Cyber insurance and penetration testers together for more cyber resilience - Interview in the trade magazine

When cyber insurance companies and penetration testers work together, there is great added value for everyone involved. Our co-founder Immanuel explains why this is the case and how these synergy effects can be used even better in the future in this interview with AssCompact, the specialist magazine for risk and capital management.

Current risk situation: This is why cyber insurance makes sense

Cyber security affects all companies – and people!

At the beginning of the interview, Immanuel makes it clear why dealing with cyber security and the corresponding cyber insurance is important for every company: Even if a hacking attack “only” attacks systems, the consequences ultimately affect people.

For example, a successful cyber attack can result in people losing their jobs. In addition, there may be severe restrictions for customers or users. This was shown by the attack on the Chambers of Industry and Commerce (IHK) in September 2022. Immanuel makes it clear that this attack not only affected the internal systems of the IHK: "The training system within the IHK member companies and citizen-oriented IHK services were also completely switched off."

"Cybersecurity protects jobs." (Immanuel Baer, Co-Founder, ProSec)

It is irrelevant whether it is a predominantly digital company or a large corporation. Immanuel makes it clear that a carpentry shop with a web shop can also fall victim to hackers. After all, cybercrime is ultimately a lucrative business that thrives on widespread distribution: "Cybercrime is by far the most effective way to make money. There is no branch of the economy that is scaling so rapidly and has such high sales." This is shown, for example, by the current global wave of cyber attacks.

The good news

For Immanuel it is clear: "Hacker attacks penetrated deep into our society in 2022." But he also has good news: "In 2023, cyber attacks with fatal consequences will be avoidable." And: "There is an antidote to all cyber attacks."

An example: Approximately 75 percent of all cyber attacks start with malicious e-mail attachments, i.e. via the human factor. This danger can be drastically reduced by so-called sandboxing technology. A sandbox is an isolated environment in which potentially unsafe code can be executed for testing purposes. If the code turns out to be malicious, it can be blocked within this environment without infecting the rest of the network.

Now, at the latest, every company and every authority should proactively deal with the topic of cyber security. In the following sections we explain how professional hackers like Immanuel can help and what role cyber insurance plays.

That is why it makes sense for cyber insurance companies and penetration testers to work together

Synergy effects for double security

If companies want to protect themselves comprehensively against damage caused by hacking attacks, penetration tests and cyber insurance should go hand in hand. On the one hand, there is always a residual risk, even with supposedly secure systems, which can be covered by insurance policies. On the other hand, a company significantly increases its insurability for cyber policies if it undergoes a thorough check by professional pentesters, explains Immanuel.

The truth is: Questionnaires say nothing about the actual IT security of a company.

Ultimately, all sides benefit from this "synergy effect", because only a real penetration test can provide a realistic picture of a company's cyber security and serve as the cornerstone for its optimization. Alternatives such as questionnaires are not sufficient for this, as Immanuel clearly explains in the interview:

"This is the reality": When questionnaires and real hackers meet

Immanuel reports on the case of a client: An insurer's rating based on a questionnaire showed that the customer was "secure" enough for cyber risk coverage.

But then came the penetration testers from ProSec and had no trouble gaining access to highly sensitive data. Both the insurer and the customer benefit from this reality check – the company can remedy the weak points found and the risk of having to pay in the event of a claim is minimized for the insurer.

So a win-win.

It is therefore not surprising that insurers fall back on the expertise of cyber security specialists such as ProSec "from a certain protection requirement class". In certain cases, when the policy is signed, insurers even assume the entire costs of our services for the customer, adds Immanuel. This is covered in more detail in the “Bonus Section” at the end of this post.

Insurers also have to take care of their cyber security

The insurers themselves would do well to check their own security through comprehensive penetration tests. After all, there is a lot of sensitive data on their systems, which makes them a very attractive target for ransomware attacks. Immanuel explains the logic behind this:

This is how cyber criminals tick

Most cyber attacks aim to achieve the greatest possible degree of monetization. They usually achieve this through ransomware attacks, in which hackers encrypt data and blackmail the attacked company by threatening to release it. This means of pressure works particularly well with cyber insurers for data protection reasons, which is why they are a popular target for hackers.

Another "bonus" for the attackers is the content of the captured data itself: Here they can find out which other companies have taken out a cyber policy that covers ransom payments. These companies, in turn, represent suitable follow-up targets, since ransom demands have a high probability of being met.

To Do's: This is what cyber insurance companies and pentesters have to take care of now

From his practice as a professional hacker, Immanuel currently sees these three points as concrete tasks for cyber insurance companies:

  1. Improving business risk assessment procedures
  2. Sensitizing companies to digital resilience (i.e. sustainable IT security)
  3. Promoting cyber insurance products actively and informatively

With all of these points, it makes sense for cyber insurance companies and penetration test providers to work together. In the following bonus section, which was not part of the interview with AssCompact, we explain exactly how synergy effects can be used sensibly.
Bonus Content: What is an Incident Pentest?

Let's say the damage is done: a company was successfully hacked. This is a very stressful situation for everyone involved. The good news: Exactly this situation can be the starting point for a strengthened and sustainably secure IT environment for this company. What is needed for this is an incident-related pentest.

What is the difference between a proactive pentest and an incident-related pentest?

The difference between a proactive pentest and a pentest in the specific context of a hacking incident is mainly in the scoping: Before each pentest, service providers such as ProSec work with the company to determine the scope and framework conditions for the test. Without a concrete incident, those responsible have to assess which components should be checked particularly thoroughly and which paths attackers would most likely choose.

If there is a real attack, the available information about this attack can be used for scoping. However, the pentest is not reduced to the exact kill chain of this attack: testing is also carried out extensively here in order to include other attack scenarios.

What is the difference between a forensic investigation and an incident pentest after a hacking incident?

The usual procedure to date after a hacking incident, as commissioned by cyber insurance companies, is a forensic investigation. Its aim is to investigate the methods used and the possible attack paths, and to identify the perpetrator.

In connection with an attack that has taken place, a pentest also examines how it was probably carried out. However, the goal is different: it is less about identifying the perpetrators and more about identifying the weak points. A good penetration test provider does not stop at determining the vulnerabilities, but also supports their elimination afterwards.

The difference can be visualized as follows: After a burglary, investigators look for fingerprints in order to then search a database for suitable entries and, if necessary, identify the perpetrator. Pentesters also look for fingerprints. But they are not concerned with assignment to a specific person. Rather, they are concerned with the question of whether the perpetrators broke in through the front door or a window and how they then moved through the house. Overall, pentesters put on the “attacker glasses” in their work and also include other possible break-in paths in their investigation.

Why is this focus useful? In the case of hacking attacks, the probability of being able to identify individual perpetrators is unfortunately negligible compared to crimes "in the real world". However, the risk of being hacked again after a hacking incident is relatively high. That's why it makes more sense to focus on protecting against future attacks. ProSec guarantees this through a technical workshop, which is carried out after the actual pentest. The pentesters transfer their expertise to the company's IT specialists and support them in correcting the findings.

What is the difference between an automatic vulnerability scan and a "real" pentest?

Cyber insurance companies often rely on questionnaires (which have already been discussed above) and automatic vulnerability scans. The great advantage of such tools is obvious: they are extremely scalable and deliver fast results. That is why they have their place and are an important means on the way to more cyber resilience.

The limits of such scans are just as clear: they are only applied externally and remain non-invasive. One gateway remains unnoticed: the human factor and its susceptibility to social engineering. In addition, it remains unclear how attackers will spread through the systems after exploiting a vulnerability and what damage they can cause there. These questions can only be answered by a comprehensive pentest, which includes social engineering and also the physical security of a company.

When do cyber insurance companies pay for an incident-related pentest?

The following example shows how all parties can benefit from an incident-related pentest: A medium-sized logistics company was hacked a few months ago. When processing the incident, the IT service provider recommended that the company consult ProSec as a "specialist". Contrary to what is often assumed, not every IT company is automatically an expert in IT security. This is understandable if you look at the analogy between "general practitioners" and "specialists".

In the example given, we took a close look at the customer's cyber policy. We found that, after a hacking incident, measures to harden IT security were covered. This is exactly what our penetration tests and the subsequent technical workshop are aimed at. Therefore, in this case, our service could be covered by the customer's insurance.
