A few days ago @Wh1t3Rabbit, @dearestleader, @DFIR_Janitor and I had a nice little conversation about insurance companies and information security with regard to breaches and how companies handle the potential risks. We already have red-teamers who are tasked with doing risk compliance testing for companies, and now it seems that the blue-teamers are going to be dragged into being the “adjusters” in this new realm of cyber-insurance. (To be fair to the others, I will take responsibility for this post just in case it fails utterly, so their good names won't be besmirched; but if they agree, even better!)
Now, the article I am going to cite does not come out and say this, but this would of course be the natural progression, in my humble opinion.
So without commenting any further, here is the article from ZDNET to which I am referring: http://www.zdnet.com/police-cant-stop-cybercrimals-but-maybe-insurers-can-7000035514/
Of particular note are the following quotes:
“Encouraging the creation of an insurance market for online crimes could help enforce standards of security, just as home insurers insist on a particular type of locks on doors and windows before they will agree a policy. This makes it harder for burglars to break in as well as potentially reduces the burden on the police.”
OK, so from this we can glean that, if insurers are involved, upper management might buy into more stringent security measures because it will save them money? Really? Well, if they invested in and promoted security best practices to begin with, they wouldn't need insurance in the first place, right? This also raises the question of which “lock” would be the preferred lock, opening an avenue where only “insurance”-approved security appliances can be used in a system.
And it continues:
“The government argues that insurers are in a good position to encourage businesses - small ones especially - to improve their cybersecurity by asking tough questions about their breach and operational risk policies.”
Again, really, it takes insurers to encourage this? I’ll say it again: this is the job of the C-level folk to make happen, not some third party that will make money off a lazy corporate security climate regardless of whether a breach occurs. Think about it this way: a bank’s physical location might be insured, but the bank still spends a hell of a lot of money on security, not to mention those large and very expensive vaults installed at every location. Hell, it’s easier to break into a bank’s IT infrastructure than it is to literally rob a bank (and get away with a respectable amount of money). Let that sink in for a minute…
To their credit, there is a somewhat sane response in the article:
“Whilst insurance offers financial protection to businesses, it does not incentivize businesses to invest in enhancing their cyber security defenses.”
However, the paragraph continues down the spending-the-money trail with this:
“He said organizations that demonstrate good cybersecurity should be rewarded through lower premiums, adding: ‘This would align to steps taken by insurers offering protection against wider business interruption and ensure that such risks were being appropriately managed by businesses and not just managed through insurance coverage.’”
Which looks good in print, but to me it sounds like compliance taken to the next level instead of truly focusing on the real issue: creating and maintaining a stalwart security posture, rather than just adding another layer of “bandages” into the mix.
So, is everyone ready to work for an insurance company?