I've ventured into new territory lately: cyber-insurance. Here's why.
Hotel chains. Zoo gift shops. Amusement parks. Our own U.S. government's Office of Personnel Management. Security breaches continue to abound, apparently undiminished. And they are all over the news, which is causing me no end of headaches at work (especially with the overly dramatic coverage the network news provides). Just today, Trump Properties announced a security breach that compromised credit card numbers, with a particularly telling statement: "Like virtually every other company these days, we have been alerted to potential suspicious credit card activity and are in the midst of a thorough investigation." "Like virtually every other company" -- except mine, as long as I can prevent us from being a victim like all the others.
Every time one of these breaches hits the news, I get interrogated by my company's board and senior management. What are we doing to protect ourselves? Are we doing enough to avoid being a victim? And lately, I've been getting asked, "If the U.S. government can't protect itself, how can we hope to?"
Leaving aside for the moment that all these victims (including the government) have not done all they can to protect themselves, these questions are not easy to answer. First of all, the senior executives at my company are not particularly tech-savvy. After I get about three words into my explanation of our technology defenses, their eyes glaze over and they lose interest. And the answer is complicated. I have many layers of technologies and process in place to defend my company's network, along with sophisticated intrusion detection that should alert me if anybody does get past our defenses. It's hard to boil all those down into a 30-second elevator summary.
I'm also having difficulty answering the question "Are we doing enough?" I talk about the SANS Top 20 risks and controls, which are an excellent starting point. I have done extensive risk assessments, both internal and external, and have security controls in place for all the risks that have been identified. I've even made a list of "everything" that security practitioners can do. But again, the eyes glaze over the minute I start talking.
Plus, there's the truth of the matter: Nobody can really do enough to stop 100% of all technology threats. And nobody wants to hear that.
We are barraged with constant updates from Adobe to fix serious vulnerabilities in its Flash Player software that runs on practically every computer, everywhere. Microsoft releases security patches every month, which we have to deploy quickly without missing any systems. We are bombarded with phishing emails, and our employees can't seem to avoid malicious websites. How can we hope to stay on top of all that, before the hackers take advantage of something we missed, or haven't gotten to yet?
Which is why we are considering cyber-insurance. This was an idea first advanced by my company's board of directors. It didn't make sense to me at first, because I think we really are doing everything reasonable to prevent an attacker from breaking into our network, so why pay for coverage for something I don't think is going to happen? But then again, as I said, nothing can be 100% secure. So the more I think about it, the more insurance to cover the costs of a security breach seems to make sense (assuming that the coverage is legitimate, and broad enough to cover the real-world attack scenarios we may experience, and the insurance company won't try to weasel out of paying if we do get breached). The coverage can pay for the costs of investigating, reporting and remediating the breach.
However, not surprisingly, the policies I looked at varied widely on these factors. I looked at several policies that were pathetically weak, directly excluding most of the real-world threats we are concerned about, and placing unreasonable limits on others, while providing coverage for the less likely scenarios. But there were a couple that do cover things I think are possible -- such as hackers exploiting improperly configured servers, networks or firewalls to gain access to our network, or clueless employees that get their computers infected with malware through opening email attachments or visiting malicious websites, resulting in an intrusion or data theft. Those better policies cover the costs of forensic investigation, notifications and cleanup.
So now my opinion on the value of cyber-insurance has done a 180. What at first I thought was pointless may in fact turn out to be a reasonable value. I'll continue reviewing and discussing these policies with the management at my company, but I think we will decide to get the coverage.
This week's journal is written by a real security manager, "J.F. Rice," whose name and employer have been disguised for obvious reasons. Contact him at firstname.lastname@example.org.
Click here for more security articles.