The recent cyber-attack on TalkTalk has reinforced a common perception that cyber-attacks are the work of shadowy figures operating from bedrooms or basements, attempting to mimic the work of James Bond’s arch rival, Spectre. The reality – and a lesser known fact – is that the majority of attacks (55 per cent) involve insiders.
These insider-inspired attacks may not grab the headlines in the same way as attacks by 15-year-olds do – in fact, for obvious reputational reasons, they rarely make the newspapers at all – but they give the IT departments of the organisations that have suffered them just as big a headache.
So time spent building stronger internal defences would be time well spent. Unfortunately, the results of a survey my company has just carried out suggest that this is not happening, and that IT departments could well be putting their own organisations at considerable risk.
For a growing number of companies, that risk could now have been shared with an insurance company, by taking out a cyber insurance policy. Cyber insurance is growing fast (global gross written premiums grew from $850 million in 2012 to $2.5 billion in 2014) and on the face of it, has significant appeal for senior management.
After all, transferring risk in exchange for a premium makes good commercial sense – and has done ever since the owners of Lloyd’s coffee house in the 17th century changed their business focus. The ideal form of cyber risk management, then, is the right balance between internal IT security measures and the transfer of some risk to an insurance company. Achieving that balance could allow senior management to sleep more easily at night. But the stringent conditions attached to these policies mean that insurance companies may not pay out, leaving the IT department with a serious amount of explaining to do.
Let’s consider just three aspects of our research which may give IT departments cause for thought and, hopefully, for action.
One of the questions we asked our survey respondents was: when ‘considering purchasing cyber-insurance, do you anticipate that this will require a change to your existing IT security policy?’ Most (41 per cent) felt it would not, whilst 32 per cent said they didn’t know, thereby putting the majority of our respondents directly on a collision course with the insurance company. This finding alarmed us, and here’s why. This stance assumes that the company’s IT security policy is already of a sufficiently high standard to satisfy an insurance company. But cyber insurance policies are still relatively new, and so insurance companies have set the bar very high. We think it is essential that the IT department understands precisely what the policy conditions are and then audits its current IT security policy to determine whether it would pass the fitness test.
The second element that worried us was the insufficient attention being paid to security updates. Nearly half our respondents thought it would be either quite difficult (43 per cent) or very difficult (10 per cent) to ‘identify whether…security software fails to make critical updates’. In the event of a cyber-attack triggering a claim on the policy, this is one of the first areas the insurance company will look at and, in those circumstances, our unlucky 43 per cent would have some explaining to do.
The third area of our research concerned the IT departments’ (some might say lackadaisical) attitude toward staff access.
50 per cent of the sample felt that it would be either ‘difficult’ or ‘very difficult’ to identify whether any ex-employees still had access via accounts to resources on their network. The same percentage thought the same about ex-third party providers accessing their network and an even bigger proportion (55 per cent) thought the same about ex-contractors accessing their networks.
Of these three groups, former staff represent the greatest threat. Research shows that 88 per cent of insider attacks came from permanent staff, 7 per cent from contractors and only 5 per cent from agency contractors. So not knowing which of your former employees still had access to your network seemed a mighty big security lapse to us, and one that the cyber insurance company would want to bring to the attention of senior management when turning down the insurance claim.
So what can IT departments do about this state of affairs? Our recommendations are as follows:
- If your company is considering taking out a cyber-insurance policy, get involved in the decision making process. (This seems obvious, but nearly a fifth (14 per cent) of our respondents didn’t know that their company was considering buying one!)
- Make sure that you have a clear understanding about the limitations of your existing technology and how that may affect your cover
- Make sure that your regular and automated security activities (updates, patches, signatures, etc) are
- Maximise your own visibility. If you suffer a breach, the insurance company will want to attribute the source and the more data you have the easier your job will be
- Know your access control weaknesses. Most cyber insurance policies assume you have complete control and that you have visibility of every user who has access to your infrastructure
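The last recommendation is the one the survey found hardest to meet: knowing whether any ex-employee, ex-contractor or ex-third-party provider still holds a working account. The script below is an added example, not code from the article or from Wallix, of the reconciliation an auditor or insurer would expect to see. It joins an export of enabled directory accounts to an HR roster and flags every account whose owner has left, that has no owner at all, or that has been dormant for a long time. The roster, the account export, the column names and the 90-day dormancy threshold are all constructed for the demonstration.

```python
"""Reconcile enabled directory accounts against an HR leaver list.

Added example (not from the original article or from Wallix). All data,
column names and the 90-day dormancy threshold are assumptions made for
the demonstration; substitute your own HR and directory exports.
"""
import csv
import io
from datetime import date, datetime

# Constructed HR roster: one row per person, with status and leave date.
HR_ROSTER = """\
person_id,name,worker_type,status,leave_date
E100,Ada Lovelace,employee,active,
E101,Bob Smith,employee,left,2015-06-30
C200,Carol Jones,contractor,left,2015-09-15
T300,Dave Ltd,third_party,active,
T301,Eve Corp,third_party,left,2014-12-31
"""

# Constructed directory export: accounts with owner id, state and last logon.
DIRECTORY_EXPORT = """\
username,person_id,enabled,last_logon
alovelace,E100,true,2015-10-20
bsmith,E101,true,2015-07-02
cjones,C200,true,2015-05-01
dave-svc,T300,true,2015-10-19
eve-vpn,T301,true,2014-11-03
legacy-admin,,true,2013-01-15
"""

DORMANT_DAYS = 90                 # assumed threshold; tune to your own policy
DEMO_TODAY = date(2015, 10, 21)   # fixed "today" so the demo is reproducible


def parse_csv(text):
    """Parse a CSV string into a list of dicts keyed by header."""
    return list(csv.DictReader(io.StringIO(text)))


def reconcile(roster_csv, directory_csv, today):
    """Return a list of (username, finding, detail) tuples.

    Findings:
      leaver  - owner's HR status is 'left' but the account is still enabled
      orphan  - enabled account with no matching HR record at all
      dormant - enabled account with no logon in more than DORMANT_DAYS days
    One account may produce more than one finding.
    """
    people = {row["person_id"]: row for row in parse_csv(roster_csv)}
    findings = []
    for acct in parse_csv(directory_csv):
        if acct["enabled"].strip().lower() != "true":
            continue  # disabled accounts are out of scope for this check
        owner = people.get(acct["person_id"])
        if owner is None:
            findings.append((acct["username"], "orphan",
                             "no HR record for this account"))
        elif owner["status"] == "left":
            findings.append((acct["username"], "leaver",
                             f"{owner['worker_type']} left on {owner['leave_date']}"))
        last = datetime.strptime(acct["last_logon"], "%Y-%m-%d").date()
        idle = (today - last).days
        if idle > DORMANT_DAYS:
            findings.append((acct["username"], "dormant",
                             f"no logon for {idle} days"))
    return findings


def summarise(findings):
    """Count findings per category: the figure management actually asks for."""
    counts = {"leaver": 0, "orphan": 0, "dormant": 0}
    for _, kind, _ in findings:
        counts[kind] += 1
    return counts


if __name__ == "__main__":
    results = reconcile(HR_ROSTER, DIRECTORY_EXPORT, DEMO_TODAY)
    for username, kind, detail in results:
        print(f"{kind:8} {username:14} {detail}")
    print(summarise(results))
```

Run against the constructed data, the check reports three leaver accounts (one employee, one contractor, one third party), one orphaned account with no HR record, and four dormant accounts; the two accounts owned by active people with recent logons produce nothing. The orphan category matters as much as the leaver one: an account nobody can attribute to a person is exactly the kind of access an insurer will ask about after a breach.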
The insurance industry is catching on to cyber insurance fast. And why not? National governments are even threatening to make it compulsory, thereby accelerating its take up.
Like their counterparts, which offer residential customers reduced premiums if they can prove they have invested in upgrading their household security systems, these insurance companies will ‘reward’ those organisations whose IT departments can prove that they have taken the equivalent security steps.
And since the highest chance of a cyber-attack will likely come from a former employee, that is where these new security policies should start too.
Chris Pace, Head of Product Marketing at Wallix UK