Protega Blog

What is the true cost of a Cyber Breach? Find out what our Regional Sales Manager, Tim Newland, has to say on the topic

Terry Swan - Friday, December 09, 2016

Written by our Regional Sales Manager, Tim Newland, and published in the Australian Security Magazine


What IS the true cost of a Cyber Breach? Having worked in the technology sector for many years, and more recently specialising in the cyber security space, I often read articles around ‘the true cost of a cyber security breach’.

As a security champion and seasoned consultant to both the government and private sector, I feel as if I should be promoting fear mongering and jumping on the bandwagon, applying scare tactics and enforcing this style of selling for financial gain. However, I feel uncomfortable with throwing unsubstantiated numbers around and generalising on events that we know very little or nothing about, especially when it comes to private businesses being compromised.

Having read numerous articles, there seems to be a massive variance here, without anyone actually having solid statistics cross-referenced against all the scenarios. Granted, AHPRA & AGO would have some statistics, but these would only be relevant to a handful of larger organisations that responded to the surveys or have in fact had a reported breach. Again, this doesn’t support the multiple articles substantiating breach costs of A$100k and others suggesting costs up to US$7m, albeit these articles apply to varying organisations based in different locations on a global scale that will be governed by different compliance laws. In essence, the cost of the breach depends on the sector, what has been taken, reputational damage and what the penalties are around this, not excluding the response time needed and other mitigating factors.

I find it hard to make a generalist statement that a breach would cost upward of “x” amount of millions of dollars; these figures would seem to apply to less than 10% of the corporate market (large corporates). The remaining companies wouldn’t be able to afford a breach at that kind of cost; it would fold the company, and I don’t hear a lot about companies going out of business due to a breach (not to say there haven’t been any).

So, removing all the noise and the fear mongering from the equation, there is no simple answer to this. It is hard to track, as the majority of private sector companies are not regulated here in Australia. Perhaps when the mandatory breach notification laws are passed and we have more information, we can accurately make decisions on the actual cost of a breach within specific industry sectors, types of breaches and the knock-on effects these have had on companies. Then, and only then, can we advertise and label a breach with a specific price tag in mind.

Some Managed Security Service Providers (MSSPs) may have some statistics and information surrounding breaches, especially if they have a large volume of customers. Although a large volume of customers would still only represent a small percentage of the market, again, these would be speculative numbers that would generally not be released due to sensitive information and confidentiality issues, nor would they give an MSSP the ability to make mass generalisations on the cost of an average breach.

The point here is to not ignore the fear mongering but to take it with a pinch of salt. Do not be complacent and think it will never happen to you because the fact of the matter is, it probably will. Various hacker groups look for SMB companies to test their malware before they hit the large corporates so if anything, this makes the SMB sector a far greater target than the larger institutions.

Ensure you are having regular security health checks and test your critical infrastructure; make sure you have endpoint protection, next-gen firewalls and a solid Incident Response Plan in place to deal with the technology aspect and the possibility of a breach. I’d also recommend you have regular and appropriate staff training in place to deal with the human element.

Partner with a security consultancy that takes the time to understand the risks faced by your business and has a good view of your particular industry vertical. Make sure they can identify which risks are specific to that industry and whether there are particular events that have affected organisations in your competitive landscape, allowing you to mitigate the risks and bolster your defences where needed, rather than throwing budget into areas that you feel you have to because you have succumbed to the fear mongering!

Mitigating the risk can often be a complex process, so here are some quick wins to be thinking about: patching applications, restricting admin privileges, application whitelisting and regular reinforcement of training for your staff to prevent phishing attacks, which have proven to be the main instigator of successful cyber-attacks. Be prepared, have a plan and stay ahead of the bad guys as much as you can, but don’t be blind-sided by tactical fear mongering and crafty marketing.


Obstinately clinging to iconic obsolescence

Terry Swan - Friday, November 11, 2016

Protega have been published!


Our Director, James Wootton, has had the following article published in the Australian Security Magazine. Enjoy reading it!

James Wootton

As those around me in the Protega office will tell you, combine information security with a certain clichéd icon or stock-photo image and it’s a recipe that is guaranteed to turn my rage on – the padlock! Put the words cyber and padlock together and Google will churn out around 364,000 results: everything from the purchase of padlocks to ransomware, to convincing you a solution is secure because of its presence, something a depressingly small number of us know is simply not the case!

I wandered down to my local convenience store, handed over my $8 and purchased a stock brass-bodied padlock. This is one that the public clearly believe does the job, because the lady behind the counter told me it was a ‘good seller’.

It looks the part. A solid brass-bodied, steel-shackled device, oozing safety and confidence; it says it will protect your cherished items! Except that a mere 5 seconds later, with only a lock pick and no torsion bar, the lock turned out to be much as expected: all brass, no protection!

But, in the same way your life is shattered the day you discover there is no Santa Claus, every competent locksmith will tell you that the vast majority of padlocks are nothing more than the illusion of security and should be treated with equal scepticism.

I assert that padlocks are therefore the worst possible analogy and, pictorially, the worst possible distortion of acceptable standards for information security.

Let me humour/frighten you with a physical-world analogy, where we recognised decades ago that in the ‘normal’ world, threat prevention and keeping the bad guys out requires a defence-in-depth risk mitigation strategy. A (hopefully) appropriate combination of guards, guns, dogs, walls, gates, locks, alarms, lights, CCTV monitoring and insurance(!) will be involved, dependent upon the appetite for perceived risk versus constraints. Sorry to anyone being taught to suck eggs, but let me explain by picking a risk scenario very real to all of us.

Consider the risks to your family and valuable belongings (assets) in your home. You definitely considered how to keep your family safe, right? You probably considered theft of your assets next; let’s face it, no one wants to lose their 6ct diamond necklace or 1968 ‘Bullitt’ Mustang! To a greater or lesser extent, you probably considered other threats such as fire and storm damage. Thinking about the countermeasures that are deployed to mitigate these risks can be an interesting exercise. Try thinking about the controls deployed in the negative: what haven’t you addressed (the gap)?

  • Locks – chosen by the previous occupier, seemed OK when you made the risk assessment, but who has all the keys and are the locks any good?
  • Working Fire alarm?
  • Working Smoke alarms?
  • Secure safe for high value assets?
  • Secure Doors?
  • Secure Windows?
  • Secure garage door?
  • Adequate and appropriate Insurance?

Hands up all those that considered every element of the above and felt they made an accurate assessment of each? Or did you make a shoulder-shrugging gesture whilst thinking, ‘good enough’? Those with their hand up, for starters, shouldn’t take things so literally, but nonetheless, well done! But wait, was your risk assessment based upon evidence, experience, assumptions or perception? Humans are really bad at calculating accurate risk assessments, which is the very reason why society attempts to legislate against stupid activities likely to harm us or others! Our approach to risk is nevertheless usually the minimum effort and expenditure that convinces us (and our conscience) that we’ve considered the risks and made a conscious decision, albeit not necessarily an accurate one!

So, why do we cling to broken technologies that are woefully inadequate in cyberspace?

Just like the padlock, we probably just don’t understand how much risk we are carrying, because we didn’t want to ask the question or we didn’t know the right question to ask. Any security professional worth their salt will tell you that the typical organisation’s computing devices aren’t protected by the technologies we have become comfortable with (AV, limited endpoint protection etc.), and that these aren’t worth the money and time invested in them if they aren’t protecting you from today’s crop of threats. Some organisations I’ve assessed have actually increased business risk by weakening their systems, turning off such things as Microsoft Windows Defender/Essentials and continuing to use their preferred third-party AV solution, without understanding the consequences of doing so or assessing if the product even works (it didn’t!). In any case, anti-virus doesn’t address today’s user-based ‘social engineering’ attacks and your firewall is unlikely to be designed to either. Sorry to say, vogue cloud-based solutions aren’t the panaceas of information security either. For example, moving a mail solution to Office 365 will not prevent the majority of spam and will barely stop the simplest of spear phishing attacks, because that isn’t what it does! Marketing are partly to blame in the mad rush to sell cloud-based systems because they’re ‘secure’ (usually meaning the communications are secure, via HTTPS, and even that’s debatable!).

Enough rhetoric, present me with a solution already!

Ah, I’m afraid the classic ‘it depends’ is my oh-so-clever answer. Not because I’m basking in the glow of my own smugness, but because it depends upon the value of, or sensitivity attributed to, the assets you want to protect and, of course, how risky you’re prepared to be; not forgetting that your assessment of residual risk may be suspect! If, like the devotees of the padlock, you just want the illusion of security, then maintain the status quo; it’s all good. Don’t be surprised, though, when your online world comes crashing down and you have no strategy to recover.

More practically, investigate technologies, procedures, techniques and training that add to your defence-in-depth strategy and don’t buy into the ‘snake oil’ often peddled, especially around ‘cloud’.

From an organisational standpoint, consider elements of the following, balancing bang for buck:

  • Policy overhaul and possibly security accreditations to focus your efforts;
  • User awareness training;
  • Sandboxing and content analysis technologies;
  • Much as I hate the phrase, application aware, next generation firewalls;
  • User and Networking behavioural analytics.

And if you don’t understand how all this bolts together, it’s likely that you aren’t going to address the risks you really need to. After all, you wouldn’t perform surgery yourself, or let a general surgeon loose on your brain. Find an expert, someone that can advise you, someone that you can trust. I know such a person and a company…

www.protegatech.com

AISA Cyber Security National Conference

Terry Swan - Thursday, October 13, 2016
Protega are attending the AISA Cyber Security National Conference today and tomorrow - make sure to say hello if you are here! www.protegatech.com


Hang 'em high! (or Educate) - The social and moral dilemma!

Terry Swan - Friday, October 07, 2016
Written by Protega Director, James Wootton

Catching up on recent events and seeing that the Tesla Model S is the latest in the line of vehicles to be researched and hacked, I remember one headline a couple of months ago catching my attention:

"Car Hackers Could Face Life In Prison!"

This doesn’t seem to be a proportional response, so I had to investigate the ‘meat’ of this bold headline. It refers to proposed legislation in the US state of Michigan, a bill sponsored by two state senators and probably intended to protect the fledgling connected and autonomous vehicle industry within the state. Anyone falling foul of the bill could face up to life in prison.

"I hope that we never have to use it," Kowall said. "That's why the penalties are what they are. The potential for severe injury and death are pretty high."

State Senator Kowall is one of the sponsoring senators and his comment says it all. I can't help but feel that it's another knee-jerk reaction to the symptom, not the cause. I’m reminded of a number of previous car-related hacks that the Jeep Cherokee hack demonstration kicked off in July last year. It highlighted the risk inherent in designing systems without really understanding the threat scenarios against the vulnerabilities unintentionally designed into the vehicle's interconnected and seemingly unrelated systems. Gone are the days when wire was just wire, and it seems that the auto industry is still stuck in a time of proprietary obscurity, rather than considering the secure design of interconnected, safety-critical components. Disappointingly, FCA (the owners of Jeep) chose to spin the message rather than acknowledge that FCA's code was "a bit rubbish" and that their design process, software development and testing processes most likely lacked a critical component... Anyone? Glow with a halo of self-righteousness if you sagely answered correctly: ‘Security’!

"To FCA’s knowledge, there has not been a single real world incident of an unlawful or unauthorized remote hack into any FCA vehicle."
"...the vulnerabilities uncovered by Miller and Valasek in their laboratory tests."

Both of the above are quoted from the FCA blog, and what a great job they've done there to dress up the turkey! A good job it wasn't a hack against a ‘real’ Jeep Cherokee, just a ‘laboratory mock-up’. Hold up, wasn't it Miller's own Jeep Cherokee they used?...

"Some of these people are pretty clever," Kowall said. "As opposed to waiting for something bad to happen, we're going to be proactive on this and try to keep up with technology."

This made me cringe and displayed a lack of the understanding required to adequately deal with such issues. I want to make it clear that I’m not justifying malicious hacking activities, but this is creating law for the sake of it – cue hand-rubbing lawyers, the only winners here. Sure, prosecute the alleged infringement, but equally prosecute any blatant negligence too.

"Lengthy attack", "difficult", "proprietary", "air gap": all words and phrases used by the spin doctors in the obfuscation of the facts. "D'oh!" (To quote one of my favourite animated TV characters, with alarmingly similar characteristics and thought patterns.)

I had hoped to think better of Tesla, but they too had a stab at spin. I’m clearly paraphrasing, but claiming ‘didn’t we do well by issuing a timely patch!’ doesn’t fill me with confidence that they understand that, architecturally, you just shouldn’t be able to get close to safety-critical components through the infotainment system! Hands up all those happy with the prospect of autonomous vehicles driving down the road, carrying those dear to you, given the lack of basic understanding that led to this kind of security vulnerability?

All of which nicely takes me back to the subject of my article, education!

Education is a fundamental force for good, a huge learning opportunity across the board, and should be a mandatory weapon in the arsenal when it comes to risk reduction activities, especially, it seems, within the automotive industry. Education, training and awareness should not be limited to just the parties involved in the design and creation. Others should be considered in need too:

  • Educate, and not just about security! Security teams, system architects, software developers, system designers, software and security testers, the communications team and management, in their various guises. All of these badly need to be trained to understand their responsibility to the public and to do things both safer and better. I'd be more likely to buy from organisations that put their hands up, say ‘mea culpa’ but then go on to demonstrate improvement.
  • Educate the public. We make a lot of assumptions that safety-critical systems are secure and resilient; we believe for some reason that corporations have our best interests at heart. Sadly, for the majority, it just isn't true. During business risk analysis, we humans are reduced to a dollar figure and a human life doesn't equate to much on paper. We, the public, must get used to asking corporations to prove their commitment, shunning brands that aren't willing to disclose or constructively deal with challenges to their security posture.
  • Educate the politicians being lobbied by large corporations. Not all hackers are malicious, and quite frankly I'd like a third party to check any manufacturer's homework, especially where the safety of my family may be in question! Again, I’m talking about ethical testing, not malicious attacking.

So there you have it. If you got this far, I'd like to know your thoughts. Do you believe we all should shoulder the burden of responsibility and, through a basic understanding of the risks, be in a position to influence manufacturers of cars and other devices, which could cause us injury simply because it was cheaper and easier to blame someone else for discovering the flaw, the flaw that shouldn’t have been present in the first place?

OK, I led you there! Or, the alternative:

Be morally outraged that humans would be inquisitive enough to expose risks we’d rather not know are present in the devices manufacturers tell us are getting safer every day!

I appreciate I’ve just painted a very polarised picture, but I believe mediocrity should not be tolerated in safety critical systems and through this bias want others to realise it too!

Cyber Security Summit 16 in Sydney

Terry Swan - Thursday, September 22, 2016
Protega are excited to be attending the Cyber Security Summit 16 in Sydney today #AusCyberSummit


FireEye ANZ Momentum 2016 Partner Conference

Terry Swan - Monday, August 01, 2016
Protega attended the FireEye ANZ Momentum 2016 Partner Conference yesterday and our very own Technical Director, James Wootton, spoke on the panel to discuss the state of the ANZ Security Channel.


The Cyber Wolves of Wall Street

Natasha G - Monday, November 23, 2015

In the following Protega blog post, our technical director, James Wootton, puts a blockbuster twist on the latest high-profile IT hacks. Look out everyone... the Cyber Wolves of Wall Street are on the loose...

The Cyber Wolves of Wall Street

It’s been quite some time since the infamous ‘wolf’ allegedly turned over a new leaf, but there’s a new world with new opportunities for the cyber wolf, one that is probably going to lend itself to many shady deals, particularly if the current trend of high-publicity hacks of publicly listed companies is anything to go by. If we look at the latest TalkTalk compromise, we can see that there is a direct correlation between the share price fall and recovery and the hack event itself and the subsequent capture of the alleged hackers.

It made me think of the many movies based upon companies that recognise and profit from such unhealthy events. However, imagine you have the power to manipulate such blips in share price through knowing when they’ll occur, something that I suspect will become a reality, requiring a change in current legislation worldwide and causing quite a stir in the process.

Let’s make a Movie!

Here’s the ‘meat’ of the blockbuster movie I envisage, clearly there’d be a lot more plot and ‘fluff’ around it:

Plot:

Harriet-the-hacker identifies companies that are publicly trading and clearly have no idea about security, exhibiting all the weaknesses expected of companies grappling with profit versus investment. As part of a complex hedge-fund or speculation gamble, Harriet analyses the viability of shorting shares for those companies that were previously identified.

After randomising and creating a timeline for companies to be hacked, Harriet finds victims who are going to be the patsy (willing or otherwise) for those companies likely to provide a dip-and-recover profile, à la TalkTalk. She selects people she can manipulate: script kiddies, people who’d like to profit, or corruptible insiders.

Harriet then shorts the shares and hacks the target companies, at the appropriate point within the planned timeline, watching the share price plummet! Harriet cashes in once the share price bottoms out and shifts her strategy to a long position.

Harriet laughs as the patsy gets caught, giggling with delight as she sees the near-instantaneous start of the share price recovery.

Over a glass of bubbly she watches the share price rise and cashes in once the price is to her liking, completing the financial transaction and sitting back, taking a sip, enjoying the fruits of her labours.

She completes the financial transactions and moves on to the next seemingly ‘random’ victim.

Notes:

There are also a number of blackmail scenarios available along the way, which we could slip into the plot. Operational security must be considered, as people, and particularly algorithmic fraud analysers, may notice a trend when the companies dip and recover. She would have to make sure there is a mix of identified perpetrators and undiscovered perpetrator profiles, with a combination of short and short/long scenarios across a portfolio of accounts, of course not in her name.

Anyway, I think it’s wise to leave it there and not provide too much detail, after all this is purely fictional!

Hold on, is this already a reality, not a work of fiction at all?

Imagine this isn’t Hollywood, but in fact something that is already occurring. A number of well-publicised recent breaches have involved share price ‘fluctuations’ that were just too darn perfect and predictable for people to have not profited from them. I racked my brains (both the squidgy one and Google’s) to come up with where I’d heard of this ‘scam’ and, of course, a legitimate story appeared that paralleled it, in a way that should really rattle the financial regulators of the world!

Anyone remember a hacker named Weev? One Andrew Alan Escher Auernheimer, who was part of the imaginatively named Goatse Security group that exposed a serious flaw in AT&T’s interpretation of securing sensitive data on iPads. It turns out that after spending some time in prison (I’m staying well away from the rights or wrongs of that one!), he announced last year the formation of a hedge fund that would short the shares of companies exhibiting such weaknesses, but distanced himself from the actual ‘reconnaissance’ process.

It appears that his dream hasn’t been fulfilled: even after a crowdfunding attempt, TRO LLC (you have to laugh at the troll there) and its website no longer exist. It would seem that should this hedging become a legitimised reality, there would be yet another black mark against the money houses and a loss of confidence. My example above raises some ‘issues’ around the legalities of the described actions, but given a plausible gap between the legitimate and the blatantly illegal actions, it could probably be performed relatively risk-free (and no, don’t try this at home, kids! i.e. this article does not condone nor encourage any illegal behaviour, just to be clear).

How do we identify and perhaps legislate against such events?

Well, that’s the hard part. If you consider how many money markets and how many publicly listed companies there are, it’s a target-rich environment. Given the state of some of those traded entities from a risk perspective, I can see how this scam is going to work with a little thought and carefully selected victims.

Big Data Analytics would help here and, given access to share dealing data, would most likely identify anomalous behaviour, but we’re some way from this level of inter-connectivity, so it would be relatively easy to hide the money shots amongst a bunch of losing deals. If the ‘Harriets’ of our cyber world were prepared to accept that the game would be over after a predetermined time, then the ‘in and out’ will most likely be untroubled. Split the activity amongst many accounts and money mules… who’d know?

Of course, we’re then left with the usual exasperations of the security community and the seemingly not-so-obvious mitigations, aren’t we?

  • Patches
  • Passwords
  • People
  • Pentesting etc. (i.e. Assurance activities - Test your beliefs and assumptions and educate, but these of course don’t start with a P!)

Plugging away at these vulnerabilities and changing an organisation’s risk profile would make such an attack unpalatable and should cause the Harriets of this world to move on to the next, much softer target, assuming of course that the other P-word (profit) didn’t stop the Cs from investing in an appropriate security strategy…

And seriously folks, the poor script-writing above is purely fictional; don’t get excited and end up breaking the law, that would wreck my Christmas and yours!


If this thought-provoking read sparked your interest, why not head over to Protega's LinkedIn page, where similar blog postings can be enjoyed.


Agree to Disagree

Natasha G - Monday, October 26, 2015

In the following blog post, Protega's Rob Cooper discusses the recent cyber hacking claims between China and the US. With an agreement between the nations to refrain from espionage activities lasting less than a day, are we all really surprised?!...

Agree to Disagree 


On Friday 25th September, US President Barack Obama and Chinese President Xi Jinping cemented an agreement promising that neither nation would engage in cyber espionage for economic gain. However, less than a day after shaking hands, it was revealed that hackers associated with the Chinese government had tried to unlawfully access at least 7 companies. You would think there would be a cooling-off period! Did the USA really think that China would not attempt to hack them, and do we really think the USA will stop?

There were many hopeful people, however, who appeared to believe that this was the beginning of the end for cyber espionage from China. According to an article published by DARKReading.com on 27/9/2015, the Information Technology Industry Council (ITIC) lauded the agreement between the two presidents.

Dean Garfield, president and CEO of ITIC, which has been involved with talks between the US and China, stated the following on this controversial topic.

“This agreement finally starts a sustained dialogue where there was very little communication. It illustrates a spirit of cooperation on a sensitive issue, which is a positive signal to technology companies. We will work to ensure this cooperation on cybersecurity will be a bridge to improved market access for global technology companies. ITIC and its members, which include the world’s most innovative companies, will continue to work with both governments to further mutual understanding and ensure implementation of these commitments.”

With a long history of disregarding intellectual property, piracy and the like, China does not mess around when it comes to counterfeiting. It is big business for them. They don’t simply copy products, but replicate whole companies. Take the example of the fake Apple stores: there are 30 times more fake Apple stores in the city of Shenzhen than genuine Apple stores. These stores are even made to look just like the real thing, with the staff wearing blue t-shirts emblazoned with white Apple logos.

Let’s not forget the ‘Chinese version’ of the Japanese electronics company, NEC. In 2004, it was discovered that NEC products were being counterfeited in China. Imagine the shock and outrage when further investigation revealed a network of more than 50 factories were producing counterfeit NEC products. They were even manufacturing and releasing “new” NEC products.

China has been in the news plenty of late, having been accused of all sorts of cyber shenanigans and attacks, but of course they have vehemently denied any wrongdoing or responsibility. Earlier in the year they admitted for the first time that the country’s military and intelligence community have specialised cyber security divisions, although they continue to deny spying on American corporations or possessing the technical know-how to disrupt critical infrastructure.

These groups have been ruthlessly targeting industries of strategic importance to China and other nations, including the agriculture, chemical, financial, healthcare and insurance sectors. Protecting your data is paramount for any business, and it seems there are a large number of state-financed hackers seeking precious data from companies worldwide.

It will be interesting to see how the USA responds to the allegations of Chinese cyber espionage on American IP… watch this space!


If this blog sparked your interest and you fancy reading some more, check out Protega's LinkedIn page.

How to Manage Mobile Customer Experience

Natasha G - Tuesday, September 22, 2015

In the following blog post, Protega's Edwin Bowers discusses how mobile applications can be just as damaging as they are beneficial to organisations worldwide...


How to Manage Mobile Customer Experience

If this article caught your eye, head over to the Protega LinkedIn Page, for the latest articles and news.


Throw out your Security Posture: Cyber Insurance Covers All!

Natasha G - Wednesday, September 09, 2015

In the following blog post, Protega's Jordan Carmichael discusses his views on why solely relying on "cyber insurance" is the wrong approach to take when protecting your organisation's tech environment...


Throw out your Security Posture: Cyber Insurance Covers All!


Tech-focused economic observers predict that as a global business community, we will spend more than $1bn on cyber-insurance premiums in 2016. This is astounding growth for any industry and fully supports the theory of continued market expansion within the global tech risk space.

With the merry-go-round that is the global threat landscape shifting on an almost daily basis, combined with corporate life starting to feel more and more like ‘start-up life’ (littered with organisational change and a pace of innovation driven by a fear of crippling opportunity cost), one is tempted to ask: “Why bother implementing better controls to mitigate technology risk when you can just insure against it? This would surely mean your organisation is protected against all potential security threats. And even if your organisation did succumb to a publicised cyber-attack, there’s no such thing as bad publicity, right?” Wrong. And it’s the wrong approach to take.

At Protega, we work with numerous customers who are still getting a handle on their organisation’s technology risk profile, making insuring against the ever-prevalent threats almost impossible. The bottom line is, if your organisation can't claim a comprehensive understanding of its risk profile, how can an underwriter produce a policy to cover you? To put things into context, I’d like to discuss a whitepaper on this matter which has been a hot topic throughout the Protega offices recently:

The paper suggests that 45% of United States underwriters and brokers believed that a lack of internal knowledge prevented cyber security policies being completed for their customers. Alarmingly, 72% of the same group stated that ‘a lack of exposure understanding’ from their customers was the principal obstacle in securing sales and writing policies. An additional 40% of the same group felt that a cumbersome application process was a hindrance. These statistics point to both insufficient expertise on the insurers’ part and a severe lack of structured, comprehensible data from customers as the primary obstacles in insuring against technology risk.

The reality is that cyber insurance is not the answer to all of your technology risk concerns. Simply reading just one of the vaguely drafted policies openly available should instantly set alarm bells ringing around your organisation’s board room. Could your business truly rely on the policy if and when you are hit?

To be unequivocally clear: I believe that Cyber Insurance is actually one of the most valuable steps our industry has taken in quite some time. I also believe that a well-defined policy could (and should) be a tremendous asset to your company in the mitigation of tech-driven risk for the foreseeable future. The point, however, is that just selecting a seemingly all-encompassing policy will leave your organisation grossly exposed and prevent true cover against the numerous risks that are out there.

The only way to ensure your organisation can get maximum value from a cyber-insurance policy is to first assess and understand your company’s risk exposure, which will highlight where a targeted attack would hurt your business most. Once you have established a priority list of organisational risks, you can then begin to mitigate these threats through quality policy creation and continuous first-rate standards of IT practice and systems. This will need to be followed up with the promotion of consistent, solid security awareness in all of your employees.

Then and only then can you insure against the remaining risks.


If this article sparked interest, why not check out Protega's other blog posts on our LinkedIn