Are cybercriminals counting on the victim’s simple cost-to-benefit decision to have their cyber-insurer pay the ransom? And, if so, are they targeting companies with cyberinsurance?

We’ve discussed the rising uptick of ransomware attacks in frequency, sophistication, and effectiveness here on this blog. But an article popped up recently proposing the question of whether the presence of cyberinsurance is a factor in the rise in attacks. It’s a reasonable assumption – organizations that have an insurance policy protecting them against ransomware attacks would find it far easier to pull the trigger on paying the ransom. A ransom costing several hundred thousand dollars may only cost a small fraction of that in a deductible payment by the victim organization.

While not every cyberinsurance policy pays out – as in the $100 million on-going fight between Mondelez, the owner of brands such as Oreos and Nabisco, and Zurich Insurance group which doesn’t appear to have been settled – organizations with proper riders for ransomware certainly have a much easier decision of whether to pay.

So, then the question becomes, are cybercriminals targeting companies with cyberinsurance? It may seem far-fetched, but, think about it: hackers could target insurers, gain access to an application with customer policy data, export it and… instant target list.

At the same time, cybercriminals can simply look at the headlines for verticals of business that pay the ransom and make some assumptions. Take the rash of recent attacks on state and local government – seems like targeting to me. It could be an assumption of low degrees of security in place, or does it have to do with cyberinsurance?

The right answer is don’t wait to find out.

Even an organization with the least amount of security in place can still put up a good fight with continual Security Awareness Training, which educates users about how they are a necessary part of an attack by clicking on malicious content. Ransomware attacks can increase all they want. But if users are taught how to spot malicious content in email and on the web and never engage with it, your organization is safer from the threat of ransomware.

This article originally appeared on KnowBe4.

About the Author

Stu Sjouwerman (pronounced “shower-man”) is the founder and CEO of KnowBe4 Inc, a provider of the most popular Security Awareness Training and Simulated Phishing platform. A serial entrepreneur and data security expert with more than 30 years in the IT industry, Sjouwerman is the author of four books, with his latest being “Cyberheist: The Biggest Financial Threat Facing American Businesses.” Along with his CEO duties, Stu is Editor-in-Chief of Cyberheist News, an e-zine tailored to deliver IT security news, technical updates, and social engineering alerts. Stu is a four-time Inc 500 award winner and EY Entrepreneur of the Year finalist.