Why IT departments must get in step with cyber-insurance providers
The recent TalkTalk hack is a CEO’s nightmare come true, involving everything from calls for the CEO to resign to massive drops in the share price, with significant reputational damage thrown in for good measure. The reverberations of that attack are no doubt now being felt around the country as other CEOs desperately seek reassurances from their staff regarding the robustness of their company’s cyber defences. What it will also – no doubt – stimulate will be telephone calls to those insurance companies that offer cyber-insurance policies as some CEOs will judge that now would be a good time to start sharing some risk.
Their IT departments will play a role in that process. But according to research* that my company (Wallix) recently carried out, the chances are that the role will be a lesser one rather than a greater one, and that these IT departments are missing out on an opportunity to significantly raise their profile internally.
Paying an insurance company to share some business risk makes good commercial sense. It’s what the Lloyds insurance market has done for centuries and it’s what they are now doing in offering cyber-insurance policies. In fact, so swiftly has the market grown that global gross written premiums quadrupled in just two years, from $850 million in 2012 to $2.5 billion in 2014.
At first glance, once that cyber-insurance premium has been paid and the policy put in place, the CEO can sleep more easily at night, knowing that his or her company is covered. The reality, of course, could be very different and they could still wake up to find that the insurance company won’t be paying out. Here’s why.
The ideal form of cyber risk management is a careful balance between appropriate internal IT security measures and the transfer of risk to the insurance company. But those security measures must be enforced, be enforceable and be working. We found two specific areas where this may not be the case, with the in-house IT departments potentially putting their own companies in jeopardy.
The first area concerned making security updates. Nearly half of the respondents who took part in a survey that we carried out as part of our research thought it would be either quite difficult (43%) or very difficult (10%) to ‘identify whether…security software fails to make critical updates’. In the event of a cyber-attack triggering a claim on the policy, this is one of the first areas that the insurance company will look at and, in those circumstances, it seems that our unlucky 43% would have some explaining to do.
The second area concerned the IT departments’ – some might say – laissez-faire attitude toward staff access.
50% of the sample felt that it would be either ‘difficult’ or ‘very difficult’ to identify whether any ex-employees still had access via accounts to resources on their network. The same percentage (50%) thought the same about ex-third party providers accessing their network and an even bigger proportion (55%) thought the same about ex-contractors accessing their networks.
Former staff represent the greatest threat to cyber security
Of these three groups, former staff represent the greatest threat. Research shows that 88% of cyber-attacks carried out by insiders came from permanent staff, 7% from contractors and only 5% from agency contractors. So not knowing which of your former employees still had access to your network seemed a mighty big security lapse to us, and one that the cyber-insurance company would want to bring to the attention of senior management too when turning down the insurance claim.
And let’s be clear. Although the vast majority of press coverage about cyber-attacks implies that they are being carried out by outsiders, the reality is that the majority of attacks are actually being carried out by insiders (55%).
So what can IT departments do about this state of affairs? Our recommendations are as follows:
- If your company is considering taking out a cyber-insurance policy, get involved in the decision-making process. (This seems obvious, but nearly a fifth (14%) of our respondents didn’t know that their company was considering buying one!)
- Make sure that you have a clear understanding of the limitations of your existing technology and how those may affect your cover.
- Make sure that your regular and automated security activities (updates, patches, signatures, etc.) are working.
- Maximise your own visibility. If you suffer a breach, the insurance company will want to attribute the source, and the more data you have the easier your job will be.
- Know your access control weaknesses. Most cyber-insurance policies assume you have complete control and that you have visibility of every user who has access to your infrastructure.
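As an added example (not code from the Wallix research or the report), the following script shows the kind of visibility check behind the last two recommendations: it reconciles a constructed HR leavers list with a constructed directory account export and flags ex-employee, ex-contractor and ex-third-party accounts that are still enabled or have logged on after the leave date. All usernames, dates and groups are hypothetical.

```python
from dataclasses import dataclass
from datetime import date

# Constructed HR leavers list (hypothetical data): username -> (group, leave date).
# The groups are the three the survey asked about: employees, contractors, third parties.
LEAVERS = {
    "jsmith":   ("employee",    date(2015, 9, 30)),
    "acme-svc": ("third_party", date(2015, 8, 15)),
    "ctr-lee":  ("contractor",  date(2015, 10, 5)),
}

# Constructed directory account export (hypothetical): (username, enabled, last logon or None).
ACCOUNTS = [
    ("jsmith",   True,  date(2015, 10, 20)),  # left a month ago, still enabled and logging on
    ("acme-svc", True,  None),                # supplier account never disabled, never used
    ("ctr-lee",  False, date(2015, 10, 1)),   # correctly disabled on departure
    ("mjones",   True,  date(2015, 10, 22)),  # current staff, not on the leavers list
]

REPORT_DATE = date(2015, 10, 30)  # constructed "as of" date for the audit


@dataclass
class Finding:
    username: str
    group: str
    reason: str


def find_stale_access(leavers, accounts, as_of):
    """One Finding per problem: a leaver's account still enabled, or a logon
    recorded after the leave date (evidence the account was actually used)."""
    findings = []
    for username, enabled, last_logon in accounts:
        if username not in leavers:
            continue
        group, left = leavers[username]
        if enabled:
            days = (as_of - left).days
            findings.append(Finding(username, group, f"still enabled {days} days after leaving"))
        if last_logon is not None and last_logon > left:
            findings.append(Finding(username, group, f"logon on {last_logon} after leave date {left}"))
    return findings


def count_by_group(findings):
    """Tally findings per group, matching how the survey framed the gap."""
    counts = {}
    for f in findings:
        counts[f.group] = counts.get(f.group, 0) + 1
    return counts
```

Feeding the same two exports to this check on a schedule, and keeping the output, is also the attribution data the insurer will ask for after a breach.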
According to research carried out by the Ponemon Institute on behalf of Raytheon earlier this year, their respondents felt that cybersecurity will become a source of competitive advantage for firms within three years. In other words, those companies operating with the highest levels of IT security in place will gain market share at the expense of others with poorer defences.
The role of the in-house IT department in this ‘cyber security arms race’ (as Dido Harding, the embattled CEO of TalkTalk called it) will become increasingly significant and will offer significant career opportunities, but only if those working in or managing those departments project themselves forward more forcefully.
*You can read more about our research by reading our report (‘We May Not Have It Covered’).