The recent Apple, Cisco, and Aon announcement outlining a partnership to offer cyber insurance policy discounts for businesses isn’t necessarily a new concept, according to Bryant G. Tow, Managing Principal of CyberRisk Solutions, but, he says, it is very interesting and a “fantastic thing.”
“Anytime you can incentivize a company to strengthen its cybersecurity or overall protection, it is an important thing,” Tow said.
Tow explained that he has worked with insurance companies since 1998 to develop methodologies for risk assessments. “Back then, we asked ‘How do we know someone is even insurable?’ and it was about losing databases or data that was critical to the business, not so much focused on hacking.”
As technology, cyber threats and the attack vectors have evolved, a team-up of companies of this caliber gets a lot of attention and may attract more companies to look at cybersecurity more holistically.
“The attack surface follows the business need, and Apple products, from iPhones to iPads, have become a larger part of the attack vector because there are so many being used for business today,” Tow said. “Now it seems that the trend is that personal assistants such as the Amazon Echo and Google Home are becoming huge targets for spying on personal privacy.”
Tow notes that the perimeter of any network dissolved years ago, because data is everywhere. However, partnerships like these address the technology side of the equation and not other areas in the Ring of Security.
“Partnerships and agreements such as these make my job easier, because of the incentives to management to move toward securing their environment,” Tow said. “However, it doesn’t protect credentials and social engineering – getting someone to click on a ‘thing’ that would get them to give their credentials away. Nor does it address the process or procedural vulnerabilities that are the ground zero for most breaches.
“Even if you have perimeters set up, you still may experience theft of credentials or privilege escalation if someone logs into a system with those credentials. This agreement only plays on the technical side of the equation. It does not play in vendor risk. It does not play in business continuity. It does not play in incident response or physical threat. And, although some security products have control for USB devices, that doesn’t necessarily protect from somebody walking thumb drives out past your multi-million-dollar security systems,” Tow explained.
Tow also cautioned that companies should be careful not to become complacent if they take advantage of data protection insurance or breach insurance. Breach protection, he explained, may not necessarily cover losses from an internal action, such as an employee clicking on a link that causes the breach; court cases have been decided in both directions depending on the circumstances. The partnership also presumably doesn’t ensure that the company has properly installed the equipment, that it is active, that log files are being monitored, or that the company is using the proper threat detection.
Lastly, Tow explained that if a company should decide to take advantage of this type of package, it should be vigilant about ensuring that employees – from leadership down – don’t get a false sense of security and think that “Because the insurance company thinks we are secure, we are.”
“In general, cyber technology covers only about 40-50 percent of your attack surface,” Tow explained. “There are three things that companies typically do with risk – fix the vulnerability to eliminate risk, accept the risk and prepare to absorb the loss if it occurs, or transfer the risk out so if there is a loss, you are made whole.
“You may think you are transferring the risk. Meanwhile, monetarily, your breach may be covered to some degree, but it is still your name in the newspapers if you are holding custodial data and it still is your IP that goes out the door,” Tow continued. “We don’t want to have the illusion that transfer of risk is the end-all, be-all and gain a false sense of security because we are using these products. Reliance on this for your protection strategy would be a miss. Real, effective cybersecurity has multiple elements.”