So, this is more a question for cyber security professionals in general, what are we turning cyber security insurance into?
I’m not asking the usual ‘is cyber-insurance worth it’, like in my CTO’s blog (which you can read here).
We’ve all seen the risks, yet insurance is still a good policy for every company, as a last resort to mitigate the costs of these attacks. After all, we still can’t stop human fault; to err is human, until we get automated out of our jobs anyway.
My questions are more around how we handle and safeguard the data we give companies. Think of the phone customer who loses their data once their trusted provider gets breached. At the end of the day, cyber-crime affects not just the first company that gets breached, but also its many end users. Sometimes this happens in ways we could never have imagined, such as handing an ex-stalker dangerous information about a customer that could ruin someone’s life. (1)
Similarly, we are collectively handing vast amounts of detail about our security structures to insurers in order to get the best-priced cover: details of what technologies and security controls we have in place today, and what budgets have not yet permitted CISOs to complete.
Even more worryingly, this creates a wealth of confidential data about the security infrastructure of every company buying cyber-crime insurance. In the long term this will turn many insurers into a data gold mine for hackers, a true bank vault of perfect information for future attacks on others. One insurer’s breach could reveal the security posture of hundreds of companies, leading to trickle-down cyber-crime against those companies, their users and their customers. Cyber-crime is already occurring at a greater scale, and faster, than ever.
The current approach offsets the greatest hacking risk onto the insurers, creating a domino effect in which one attack on an insurer leads to breaches at the companies it covers. An insurer’s records hand over the keys to the kingdom for the insured companies and their customers as well. Previous breaches at least stayed within the breached company’s own systems and customer base, but with the single collated database that insurers now sit on, it is a dangerous combination.
Arguably, this also offsets much of the duty of care for this data onto insurance companies, which are expected to cover each company’s security shortcomings.
Am I overly worrying, or are we trusting too much vital data to one source?
Sources: (1) https://www.bbc.co.uk/news/technology-46896329
Written by: Ryan Short, Junior Internal Account Manager at Armadillo.