are reacting to the reality that both virtual private networks (VPNs) and Remote Desktop Protocol (RDP) provide effective access for attackers as well as users. We sometimes leave behind remote access to get into physical and virtual servers, but attackers target these remote access tools to gain network access.

Configure Group Policy Objects that link to all domain controller organizational units (OUs) in a forest to allow RDP connections only from authorized users and systems like jump servers. Remote access for servers should be specifically set up as securely as possible.  

These days, our credentials are our boundaries. Having tools that validate credentials and provide additional protection is key to ensuring that attackers can’t gain access. Conditional access allows you to set up protections based on what the user is doing and mandates additional actions should the user be logging in to a specific role or from an unusual location.

I mandate 2FA for administrative roles but make it optional for uses logging in from previously vetted devices. Additional vetting is in place should the user log in from an unusual location. I recommend designing conditional access so that it balances the need of authentication prompts in a manner that asks for 2FA when the user is behaving in a manner that places the network at risk.

The cyber insurance policy application also asked if I mandated two factor authentication for protecting email. Implied in that question is whether I have blocked older, less secure email protocols such as POP. The best way to protect email is to ensure that you have a platform that supports modern authentication protocols and the ability to add 2FA.

Have you deployed endpoint detection and response tools?

The cyber security insurance application asked whether I had deployed an endpoint detection and response (EDR) tool. Until recently, EDR has been a bit elusive to small- to medium-sized businesses (SMBs). Now in addition to EDR solutions as Crowdstrike, Cylance and Carbon Black, the new kid on the block of EDR solutions is the most affordable for SMBs: Microsoft Defender for Business.  

If you have Microsoft 365 Business Premium, Defender for Business is already included in the monthly cost of the product. If you want to purchase it separately, it is priced at $3 per user for those businesses under 300 users. SMBs often don’t have the resources to investigate a security incident. Yet we are increasingly tasked by regulators and industries to identify when we have had a breach.

EDR products automate many of the investigation techniques and allow a firm to determine if they have lateral movement issues or a malicious PowerShell script has been used to take control of systems. They also answer the question of how the attacker got into the network and what they used to do so. With these tools you can better understand how the attackers accessed your system and thus can protect yourself from the next attack.

What email filtering solutions do you use?

The cyber insurance application asked if I used an email filtering solution to prevent phishing or ransomware attacks. Many attacks come through email and uses Office macros to gain access to a system or use zero days in Office suites to gain more access to a workstation. In my firm I find that the phishing protection “learns,” and while it may let an initial attack email in the door, by the time the attackers start sending attack emails to all the other users in the office, it has learned what is and is not malicious and starts blocking it soon after the attack emails start being sent.

Do you use a data backup solution for all critical data?

Backup was stressed in the cyber insurance application, but not just any backup. It wanted to know if I prepared a backup daily, weekly or monthly, and then if I prepared the backup locally, over the network, or via a tape backup. It also asked whether I had an offsite backup, a cloud backup, or any other type of backup.

It asked if my data backup solution segregated or disconnected from the network in such a way to reduce or eliminate the risk of the backup being compromised in a malware or ransomware attack that spreads throughout the network. Having a backup process that can withstand a ransomware attack is key to ensuring that your firm and your firm’s assets can recover quickly from an attack. I’ve too often seen where firms cannot easily recover because the backup and restoration process may take weeks to recover and not just days.

Bottom line, review your cyber insurance policy and its related questionnaire. Ask whether you are doing everything you can to protect your firm and tailoring your actions to align with what your insurance provider has deemed as a best practice.

Contributing Writer

Susan Bradley has been patching since before the Code Red/Nimda days and remembers exactly where she was when SQL slammer hit (trying to buy something on eBay and wondering why the Internet was so slow). She writes the Patch Watch column for, is a moderator on the listserve, and writes a column of Windows security tips for In real life, she’s the IT wrangler at her firm, Tamiyasu, Smith, Horn and Braun, where she manages a fleet of Windows servers, Microsoft 365 deployments, Azure instances, desktops, a few Macs, several iPads, a few Surface devices, several iPhones and tries to keep patches up to date on all of them. In addition, she provides forensic computer investigations for the litigation consulting arm of the firm. She blogs at and is on twitter at @sbsdiva. She lurks on Twitter and Facebook, so if you are on Facebook with her, she really did read what you posted. She has a SANS/GSEC certification in security and prefers Heavy Duty Reynolds wrap for her tinfoil hat.

More from this author