Tag Archives: security

Cyber Insurance Needs Automated Security

Hackers, malware, viruses, ransomware and phishing emails are becoming a normal part of increased connectivity, and their impact on everyday life is growing. The result is a profound increase in the demand for cyberinsurance. The downside? Cyberinsurance is hard to price as risk potential is not well understood, and losses can run into the millions of dollars. Moreover, businesses with cyberinsurance may be lulled into complacency by their coverage. They shouldn’t be. Just reimbursing the costs of damage after a cyberattack isn’t smart business—smart businesses seek to prevent the cyberattack from occurring.

Enterprises do this at great expense, with costly, complex tools and teams beyond the reach of small and medium-sized enterprises (SME). SMEs need automated cybersecurity for cost-effective, full protection. That’s because cyberinsurance is insufficient to protect a business: It isn’t a substitute for good business practices that work in concert with cybersecurity. In short, cyber insurance and cybersecurity must complement each other to provide what businesses really want: peace of mind at predictable costs.

Cyber Safety Is as Essential as Fire Safety

Think of it like this: You wouldn’t protect a business from a fire simply by buying a fire insurance policy. Best practice fire safety includes smoke alarms, fire extinguishers, fire-retardant building materials, a designated gathering spot and regular fire drills. On the other side of the coin, governments have adopted fire safety building codes, and insurers don’t sell fire insurance without verifying fire safety compliance: Fire extinguishers, smoke detectors and sprinklers must be installed and properly maintained.

Similar business practices are necessary for cyber protection. But the technology has not caught up with business needs. Many cyber insurance policies are written without accurately measuring the risks that make a business vulnerable to a cyber attack. A one-time snapshot of the number and type of data records, or even a more full-fledged review of internal and external systems, is inadequate to assess risk. Technology evolves too quickly for these snapshots or scores to be valid over time. The moment a system needs upgrading, data may be at risk. The moment a new virus begins to spread, businesses are vulnerable. As long as a patch is not applied, systems and data are exposed. These big changes to risk affect the underwriting assumptions. It’s a shifting landscape, one that requires that businesses remain constantly vigilant. Automated cybersecurity technology is more effective than people at monitoring and addressing threats. In short, cyber insurance without automated cybersecurity is like fire insurance without smoke detectors.

Cyber Risk Models Need Much More Data

Automated cybersecurity platforms that detect and protect against cyber attacks are also useful to measure risk over time. Telematics let auto insurers such as Progressive and Metromile more accurately measure risk—and price accordingly. We need new “cyber-telematics” that allow underwriters to more accurately measure cyber risk. They provide risk insights about the insured, enabling the development of rich aggregate risk models. Cyber-telematics also helps underwriters develop risk models from the measurements correlated with cyber risk—and see the red herrings that aren’t. Cyber-telematics answers industry concerns noted in a March 2017 Property Casualty 360 article that “the insurance industry faces a rampant reporting bias that is hard to translate into policies.”

Without a thorough understanding of the profound risk being underwritten, losses are unpredictable—and potentially catastrophic. Insurers have long understood the impact of underestimating exposure aggregation with respect to natural disasters and other correlated losses like terrorism or asbestos claims. Of these, Towers Watson wrote, “The difference is that the terrorist attack is a single event and not a decades-long process, and the losses will be recognized and paid much more quickly.” The same, or worse, should be expected of large-scale single cyber events.

Technology is essential to collecting the data for, then understanding, mitigating and accurately modeling cyber risk.

Large enterprises have massive budgets, and most create a custom cybersecurity system using expensive experts and tools from multiple vendors. This has made it much harder to penetrate their defenses. As a result, hackers have moved down the food chain, making small and medium-sized businesses especially vulnerable. These businesses face the potential of a business-ending event in the face of a cyber attack.

Automation is the right answer when people and systems aren’t available or affordable. SMEs need automated cybersecurity to reduce risk and reduce cost. Current solutions are simply too expensive in terms of staffing and too complex in terms of tool integration. With automated cybersecurity, SMEs receive the benefit of robust machine learning coupled with economies of scale that take advantage of the cost efficiencies introduced by automation. For insurers, automation enables data gathering that informs robust risk management models, providing key insights to identify and mitigate loss potential.

According to Hiscox data, 60% of smaller companies in the U.S. reported one attack or more in the last 12 months—and 72% of larger companies. In the U.S., the average estimated cost of an organization’s largest cyber incident was $35,967 for 99 or fewer employees and $102,314 for 1,000 or more employees. However, a November 2017 Property Casualty 360 article reports that “in the aftermath of an incident, SMBs spent an average of $879,582 due to damage or theft of IT assets; additionally, disruption to normal operations cost an average of $955,429.” This wide variance in the reported cost of cyber incidents reflects uncertainty among insurers.

The Hiscox report further observes, “While big firms incur the highest costs in nominal terms, the financial impact of cyberattacks is disproportionately high for the very smallest companies.” Because these “smallest companies” can least afford effective cybersecurity, they need automated solutions. Let the machines do the work.

Peace of Mind

Cyberinsurance complemented by automated cybersecurity is key to modern business—neither is sufficient on its own. SMEs are better protected with the complement of these tools. A simple metaphor is the modern automobile. Today’s cars don’t simply provide airbags to react to accidents, they include technologies to avoid accidents: anti-lock braking systems (ABS), blind spot monitoring, lane departure warnings and more. Modern cybersecurity and cyber insurance are similar complements: Airbags cushion the blow, much as a rapid response can limit the losses from a cyberattack, and automated cybersecurity monitors networks and protects SMEs, much as accident prevention systems protect drivers.

Modern technology demands the next evolution of cyber insurance and cybersecurity measures, similar to the evolution of fire insurance and car safety technology. Effective, automated cybersecurity technologies, coupled with comprehensive cyber insurance, are needed for real peace of mind against cyber attacks.

Security Training Gets Much-Needed Reboot

Using innovative strategies, some companies may be erasing employee security training’s reputation for ineffectiveness.

Security training “got a bad rap, because it was so bad,” says Steve Conrad, the founder and managing director of MediaPro, a Bothell, Wash.-based security awareness training company with such clients as Microsoft, Yahoo and Adobe.

Old training methods “usually consisted of slide presentations — or their online equivalent — that were super dull and could last an hour or two,” he says. “Employees were expected to sit through this, either at their desks or in a group and come away with knowledge gained. And that was it. Awareness training was once and done, and it just didn’t work.”

Stu Sjouwerman, founder and CEO of KnowBe4, a security awareness training company founded in 2010 and based in Clearwater, Fla., says “old-school security training” often stems from “classical break-room sessions where employees are kept awake with coffee and doughnuts and exposed to death by PowerPoint.”

Those days are over, according to officials of the two companies.

MediaPro — which was founded in 1992 and has focused on security awareness training programs as a product since 2003 — says it’s an e-learning company that bases its training on proven adult learning principles, providing educational content in a way that learners remember.

“This concept extends beyond the training courses themselves,” Conrad says, “to our focus on consistent reinforcement of key learning principles through extracurricular content such as games, videos and posters, as well as phishing simulation exercises.”

Phishing exercises help change behavior

KnowBe4, Sjouwerman says, sends frequent simulated phishing attacks to train employees “to stay on their toes.”

Both companies believe that employees’ most common security mistake is falling for an email phishing scam.

“Bad guys have come up with all sorts of creative ways to convince employees to click on a link or send sensitive information via a spoofed (sender) address,” he says.

Clicking on a link in a suspicious email and opening an infected attachment can be avoided, Sjouwerman says, “by recognizing red flags.” Red flags include receiving an email from a suspicious domain or address you don’t ordinarily communicate with, or one sent at an unusual time, such as 3 a.m.

No company is immune to such scams, Conrad says, “but simulated phishing campaigns aimed at an organization’s employees teamed with comprehensive cybersecurity education can go a long way toward changing risky employee behavior.”

Technical safeguards against phishing scams exist, “but no organization should rely on those alone,” he says. “Social engineering — the basis of phishing scams — is such an effective way into the sensitive data of an organization because it completely bypasses these technical safeguards and goes after what is most companies’ weakest link: the human.”

Workers’ weak spot

Why do employees engage in risky behaviors when cybersecurity threats are so abundant?

“It’s likely a combination of being busy and being exposed to so many technological sources of distraction on a daily basis,” Conrad says.

Sjouwerman mentions another reason: “No one ever took the time to enlighten them about the clear and present danger that risky behavior can really cause, especially in an office environment.”

A 2016 study by PhishMe, a Virginia-based phishing threat management company, found that 91% of cyber attacks — and the resulting data breaches — begin with a spear-phishing email.

Another study done last year by LastPass, a Virginia-based password management service, found that 91% of respondents know it’s risky to reuse passwords for multiple online sites, but 61% do it anyway. The study also found that the No. 1 reason respondents changed their password was because they forgot it, and only 29% changed it for security reasons.

Employees’ risky behaviors have triggered an increasing number of companies to provide better security training.

“I think this is a really exciting time in the market. Huge numbers of companies are committing to doing real education, and we’re seeing exciting innovations in the variety of content that is available,” Conrad says. “I like to think that the age of boring people about security is over and we’re entering an era where people are going to be motivated and engaged by education around these issues.”

Repetition is key

Employee training, Conrad says, needs to be more frequent than an annual affair.

“Learners need to hear something more than once for it to stick — just ask any ad executive or marketing jingle writer,” he says. “Think about what makes up an advertising campaign: a series of messages that share a single idea or theme, transmitted via different media channels on a regular basis, for an extended period of time — with the singular goal of influencing consumer behavior.

“A great security awareness initiative should look like a great advertising campaign. Repeated, consistent messages delivered throughout the month, quarter or year — whatever cadence is appropriate for a given organization.”

This post originally appeared on ThirdCertainty. It was written by Gary Stoller.

How to Picture the Future of Driverless

Picture this:

The year is 2025. A call comes to the police station—someone has broken into a local home. A drone is deployed to the address and arrives within five minutes. The drone feeds video to the station and to the closest autonomous (driverless) police vehicle. The drone guides the police car to the location. The officer in the car (we’ll assume he’s human, for now!) isn’t actually driving; he’s an occupant, watching the drone’s video feed. He can see the suspect fleeing, and he researches other crimes in the neighborhood along with potential suspects. The drone estimates the perp’s height and weight, and the officer can see his clothing and a possible gun in his belt. The police officer communicates with other officers in the area to coordinate the capture. As the suspect runs, his description and location are fed constantly to all nearby police vehicles, and he is surrounded within 15 minutes of the initial call.

This is far from fiction. The international consulting firm Frost and Sullivan predicts that 180,000 driverless cars will hit the U.S. market in 2020. That’s less than 1% of today’s annual new car market, but that’s just the beginning!

Just about every major car manufacturer (as well as Google, of course) is developing autonomous vehicles, and the competition is getting more intense as the demand for collision avoidance features grows. Just as drones are spreading (if not yet regulated), driverless cars will become widely accepted. Americans love to drive, but there are too many undeniable advantages to autonomous cars.

The first one is safety. According to the U.S. Insurance Institute for Highway Safety (IIHS), 94% of all car accidents are caused by human error. Nearly two million crashes could be avoided if human error were eliminated. That’s not to say that driverless vehicles won’t crash, but, as the technology improves, crash rates will drop like a rock. In 2025, if our roads are still packed with commuters, the occupants of many vehicles will be reading, answering emails, video conferencing and browsing the web. In other words, they’ll be working. A recent Morgan Stanley report predicted that driverless cars could add $5.6 trillion (yes, with a ‘T’) to the global economy because of the combination of a steep reduction in accidents and the dramatic increase in productivity. It is estimated that in 2035 autonomous cars will account for 25% of all cars.

Back to the police force. As driverless cars evolve, routine traffic monitoring will drop, high-speed chases will slowly decline (with drone help) and smaller police forces will focus on more serious crime. Cameras will capture everything—both from the ground and the sky. Officers will become highly trained in electronic law enforcement. Efficiency will rule!

Of course, these are just predicted outcomes. This policing panacea isn’t all roses; it will not eliminate the need for community relationships, direct contact with neighborhoods and personal contact in law enforcement. Furthermore, while vehicle collisions will fall, the cost and maintenance of autonomous cars will remain extremely expensive in the near future. Currently, it costs about $150,000 to equip a driverless car. But that cost will drop to $7,000 by 2030 and to $3,000 by 2035.

Nothing’s perfect. Every emerging concept or technology brings unexpected challenges and unintended consequences. But it appears that autonomous automobiles will emerge soon, and it’s likely that some day we’ll say they are “here to stay.”

For today, I guess I’ll have to drive myself home. What a chore.


If Growing Gets Tough, Tough Get Growing

Successful businesses continuously draw on their strengths – and their people – for growth.

How do you describe the strengths of your business now? How would you describe the strengths that you’ll likely need in a year? In a few years? And how do these strengths translate into the skills your people will need in the future? For most companies, the answers to these questions are always evolving, as disruption increases and the pace of business picks up.

We’ve seen the recent evolution of companies’ capabilities — like fast-food chains rolling out deluxe coffee-shop menus, or utilities delving into smart home appliances.

A lot of organizations have solid processes for evolving their business strategies. But as sound as the development and approval process is, it often leaves out an important aspect: Can your people evolve, too?

Most CEOs aren’t certain that theirs can. In our latest CEO survey, nearly 80% of U.S. business leaders say they’re concerned that a lack of key skills threatens their organizations’ growth prospects.

This stat raises the question: Are some of these organizations taking their growth strategies too far afield, beyond their core strengths, in a desperate search for faster growth?

In Strategy+Business Magazine, we recently wrote about how companies that deliver sustainable growth remain true to what they do best and take advantage of their strongest capabilities—what we call a capabilities-driven strategy.

It takes a substantial effort. As we say in the story, “If you respond to disruption by changing your business model and capabilities system, you can’t dabble. You have to commit fully.”

That level of commitment is only possible, of course, with the right people to step up and deliver on your company’s greatest strengths.

Think of the potential talent issues at hand for so many businesses: How does a legacy technology company avoid disruption and commoditization? How can a fast-food chain turn up its café side of the business without trained baristas on hand? How can a utility amp up the tech-savvy talent needed to design Internet-and-data-fueled thermostats and security devices?

They’ll all need to align their talent strategy with their business strategy.

In our advisory work with clients, we are in frequent talks with companies that need to make these moves. And talent is at the top of the priority list.

Before preparing to grow your strengths, think about the capabilities in your current ecosystem of people and where gaps might pop up: 

  1. People strategy, leadership and culture: Does our people strategy support our growth initiatives (and, more importantly, is there a strategy)? Is the right leadership development system in place, including a robust global mobility program? Will our culture support the execution that’s required?
  2. Reward: Does our compensation and benefits strategy still fit? Is pay competitive? Are there areas to be restructured that could free capital for re-investment?
  3. Talent acquisition: Do we need to pull in brand-new talent by strategically hiring from the outside or by making strategic acquisitions?
  4. Organization design and operating model: Have we designed an organizational structure and operating model that have clear links between all our capabilities?
  5. Change management and communications: Do we have the right program management structure and strategic change methods for execution? Do we know who the real information brokers are in the organization who will informally drive the change?
  6. Technology: Do we have the right technology to support the kind of employee experience our people need? Are we leveraging workforce analytics to retain our top-performing people, and are we conducting frequent employee surveys to understand the pulse of the organization?

These are just a few of the talent areas that are important to understand.

Odds are you won’t need to revamp all of them. But a carefully designed and innovative talent strategy underlies the successful evolution to get growing.

To read more details on the strategic changes you may need to make to stretch your growth, read the full article, “Grow from your strengths” in strategy+business magazine.

Home Is Where the (Smart) Hub Is

The smart home was all the rage at the 2016 CES (Consumer Electronics Show). The exhibit space and products devoted to smart homes were absolutely mind-boggling.

Well-known products such as the Nest Thermostat, the Roost Smart Battery for smoke alarms and Amazon Echo were displayed alongside a wide variety of other products to make every “thing” in your home smart. Want your refrigerator to assemble a grocery list for you by bar code scans of items about to run out? No problem – the Samsung Family Hub Refrigerator can do that. Looking for a bed with biometric sensors to track your sleep, monitor physiology and make adjustments to improve your night’s rest? Look no further than the Sleep Number-it bed. Need to separately monitor and manage the temperature and environment for each room? The Ecovent system has that capability – and can even alert you if your home is at risk for mold. The list could go on and on.

Given unlimited time and money, you could truly make your home an Internet of Things showplace with smarts everywhere you turn. Of course, you would probably not have enough room on your smartphone to manage all the apps that control the smart things. So how to make sense of all the options? And how should insurers capitalize on the smart home trend? For starters, it is useful to think of smart home devices in four categories:

  • Security/Safety: Existing home security companies are all evolving to provide smarter systems using wireless technologies and more sophisticated sensors. In addition, companies like Ring and Glue provide smart locks and doorbells for secure entry. Others focus on safety through monitoring and pre-emptive alerts for leaky pipes, smoke alarms, failing sump pumps and other things.
  • Entertainment/Information: Smart TVs are already a fixture in many homes, with availability from a variety of suppliers. The Amazon Echo responds to voice questions and prompts to provide news, weather and information, among other capabilities. Devices for gaming are incredibly powerful, and virtual reality headsets are gaining in adoption.
  • Energy/Environment: The Nest Thermostat device has led the way in providing a smart, connected way to monitor and manage the temperature and environment throughout the home for comfort and energy efficiency. Others, such as Lutron, offer controls for lights, shades and temperature, aimed at saving energy.
  • Commerce: The Amazon Dash Button may seem to be a gimmick, but it has opened up possibilities for e-commerce by allowing homeowners to reorder items with literally the touch of a button. Smart appliances and embedded touch screens automate the ordering of parts before they fail or common supply items before they run out.

Then come the questions about how (and even if) all of these devices will work with each other. There is a great deal of overlap and potential interaction between devices both within and between these categories. Enter the smart home hub. There are a number of companies and devices purporting to be hubs to connect the smart things in your home. Some operate well within just one domain – coordinating security-related devices, for instance. Others are broader and have the capability to connect a wider range of smart devices. The Apple HomeKit, Samsung SmartThings Hub and Amazon Echo are a few of the well-known hubs, but others are emerging.

The take-home is that insurers should consider three actions to better understand the smart home space and its potential opportunities and threats.

First, monitor the evolution of the companies and products in the space and the product adoption trends. It probably goes without saying that this is easier said than done.

Second, make sure your tech guys follow the standards, communication protocols and tech issues as they progress (especially related to data-security concerns).

Finally, actively partner with and invest in companies in the smart home space. First-hand learning and experimentation is paramount if you want to gauge the opportunities to offer new insurance product offerings or services that will set you apart from your competitors.