According to a recent survey, nearly half of the IT professionals polled thought there was ‘insufficient need’ to invest in cyber-insurance, whilst just over one third did not believe that their company would need to change its IT security policy when taking out cyber-insurance.
These are the main findings to emerge from a recent survey on cyber-insurance carried out amongst IT professionals in the UK and France by Wallix, a software company providing cyber-security and governance solutions for information systems access.
According to the 2014 Information Security Breaches Survey, 81% of large businesses and 60% of small businesses suffered a breach in the last year with the average cost of breaches to business nearly doubling since last year. As cyber-insurance begins to be seen as a way to effectively cover costs and repair damage associated with a breach, Wallix’s survey reveals IT departments are slow to react to the change.
41% of respondents did not believe a change in IT policy would be necessary when taking out cyber insurance, and half of the respondents thought it would be difficult to identify whether ex-employees, ex-third party providers or ex-contractors still had access to resources on their network. An audit trail that proves access rights are being managed appropriately (for example, that they are revoked when an employee leaves the firm) is considered necessary to validate most cyber-insurance policies.
The breakdown is as follows: half of them thought it would be either ‘difficult’ or ‘very difficult’ to identify whether any ex-third party providers still had access to resources on their network; 40% thought it would be difficult to identify whether any ex-employees still had access; and 55% (made up of 45% answering ‘difficult’ and 10% answering ‘very difficult’) would appear to have problems spotting any ex-contractors.
Headquartered in France, Wallix conducted the survey in both the UK and France. Although there was a great deal of uniformity in the responses to most questions, there was some divergence between the two countries in two question areas: which internal department led the organisation’s purchase decision (according to the French sample, nearly a third thought the Finance Department led on this, whilst in the UK the Finance Department did not feature at all), and their confidence in their systems’ abilities to make critical updates and in their treatment of third party providers. The majority of the French sample were very confident, their British counterparts much less so.
For the British sample, ‘Identity and Access’ emerged as one of the top three cyber security challenges, alongside ‘meeting compliance’ and ‘working with third parties’.
Commenting on the findings, the report’s author, Chris Pace, the company’s Head of Product Marketing at Wallix UK, who commissioned the survey, said, “Cyber-insurance is rapidly coming of age and both the Government and the UK insurance industry have taken big steps to ensure that the UK leads the world in this field. But the IT industry needs to raise its game.
Our survey indicates that there is a degree of complacency within many organisations’ IT departments and this needs to be eradicated if companies are not to be put at risk. We are frankly alarmed that the IT department does not feel the need to change the security policy when cyber insurance policies clearly indicate that businesses must have complete control and visibility of every user who accesses their infrastructure. And yet according to our survey this clearly isn’t happening. Hopefully our report will act as a wake-up call to those IT departments.”
The survey findings have been incorporated into a report entitled ‘We may not have it covered: Do IT teams understand the impact of investing in cyber-insurance?’ The report is available to download from the Wallix website.
The online survey took place during July and August of this year. The sample was drawn from Information Technology professionals.
Based on the survey, the company has recommended five steps that it feels companies will need to follow so as to get the best from their cyber insurance policy. These are:
1. Get involved. It’s vital the IT department is part of any process to invest in cyber insurance.
2. Know your limits. Make sure you have a clear understanding of the technology limitations that could affect your cover.
3. Belt and braces. Your regular and automated security activities (updates, patching, signatures etc.) must be working. They could be the difference between an insurance payout and the spiralling costs and damage limitation resulting from a breach.
4. Maximise your visibility. If you do suffer a breach there’s a possibility that your insurance company will want to attribute its source; the more data you have the easier that job will be.
5. Know your access control weaknesses. Many cyber-insurance policy terms make an assumption that businesses have complete control and visibility of every user who accesses their infrastructure. Start by ensuring you have effective management of privileged user access.