Cyber-insurance is irrelevant without robust protection


NTT Com Security's Garry Sidaway argues firms should not consider insurance without first having a water-tight strategy for preventing breaches

Businesses are now looking at taking out cyber-insurance policies to reduce the financial risks associated with a security breach, recognising that information security technology alone will never prevent 100 per cent of potential hacks.

Cyber-insurance is a minefield of ambiguity, though: some organisations are unaware of what is covered under their general insurance policies, or do not even know enough about their own security measures. In fact, our recent Risk:Value report showed that just 48 per cent of UK businesses are covered for both data loss and a security breach under their insurance, while a quarter don't even know what they are insured for in the event of a data security breach.

What's concerning is that, if a company isn't clear on its own security architecture, any information supplied in the event of a security breach could instantly void its insurance policy. That's even more concerning when we consider that the majority (56 per cent) of business decision makers in the UK agree they are likely to suffer a security breach at some point.

Critically, if organisations are serious about insuring their vital assets, they must first invest in enforcing appropriate protection measures that can be demonstrated to the insurer. This means assessing and reducing the risk in the first place, and then taking appropriate, measurable steps to monitor those risks continuously. Only then can an insurance company begin to understand the company's risk exposure and create a policy that is relevant to the business (and won't be at risk of being voided). It's equally important that companies understand what their insurance covers - general insurance might not cover the impact of a security breach - and never assume they are covered for data loss or a breach.

Working with a managed security services provider (MSSP) can help an organisation fully understand its risk exposure across all areas of the business. A thorough evaluation from a trusted, expert advisor will highlight areas of risk, make recommendations, prioritise actions and build a strategic roadmap for continuous risk management.

Furthermore, a full assessment of this kind can be shared with a company's prospective insurer as evidence of proactive security measures and a comprehensive enterprise security architecture.

Another way to demonstrate to an insurer and the board that robust measures are in place is for an organisation to think like an attacker. Traditional assessments like penetration testing, whilst important, focus on a particular area of infrastructure or a web application. Simulating an advanced persistent threat (APT), by contrast, gives a deeper understanding of the breaches that could occur across an organisation's processes, people and technology. Essentially, the simulation follows the steps an attacker would take: profiling the organisation in order to breach its defences, attacking through the path of least resistance, then penetrating the organisation and covertly extracting data.

Businesses can't afford to ignore the impact cyber attacks can have on their bottom line. Whether it's damaged reputation, lost customers or financial losses, the consequences are far too significant. The risk of attack is unlikely to diminish, and the sophistication and frequency of attacks will continue to grow. General liability insurance has been proven to be insufficient in covering cyber attacks, which is why organisations must do everything possible to understand their exposure, put in place appropriate IT security controls to mitigate risk, and demonstrate to insurers that information security and risk management are at the top of their agenda. Collaborating with an MSSP could help them achieve this by providing evidence that controls are in place and, more importantly, are constantly measured and tested.

It's time for data security to be taken seriously. Insurance should never be considered without having a robust strategy for preventing security breaches in the first instance. By taking out cyber insurance that is appropriate to their risk exposure - and demonstrating to insurers the measures are in place to mitigate the consequences of a breach - organisations are making a commitment to transfer risk and ultimately reduce any costs associated with attacks.

Garry Sidaway, SVP Security Strategy and Alliances at NTT Com Security
