How Proactive Mitigation Helps SMBs Reduce Cyber Exposure
Businesses purchase cyber insurance to help protect themselves from the impacts of a cyber incident. At its core, the policy is a promise to cover financial losses and other costs, but most businesses would strongly prefer to avoid an incident in the first place.
Yet, cyber risk is never stagnant — and Active Insurance is unlike other cyber insurance products.
Coalition isn’t just gambling on your cyber risk: We’re making an investment in all of our policyholders, actively working to make you stronger and more secure. That’s why we partner with businesses throughout the policy period to proactively prevent threats from turning into full-blown attacks before it’s too late.
When we identify a serious threat, we notify policyholders with security alerts. These security alerts can take different forms. Some alerts are in response to newly published CVEs impacting a certain type of technology, while others are based on weaknesses that Coalition has detected within a specific policyholder’s tech stack.
However, not all businesses take action on these security alerts. Many security and IT professionals face competing priorities and an endless deluge of tasks that can complicate the decision-making process when triaging security alerts.
We understand how resource constraints and alert fatigue can get in the way of effective risk management. That’s why Coalition prioritizes security alerts for the vulnerabilities and security exposures that are most likely to be exploited and result in a loss.
Proactive vs. reactive security alerts
Generally speaking, security alerts fall into one of two categories: proactive and reactive.
Most security and IT professionals are familiar with reactive security alerts, which are commonly associated with recently published CVEs that are being actively exploited in the wild. Policyholders are often quick to prioritize these types of security alerts because they know other businesses have already been exploited.
Conversely, proactive security alerts are sometimes overlooked or deprioritized, wrongly assumed to be safe when no active vulnerabilities have been reported by the application or operating system providers, nor internal/external threat monitoring solutions.
For example, exposed Remote Access solutions and on-premises Microsoft Exchange servers in their current detected state are correlated with breach methods that do not rely on common weaknesses or vulnerabilities in the software. Rather they're based on successful, monetized attack methods that are employed by threat actors and producing real loss to businesses around the globe, which is why we classify them as a critical risk.
Proactive security alerts are sometimes overlooked or deprioritized, wrongly assumed to be safe when no active vulnerabilities have been reported by the application or operating system providers, nor internal/external threat monitoring solutions.
We don’t take the decision to send a security alert lightly, either. Our alerts are based on the continuous work of Coalition Security Labs, our in-house threat research team, and years of cyber insurance claims data. Coalition employs a team of cybersecurity experts whose job is dedicated to helping your business better understand these risks, explain the potential impacts, and recommend tailored solutions to help mitigate your exposure.
Coalition never wants businesses to be fearful of security alerts, but we do need them to be taken seriously.
What can happen when security alerts go unaddressed
During a recent ransomware event, a policyholder missed an opportunity to take action on a security alert and learned the hard way that experiencing a cyber incident is much more painful than proactive risk mitigation.
While investigating the matter, Coalition Incident Response (CIR)* determined a threat actor had gained access to the business’ network via Remote Desktop Web Access (RDWeb). Bypassing security controls, the threat actor gained network access and connected to the company’s internal infrastructure, allowing them to exfiltrate data and demand $2 million in Bitcoin for its safe return.
The business had previously purchased a premium security package from a new managed service provider (MSP), in which the MSP assumed responsibility for not only managing the business’ infrastructure from an IT perspective, but also monitoring its endpoint detection and response (EDR) alerts and performing weekly audits of its logs from different infrastructures.
After reviewing the business’ network logs and completing a full forensic investigation, CIR discovered Coalition had sent 12 security alerts regarding exposed RDWeb over an eight-month period. The EDR tool had also detected suspicious network activity, but all of it went unaddressed for the better part of a year.
Ultimately, CIR negotiated down the ransom payment to $500,000. Although the negotiation was successful, the incident was attributable to multiple failures that occurred months prior.
How critical failures led to a ransomware event
Undoubtedly, more than one action (or inaction) led to this ransomware event. The set-it-and-forget-it approach to insurance may have been the standard for the last 200 years, but digital threats require a modern “always-on” mindset.
Let’s look at how critical failures led to the ransomware event depicted above:
Failure 1: Network logs were not regularly audited
Had the MSP conducted weekly audits, it would’ve noticed suspicious traffic and multiple failed attempts to access RDWeb months before the actual ransomware event. Furthermore, the MSP was likely the reason RDWeb was left open in the first place.
Failure 2: The EDR solution didn’t have proper permissions
Although the EDR tool was correctly configured to detect suspicious activity, it didn’t have permission to escalate or react to alerts. Instead, alerts were routed to the MSP and went unaddressed, resulting in encryption.
Failure 3: Security alerts went unaddressed for months
Although the business received a dozen security alerts from Coalition, they chose to prioritize other matters, including other security issues to which we alerted them. It can be easy to downplay proactive risk mitigation when a threat doesn’t feel imminent, but we know first-hand that exposed RDWeb is more likely to result in a cyber incident.
For Active Insurance to be as effective as possible, we need active participation from our policyholders. Embracing this partnership (and all of the resources at Coalition’s disposal) can help businesses get ahead of worst-case scenario incidents.
So who should receive security alerts?
The size and makeup of a business often dictate who makes cybersecurity decisions. Small businesses often outsource security and IT support to MSPs or other third parties, while larger businesses are more likely to have internal teams and resources.
When Coalition deems a vulnerability to be a serious threat, we send a security alert to all impacted policyholders by email and directly within Coalition Control®, our cyber risk management platform. Regardless of size or outfit, we strongly recommend that you designate at least one in-house team member to receive security alerts. At a minimum, this ensures that core members of the business are informed about new and emerging threats.
For Active Insurance to be as effective as possible, we need active participation from our policyholders. Embracing this partnership can help businesses get ahead of worst-case scenario incidents.
We also encourage you to invite your security or IT teams to Control. Granting access to your technical experts is beneficial because your business may need to take direct action to resolve security issues. Many policyholders prefer having their dedicated security contact in-house; others delegate this role to MSPs.
There’s no limit to how many people you can sign up to receive security alerts. If it means heightened awareness about a business’ security posture, we’d much rather everyone in your organization receive security alerts as opposed to nobody.
Unfortunately, we’ve seen instances of policyholders providing email addresses for accounts that are not checked consistently. In these cases, security alerts can pile up and go unaddressed, leading to ransomware attacks, business interruption, and financial loss.
Active Insurance requires active policyholder participation
We know every business runs differently. That’s why Coalition embraces a true partnership with each and every policyholder, whether it involves third-party help from a security vendor, integration with specific security tools, or other business-specific needs.
What matters most is that security alerts are being received and actioned. If we’re sending the alert, it’s important! Active Insurance is designed to provide support if an incident occurs, but we want to help you mitigate risk before the stress of extended downtime, reputational damage, or potential lawsuits — and that often starts with responding to security alerts.
The Coalition Security Support Center is committed to safeguarding businesses by providing proactive, tailored solutions that mitigate risks and enhance security resilience. If you ever receive a security alert and need help, we encourage you to email us directly at securitysupport@coalitioninc.com or submit a request directly in Control.
