Should you listen to your insurer for your business cyber risk management?
Jan 21st, 2016
Cyber security is a relatively new subject in businesses management. It first emerged in the 80ies with password guessing, featured in movies like Wargame with the rudimentary attack sophistication of those times. But Should you listen to your insurer for your business cyber risk management?
The attack sophistication increased gradually. By the end of 2000, elaborate hacking devices (Stuxnet worm) that could only be issued by cooperating military forces were born. To date no state has officially claimed ownership. However anonymous US officials speaking to the Washington Post stated the worm was developed during the Obama administration. This was done to sabotage Iran’s nuclear program.
Insurer are of course also facing challenges in insuring business against cyber threats. They have realized that from an actuarial point of view they face significant challenges in accessing accurate and relevant data.
What an Epiphany! Looking only in the rear mirror while driving is indeed going to complicate the steering of the vehicle! Now, insurers have always worked like that, i.e. using past data (statistics) to evaluate their business opportunities. They have already got their share of misery from climate changes and other events. Incidentally, we discussed this in various posts including one on Force Majeure and Insurance denial .
Cyber threat fast-track evolution is typically an arena where using actuarial data and statistics can only be wrong. It will expose everyone, including the insurers, to enormous overexposures.
Unfortunately insurers have asked hazard specialist (IT people) help in solving their conundrum, a mistake we oftentimes see occurring invarious business spaces.
We can therefore read statements such as „…by measuring defenses rather than incidents using big data, a measurement process evolves that provides real data for risk analysis...“
Obviously. IT people want to measure what they know (and I am not even going to delve into potential conflict of interest since they may also sell the installations etc…), but they often confuse hazard with risks and by managing hazards instead of risks they end-up being ineffective or inefficient i.e. squandering money, not getting results, or lead to insurance denial, like it happens in other areas of industry.
Broad spectrum defense investments and in particular poorly prioritized ones are generally neither effective nor efficient. Businesses and government agencies often focus on the next “silver bullet” product, unaware that most cyber security problems stem from flawed procedures and human error, reportedly said Art Gilliland, senior vice president and general manager for Hewlett-Packard’s software enterprise security products.
Should you listen to your insurer for your business cyber risk management?
So, what lies beyond the ubiquitous check-lists and empty generic advice offered by governments’ agencies and other IT actors?
Below are a few pointers we have gathered by performing cyber risk assessments up to national scale both in the civilian and military arenas.
-
- A Solid Cyber risk management should first of all understand how to measure success in the Business, or, in other terms, look at the minimal survival criterion of the systems involved supported by clear social and organizational tolerance criteria.
- Correct identification of “external” threats and reduction of operational and strategic information (intelligence) gaps are paramount: it is critical to look upstream (suppliers) and downstream (service companies) in the supply chain because vulnerabilities upstream or downstream can significantly affect operations in the considered system.
- The understanding of the functional links between each system’s element:
- firewalls,
- application patching (ongoing software updates that don’t require a system shutdown),
- networking with endpoint security products including smartphones, tablets, bar code readers and point-of-sale terminals,
and how they contribute to its functionality and defense, and not the other way around, is fundamental to ensure robustness and resilience. By the way this should include, of course long chain cascading events and strategic interdependencies.
- Careful considerations have to go toward different threat-from mechanism of attack such as:
- Executable code attacks (against browsers)
- GUI intrusion tools
- Industrial espionage
- Internet social engineering attacks
- Network sniffers
- Packet spoofing
- Session-hijacking
- Sophisticated botnet command and control attacks
- …,
to then understand and locate potentially exposed digital assets within the system. Quantify the chances of success/failure and the potential consequences,including what-if scenarios.
Many say that cyber defense risk assessments are impossible, the IT world is too complex, there are too many “bad guys”, etc.
In reality they say so because they fail to ask the right questions to the right people. In addition they have not developed the right methodologies.
We hope you do not mind if we close this blogpost with a few quotes from a very famous “heretic” from the Renaissance: Galileo Galilei which fit very well with the theme of this post.
BTW Galileo Galilei was the guy who spent his remaining life in house arrest after Inquisition forced him to recant his astronomical theory placing the sun (and not the Earth) in the middle of the system. While in detention, to keep busy during winter, he set the basis of two sciences called today kinematics and strength of materials.
Here we go with the quotes which could have been written yesterday!
Measure what is measurable, and make measurable what is not so.
In questions of science, the authority of a thousand is not worth the humble reasoning of a single individual.
By denying scientific principles, one may maintain any paradox.
This is a mockup of a real Cyber-defence dashboard built by Riskope using ORE (Optimum Risk Estimates) methodology (©Riskope)
Tagged with: cyber risk management, Cyber threat, Force Majeure, ineffective, inefficient, insurance denial, Stuxnet
Category: Consequences, Mitigations, Optimum Risk Estimates, Probability Impact Graphs, Risk analysis, Risk management, Tolerance/Acceptability
[…] Technology (IT) silo”, but should be treated as an ERM component. As we showed in a previous post IT silo lead to […]