February 21, 2018
Cyber: No Protection Against Complacency
by Adam Stern
While data is considerably safer these days in the cloud, no cyberinsurance policy can substitute for active vigilance.
Cybersecurity insurance appears to be enjoying a heyday. While it’s been around for some time, the perceived need for it has never been greater, as DDoS attacks and major hacks grab headlines and fray nerves.
As recently reported in The Hill, Lloyd’s of London approximates that “average cloud service events of varying severity range from $4.6 billion in total damages for a ‘large’ attack to $53.1 billion for an ‘extreme’ one. In the vulnerability example, the average costs range from $9.7 billion for a large event to $28.7 billion for an extreme one.”
Lloyd’s suggests that we ought to insure cyberattacks as we do natural disasters. Ransomware imposes its own sort of multiplier effect, measured in business loss, damage to reputations and (customer) privacy and, of course, in out-of-pocket outlays paid handsomely in Bitcoin.
But in treating cybersecurity insurance as an essential check-off item for organizations, the last thing underwriters, businesses and consumers need is complacency. We rightly regard insurance as protection; we pay for it, and may or may not alter our behavior to actually diminish the threat of the event itself.
And that is the risk insurance doesn’t mitigate; indeed, it can aggravate it, by conferring on businesses a false sense of, pardon the term, security. Cloud security isn’t like filling out a job application; it’s not a matter of checking boxes and moving on. Piecemeal approaches to security never work. Patching a hole or fixing a bug, and then putting it “behind” you, is hardly the stuff of which effective security policies are made. Because security is a moving target, scattershot repairs ignore the hundreds or even thousands of points of vulnerability that a policy of continuous monitoring can help mitigate, and that insurance can address only after the fact of a potentially catastrophic loss.
Cloud security policies must be in place before, during and after the ink is dry on any cybersecurity insurance policy. Any cloud provider worth its salt brings to the task a phalanx of time-tested tools, procedures and technologies that ensure continuous uptime, regular backups, data redundancy, data encryption, anti-virus/anti-malware deployment, multiple firewalls, intrusion prevention and round-the-clock monitoring. So while data is considerably safer in the cloud than beached on equipment under someone’s desk, no cyberinsurance policy can substitute for active vigilance – accent on active, because “vigilance” is definitely a verb.
Absent both the right mindset and proper policies and guidelines, cybersecurity insurance can prove pointless.
About that mindset: Sound security planning requires assessing threats, choosing tools to meet those threats, implementing those tools, assessing the effectiveness of the tools implemented – and repeating this process continually. Security is a process, not an event.
On the premise that the best defense is understanding the real nature of the offense – or, in this case, offenses, because cybersecurity insurance addresses a multi-front battleground – it may be helpful to think in terms of a basic four-tier model that defines the broad steps businesses can take to maximize their safety. With that model, it’s possible to match the level of protection to the class of threat a given organization faces. Users need to be familiar with online threats and at least somewhat conversant with the tools that arrest them; no single system can compensate for vulnerabilities that haven’t been patched.
Below, this prototypical four-level gauntlet:
First line of defense: The first line consists of a firewall supported by intrusion detection and prevention technology, along with anti-virus and anti-malware scanning at the network edge; note that such perimeter scanning can only inspect, and therefore only block, items downloaded over unencrypted protocols.
Second line of defense: The second line centers on the trained, educated user – someone sufficiently cognizant of threats to think before clicking a link or downloading an attachment: a user, in other words, who is attuned to the real and present danger inherent in viruses and malware, and who acts accordingly.
Third line of defense: The third line is composed of patch management and locally installed anti-virus and anti-malware software, working together to effectively block attacks. Proper implementation of third-line defense means fewer bugs and optimized performance.
Fourth line of defense: In the event that malware or ransomware hits a system, it’s possible to restore the server via application-consistent snapshot technology on a storage area network, a rollback process that takes just minutes and restores the server to its exact state prior to the attack.
It may be helpful to treat these lines as concentric circles. Remember that the human element remains the most important piece of this construct, because social engineering targets people rather than systems. It’s always best to stop a problem early, before it festers and productivity suffers; think smoke detectors vs. sprinkler systems. And just as regular brush clearance in fire zones is a necessary precursor to maintaining fire insurance coverage, so these measures prepare businesses for cybersecurity insurance – and underscore the wisdom of making that purchase.