{"id":59751,"date":"2022-03-01T11:00:00","date_gmt":"2022-03-01T16:00:00","guid":{"rendered":"https:\/\/jumpcloud.com\/?p=59751"},"modified":"2023-08-30T08:55:22","modified_gmt":"2023-08-30T12:55:22","slug":"legacy-servers-are-a-cyber-insurance-preexisting-condition","status":"publish","type":"post","link":"https:\/\/jumpcloud.com\/blog\/legacy-servers-are-a-cyber-insurance-preexisting-condition","title":{"rendered":"Legacy Servers Are a Cyber Insurance Pre-existing Condition"},"content":{"rendered":"\n
Ransomware is a multi-billion dollar a year racket, and attacks against small and medium-sized enterprises (SMEs) are on the rise, costing companies between $25,600 and $200,000 on average. The insurance industry is stepping in with cyber insurance policies tailored to help SMEs recover; but, as with any plan, there is an underwriting process to avoid adverse selection. Insurance companies aren't in business to give money away and don't want too many "sick" clients.

Insurers determine whether an SME is worth the risk by assessing whether sufficient security controls and patching strategies are in place. They have recently keyed in on several high-profile vulnerabilities in Microsoft Exchange Server, for example: the presence of an on-premises Exchange server, and the absence of critical security updates for it, are being used as criteria to refuse coverage.

The assessment of risk doesn't begin or end with Exchange. A client asked me to help her fill out an application for a cyber insurance policy that serves the legal industry, and the questions ranged from the use of technical controls such as multi-factor authentication (MFA) and email security to least privilege computing. Several legacy products and solutions were also explicitly called out.

Don't just take our word for it … here it is, in black and white:

Many IT admins would publicly roll their eyes at the notion that any SME would be using unsupported software, but those of us who have been out in the field know what's hidden under the covers. Why else would insurers be asking? If operating legacy, on-premises infrastructure carries inherent administrative overhead, and if doing the same old thing is a "pre-existing condition," why not change? Simply put, many companies feel they don't have the budget to replace old server racks or to locate and hire qualified people to do the work.

To that I say, it all boils down to this question: is it worth the risk to maintain all of that legacy, or is it possible to think differently, accomplish more, and become an (insurer-friendly) security and compliance hero?

Migrating to a cloud service is risk transference, and we'd argue it's an effective way to reduce vulnerabilities that cyber insurers would approve of. You're placing trust in a SaaS provider to have a mature secure development lifecycle (SDLC), a security operations center (SOC), and a team with the experience and technical certifications that an SME couldn't afford to build in-house. Be precise about what is transferred, though: the provider takes on running and patching the software, while the customer still owns its own tenant configuration, user accounts, MFA enforcement and access policies, and insurers ask about those too.

IT admins can use JumpCloud for their identity and access management (IAM) infrastructure with confidence. JumpCloud has completed a SOC 2 Type 2 examination for its directory platform and follows these security best practices. You can read more about why you should trust us here.

In all fairness, Microsoft has also invested heavily in security (I had the pleasure of working with some terrific people on its security team). However, as Fortune noted, Microsoft can't be both the firefighter and the arsonist. Its legacy on-premises products are a wellspring of security vulnerabilities, and products that are past end of life receive no security fixes at all and should be treated as insecure.

That's true even for server products that are within the support lifecycle. For instance, I had to decommission a domain controller (DC) that had been running Remote Desktop Protocol (RDP) and was open to the web. A DC reachable over RDP from the internet means that one guessed or phished password, or one unpatched RDP vulnerability, hands an attacker the entire domain. Fixing it meant rebuilding the DC and deploying a dedicated server for RDP. There were several hidden costs to this endeavor, like ensuring that the server rack and our server virtualization suite (and the staff who had to be certified to use it) could handle those changes. Costs add up, quickly.

Today's IT environments require a Zero Trust security posture, and many industries are, or soon will be, governed by regulations and compliance policies with specific requirements that must be met. This calls for systems that are up to the challenge but manageable enough that SMEs don't have to buy a fully loaded Porsche for a cruise down Main Street.

JumpCloud is designed to support SMEs' need to manage the user lifecycle across all devices, regardless of OS, and to connect to more things securely. Zero Trust IAM and compliance features such as patch management tools are exactly what cyber insurers are looking for.
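The domain controller with RDP open to the web described above is exactly the kind of finding an insurer's questionnaire is trying to surface, and it is cheap to check for before an underwriter (or an attacker) does. The script below is an added example written for this page, not code from the original post or from JumpCloud; it assumes an elevated PowerShell session on a Windows Server 2012 R2 or later host (the NetSecurity cmdlets it uses are built in there) and reports whether the machine is a DC, whether RDP is enabled and actually listening, whether Network Level Authentication is required, and whether an enabled inbound firewall rule for RDP accepts connections from any remote address. The function name Get-RdpExposureReport is our own.

```powershell
# Added example (not from the original post): audit a Windows host for the
# "domain controller answering RDP with no source restriction" condition.
# Assumes an elevated session on Windows Server 2012 R2 or later.

function Get-RdpExposureReport {
    [CmdletBinding()]
    param()

    # Win32_ComputerSystem.DomainRole: 4 = backup DC, 5 = primary DC
    $cs   = Get-CimInstance -ClassName Win32_ComputerSystem
    $isDc = $cs.DomainRole -in 4, 5

    # fDenyTSConnections = 0 means Remote Desktop is enabled on this host
    $tsKey      = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $rdpEnabled = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections).fDenyTSConnections -eq 0

    # UserAuthentication = 1 means Network Level Authentication is required;
    # PortNumber is the listener port (3389 unless someone moved it)
    $rdpTcpKey   = Join-Path $tsKey 'WinStations\RDP-Tcp'
    $rdpTcp      = Get-ItemProperty -Path $rdpTcpKey -Name UserAuthentication, PortNumber
    $nlaRequired = $rdpTcp.UserAuthentication -eq 1
    $port        = [int]$rdpTcp.PortNumber

    # Is anything actually listening on that port right now?
    $listening = [bool](Get-NetTCPConnection -State Listen -LocalPort $port -ErrorAction SilentlyContinue)

    # Enabled inbound firewall rules in the Remote Desktop group whose remote
    # address scope is "Any" accept RDP from wherever the network lets through
    $rules = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound -Enabled True -ErrorAction SilentlyContinue
    $openToAny = $false
    foreach ($rule in $rules) {
        $filter = $rule | Get-NetFirewallAddressFilter
        if ($filter.RemoteAddress -contains 'Any') { $openToAny = $true }
    }

    [pscustomobject]@{
        ComputerName       = $cs.Name
        IsDomainController = $isDc
        RdpEnabled         = $rdpEnabled
        RdpListening       = $listening
        RdpPort            = $port
        NlaRequired        = $nlaRequired
        FirewallOpenToAny  = $openToAny
        # The condition from the post: a DC answering RDP with no source restriction
        HighRisk           = ($isDc -and $rdpEnabled -and $listening -and $openToAny)
    }
}

Get-RdpExposureReport | Format-List
```

One caveat on reading the result: this is a host-side view. A firewall rule scoped to "Any" tells you the server itself will answer anyone; whether the internet can reach it depends on the perimeter firewall or NAT in front of it, which this script cannot see. Confirm exposure from outside (a port check from an external host, or a look at the edge device's forwarding rules), and treat HighRisk = True as a reason to move RDP off the DC entirely, as the post describes, rather than merely tightening the rule.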
Risk Transference