The scale, frequency and magnitude of cyber-crime is truly alarming and getting worse. Recent highly publicised attacks have served to push the issue much further up the management agenda to the extent that only the foolhardy would now argue that cyber-security is not a board level issue.
Cyber Insurance in Businesses taken More Seriously?
Which is good news in that – hopefully – the appropriate decisions are now being taken more quickly and the appropriate level of resources is now being allocated. New processes and procedures may also now be put in place and, more likely than not, some form of cyber insurance is now being taken out.
All of this preventative activity and newfound awareness regarding IT security should leave the in-house IT department feeling pretty relieved. But be warned, they’d be wise not to and, more disturbingly, they themselves may now be putting their own company at risk. So how could this state of affairs arise and what steps should be taken to prevent it happening?
Security Threats in Businesses have Numerous Entry Points
Mitigating business risk by transferring some of it to a third party in exchange for a premium makes good commercial sense and has been ever since the Lloyds coffee house owners of the 17th Century changed their business focus. Not surprisingly, given the scale of the problem - the recent Information Security Breaches Survey suggests that 74% of small businesses and 90% of large ones suffered a cyber breach in the past year - the cyber insurance industry is growing fast (global gross written premiums grew from $850 million in 2012 to $2.5 billion in 2014).
These insurance providers employ experts who can assess and price all manner of business risks, but it is fair to say that, as cybercrime is relatively new, their experience of it is necessarily limited. The result is some pretty steep premiums and, more importantly, some very stringent conditions surrounding these policies which may spell trouble for the in-house IT team.
Three Areas that could Cause your IT Department Trouble
We recently conducted some research into this area and came across three areas that, in the event of a breach, could leave the IT department with a serious amount of explaining to do.
- One of the questions we asked our survey respondents was when ‘considering purchasing cyber-insurance do you anticipate that this will require a change to your existing IT security policy?’ Most (41%) felt they would not, whilst 32% said they didn’t know, thereby putting the majority of our respondents directly on a collision course with the insurance company. This finding alarmed us and here’s why. This stance assumes that the company’s IT security policy is already of a sufficiently high standard to satisfy an insurance company. But cyber insurance policies are still relatively new, ergo, insurance companies have set the bar very high. We think that it’s essential that the IT Department understands precisely what the policy conditions are and then audits its current IT security policy so as to determine if it would pass the fitness test.
- The second element that worried us was the insufficient amount of attention being paid to security updates. Nearly half our respondents thought it would be either quite difficult (43%) or very difficult (10%) to ’identify whether…security software fails to make critical updates’. In the event of a cyber-attack triggering a claim on the policy, this is one of the first areas that the insurance company will look at and, in those circumstances, it seems that our unlucky 43% would have some explaining to do.
- The third area of our research concerned the IT Departments’ - some might say - lackadaisical attitude toward staff access. 50% of the sample felt that it would be either ‘difficult’ or ‘very difficult’ to identify whether any ex-employees still had access via accounts to resources on their network. The same percentage (50%) thought the same about ex-third party providers accessing their network and an even bigger proportion (55%) thought the same about ex-contractors accessing their networks. Of these three groups, former staff represent the greatest threat. Research shows that 88% of insider attacks came from permanent staff; 7% from contractors and only 5% from agency contractors. So not knowing which of your former employees still had access to your network seemed a mighty big security lapse to us, and one that the cyber insurance company would want to bring to the attention of senior management too when turning down the insurance claim.
What can IT Departments do about this?
So what can IT Departments do about this state of affairs? Our recommendations are as follows:
- If your company is considering taking out a cyber-insurance policy, get involved in the decision making process. (This seems obvious, but nearly a fifth (14%) of our respondents didn’t know that their company was considering buying one!)
- Make sure that you have a clear understanding about the limitations of your existing technology and how that may affect your cover.
- Make sure that your regular and automated security activities (updates, patches, signatures, etc) are working.
- Maximise your own visibility. If you suffer a breach, the insurance company will want to attribute the source and the more data you have the easier your job will be.
- Know your access control weaknesses. Most cyber insurance policies assume you have complete control and that you have visibility of every user who has access to your infrastructure.
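One way to put the last recommendation into practice is to reconcile a directory export against HR and procurement records, flagging enabled accounts still held by former employees, contractors whose contracts have ended, and third parties with no current engagement. This is an added example, not from the original post; the record layout, field names, cut-off date and sample data are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Constructed sample data standing in for a directory export and the HR/procurement records it should match.

@dataclass
class Account:
    username: str
    owner_type: str          # "employee", "contractor" or "third_party"
    enabled: bool
    last_login: Optional[date]

# Leaver dates (employees), contract end dates (contractors) and current vendor engagements (third parties).
LEAVERS = {"jsmith": date(2015, 3, 31)}
CONTRACT_ENDS = {"c-acme01": date(2015, 1, 15), "c-beta02": date(2016, 6, 30)}
ACTIVE_VENDORS = {"v-backupco"}
AS_OF = date(2015, 7, 1)     # assumed date of the review

ACCOUNTS = [
    Account("jsmith", "employee", True, date(2015, 5, 2)),        # left in March, still logging in
    Account("mjones", "employee", True, date(2015, 6, 1)),
    Account("c-acme01", "contractor", True, None),                # contract over, never disabled
    Account("c-beta02", "contractor", True, date(2015, 6, 3)),
    Account("v-backupco", "third_party", True, date(2015, 5, 30)),
    Account("v-oldmsp", "third_party", True, date(2014, 11, 9)),  # no current engagement
    Account("c-gamma03", "contractor", False, None),              # already disabled: fine
]

def find_orphaned_accounts(accounts, today, leavers=LEAVERS,
                           contract_ends=CONTRACT_ENDS, active_vendors=ACTIVE_VENDORS):
    """Return (username, reason) for every enabled account whose owner
    should no longer have access according to HR/procurement records."""
    findings = []
    for acct in accounts:
        if not acct.enabled:
            continue
        if acct.owner_type == "employee" and acct.username in leavers \
                and leavers[acct.username] < today:
            reason = "ex-employee, left %s" % leavers[acct.username]
            if acct.last_login and acct.last_login > leavers[acct.username]:
                reason += ", logged in after leaving"   # evidence the insurer will ask about
            findings.append((acct.username, reason))
        elif acct.owner_type == "contractor":
            end = contract_ends.get(acct.username)
            if end is None or end < today:
                findings.append((acct.username, "contractor with no current contract"))
        elif acct.owner_type == "third_party" and acct.username not in active_vendors:
            findings.append((acct.username, "third party with no active engagement"))
    return findings
```

Run against the constructed data it reports jsmith, c-acme01 and v-oldmsp; in a real review the same logic would be fed from the directory and HR systems rather than inline literals.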
The insurance industry is catching on to cyber insurance fast. And why not? National governments are even threatening to make it compulsory, thereby accelerating its take up. Like their counterparts which offer residential customers reduced premiums if they can prove that they have invested in upgrading their household security systems, so these insurance companies will ‘reward’ those organisations whose IT Departments can prove that they have taken the equivalent security steps within their organisations.
And as the highest chance of a cyber-attack will likely come from an employee, then that’s where these new security policies should start too.
To learn more about this topic, download our free white paper below.