Cyber-insurance is irrelevant without robust protection

NTT Com Security's Garry Sidaway argues firms should not consider insurance without first having a water-tight strategy for preventing breaches

Businesses are now looking at taking out cyber-insurance policies to reduce the financial risk associated with a security breach, recognising that information security technology alone will never stop 100 per cent of attacks.

Cyber-insurance is a minefield of ambiguity though: some organisations are unaware of what their general insurance policies actually cover, and some do not even know enough about their own security measures to say. In fact, our recent Risk:Value report showed that just 48 per cent of UK businesses are covered for both data loss and a security breach under their insurance, while a quarter don't even know what they are insured for in the event of a data security breach.

What's concerning is that, if a company cannot accurately describe its own security architecture, inaccurate information supplied to the insurer in the event of a security breach could instantly void its policy. That is even more concerning when we consider that the majority (56 per cent) of business decision makers in the UK agree they are likely to suffer a security breach at some point.

Critically, if organisations are serious about insuring their vital assets, they must first invest in appropriate protection measures that can be demonstrated to the insurer. This means assessing and reducing the risk in the first place, and then taking appropriate, measurable steps to monitor those risks continuously. Only then can an insurance company begin to understand the company's risk exposure and write a policy that is relevant to the business (and not at risk of being voided). It is equally important that companies understand what their insurance covers - general insurance may not cover the impact of a security breach - and never assume they are covered for data loss or a breach.

Working with a managed security services provider (MSSP) can help an organisation fully understand its risk exposure across all areas of the business. A thorough evaluation from a trusted, expert advisor will highlight areas of risk, make recommendations, prioritise actions and build a strategic roadmap for continuous risk management.

Furthermore, a full assessment of this kind can be shared with a company's prospective insurer as evidence of proactive security measures and a comprehensive enterprise security architecture.

Another way to demonstrate to an insurer and the board that robust measures are in place is for an organisation to think like an attacker. Traditional assessments such as penetration testing, whilst important, focus on a particular area of infrastructure or a single web application. Simulating an advanced persistent threat (APT) gives a deeper understanding of how a breach could actually occur across the organisation's processes, people and technology. Essentially, the simulation follows the steps an attacker would take: profiling the organisation, attacking through the path of least resistance, penetrating the organisation and covertly extracting data.

Businesses can't afford to ignore the impact cyber attacks can have on their bottom line. Whether it's damaged reputation, lost customers or financial losses, the consequences are far too significant. The risk of attack is unlikely to diminish, and the sophistication and frequency of attacks will continue to grow. General liability insurance has repeatedly proved insufficient to cover cyber attacks, which is why organisations must do everything possible to understand their exposure, put in place appropriate IT security controls to mitigate risk, and demonstrate to insurers that information security and risk management are at the top of their agenda. Collaborating with an MSSP could help them achieve this by providing evidence that controls are in place and, more importantly, are constantly measured and tested.

It's time for data security to be taken seriously. Insurance should never be considered without first having a robust strategy for preventing security breaches. By taking out cyber insurance that is appropriate to their risk exposure - and demonstrating to insurers that measures are in place to mitigate the consequences of a breach - organisations are making a commitment to transfer risk and ultimately reduce the costs associated with attacks.

Garry Sidaway, SVP Security Strategy and Alliances at NTT Com Security