Cyber insurance – Why it matters for the Cloud

By Chris Pace, Head of Product Marketing at Wallix UK.

  • 9 years ago Posted in

An unfortunate consequence of Talk Talk’s high profile hack will be to further reinforce the perception that the majority of cyber-attacks are carried out by outsiders. The reality is that 55% of cyber-attacks are committed by insiders. And yet organisations are only slowly waking up to the fact that this is an area where they remain poorly equipped, both from a technology perspective, but also from a procedural one. My company recently carried out some research* into this area and uncovered some statistics which could give senior IT management cause for concern.

Let’s consider the facts first. According to a recent CPNI Insider Data Collection study (April 2013), 82% of those cyber-attacks carried out by insiders were male. 88% of these attacks were by permanent staff, with a further 7% by contractors and only 5% by agency personnel of one sort or another. So if we know who is most likely to do it, why do we seem to have so many problems stopping them?

One answer could be in the level of investment that IT departments are prepared to make in this area. According to a paper written by the SANS Institute (entitled ‘Insider Threats and the Need for Fast and Directed Response’), nearly half of the respondents (44%) spent 10% or less of their IT budgets on preventing or detecting insider attacks. So under-investment is definitely a contributory factor.

Another one is poor quality processes and procedures. Our research highlighted three specific areas here. 50% of the respondents that took part in our survey felt that it would be either ‘difficult’ or ‘very difficult’ to identify whether any ex-employees still had access via accounts to resources on their network. The same percentage (50%) thought the same about ex-third party providers accessing their network and an even bigger proportion (55%) thought the same about ex-contractors accessing their networks.

This is highly significant. For an internal cyber-crime to take place, the criminal must have three things; the means, motive and opportunity. Allowing ex-employees unfettered access to the network automatically gives them two of those things (the means and the opportunity) so increasing the chances of a cyber-attack happening.

This will become increasingly problematic if the UK workforce continues to head in its current direction. The UK freelancers association, IPSE, estimates that by the end of 2014 there were 1.88 million ‘independent professionals’ working in the UK, a jump of 35% from 2008. One of the biggest growth areas was in IT and it is now rare, especially in London, to find an IT department that is not reliant on contract staff.

Transferring some of this business risk by purchasing insurance cover might seem good commercial sense. The Lloyd’s insurance market has been doing just that for centuries and it’s what they are now doing in offering cyber insurance policies. In fact, the uptake of this kind of policy has been so swift that global gross written premiums quadrupled in just two years, from $850 million in 2012 to $2.5 billion in 2014.

However, while paying for a cyber insurance policy might make the CEO sleep more easily at night, the reality is that the company may very well still not be covered, and IT teams are still putting their own companies in jeopardy. The ideal risk management scenario would be one where a fine balance is struck between appropriate IT security measures and the transfer of risk to the insurance company. But, quite simply, those security measures must be enforced, enforceable and working. One area where this isn’t the case is when it comes to understanding who has access to what on the system, be they employees or contractors, past or present.

However, another worrying area is to do with security updates. Nearly half the respondents from the survey thought it would be quite difficult (43%) of very difficult (10%) to ‘identify whether…security software fails to critical updates”.

In all the cyber cover policies I’ve looked at, these two areas are considered fairly basic requirements.

So what can cloud service providers to about this state of affairs? One of the first things is to check if there is a cyber insurance policy or if the company is thinking of getting one. Sounds obvious, but nearly one fifth (14%) of our survey respondents didn’t know if their company was considering buying one. Here is an opportunity to demonstrate expertise at the compliance challenges involved in cyber cover. Next, I’ve outlined four steps to follow to shore up defences and ensure cyber cover compliance.

Audit

Having a clear understanding of the limits of the existing service provision, and how it may affect insurance cover. Carefully examine all the areas covered by the policy and how they map on to the skills and technologies already in place.

Check, check, check

Keeping on top of regular and automated security activities should be standard. Make sure these are working.

 

Visibility

If there is a breach, the insurance company will want to attribute the source and the more data that can be provided, the easier that job will be. Maximising visibility not only provides an audit trail after the event, it may also act as an early warning of unauthroised activity.

Access

Understand the access control weaknesses. Cyber policies assume there is complete control and that there is visibility of every user accessing the infrastructure. In reality, companies have either no idea or still operate anonymous, shared privileged accounts, which cannot be easily traced to any one individual in the case of a breach.

According to research conducted by the Ponemon Insitute on behalf of Raytheon earlier this year, the respondents felt that cybersecurity will become a source of competitive advantage for firms within three years.  In other words, those operating with the highest leels of IT security in place will gain market share at the expense of others with poor defences.  To borrow words of the embattled CEO of TalkTalk, the “cyber security arms race” is gearing up. It will offer significant growth opportunities.

*You can read more about our research by reading our report (‘We May Not Have It Covered’).

To contact the author email him at cpace@wallix.com

 

By Barry O'Donnelll, Chief Operating Officer at TSG.
The cloud is the backbone of digital cybersecurity. By Walter Heck, CTO HeleCloud
By Milou Lammers, Director of Compliance, iland.
By Brett Beranek, Vice-President & General Manager, Security & Biometrics Line of Business at...
By Michael Queenan, co-founder and CEO of Nephos Technologies.
By Tawnya Lancaster, Lead Product Marketing Manager, AT&T Cybersecurity.
Why businesses need a bigger boat for tackling IaC security By Robert Haynes, SCA & Open Source...
Cybersecurity continues to be a major challenge for companies, with as many as four in ten...