By John Alcock, Head of Security Strategy and Assurance services in UK & Ireland at Fujitsu
Data breaches have become inevitable for almost every organisation, regardless of sector. They are increasing not only in frequency but also in size. When you consider that serious security breaches cost large firms between £600,000 and £1.15m and small firms £65,000-£115,000 every year, the importance of cyber insurance becomes clear.
While cyber insurance is not new, there has been a recent rise in its uptake. Earlier this month Lloyd's of London said that it had seen a 50% increase in demand for cyber insurance products during the first three months of 2015 compared to the same period last year. This can possibly be attributed to growing concern over forthcoming EU legislation, but it is the high-profile security breaches that have dominated the news agenda over the past twelve months which have particularly caught the attention of board members. After 100 financial institutions worldwide fell victim to one of the largest ever cybercrimes - when it was uncovered that a Russian gang could have stolen up to £650m - companies started taking more precautionary measures to protect themselves.
While investing in cyber insurance is a positive step in reducing the impact of a data breach on a business, it is important to understand that it is only one part of a range of security measures companies need to take. Cyber insurance does not prevent the attack – it picks up some of the fallout costs associated with it.
However, for cyber insurance to be effective and affordable at all, a company must have a clear understanding of its security architecture and what it requires.
Proactive steps need to be taken before the cyber insurance policy is in place:
1. A “cyber hygiene” overhaul – It is vital you get your cyber hygiene in order. If you don’t, your policy will cost a fortune and may be void anyway. Begin by ensuring your IT infrastructure is properly maintained. A review process should help you achieve this by identifying services that need to be controlled, users that need to be managed and systems that need to be patched. A cyber hygiene check-up should be scheduled routinely to cover the most common flaws in data security.
2. Know your architecture – It is vital you understand your security architecture. A lack of understanding can void your policy. You need to know the risks faced by your different operations and different departments. From there, you can identify the appropriate security controls for each, to protect every part of your business.
3. Monitor and respond – Continuous risk management should underpin all security processes. You must keep monitoring your estate and the threat landscape. Learn from past mistakes and previous incidents, assess the measures that need to be taken and build these into your security architecture. With this insight, plan how to recover after an incident – not just a short-term financial recovery, but how you will continue your business. Just because you may be covered by an insurance policy doesn’t mean your business will survive.
4. Make employees part of the solution – Security should be embedded in company culture by outlining clear, succinct policies to protect information and services. However, not only do employees need to play by the rules, they also need to be the eyes and ears on the ground – remaining vigilant to any suspicious behaviour and reporting incidents.
5. Plan to recover – No matter how secure you think your business is, breaches and attacks will inevitably happen. Put in place a solid plan so that you and your employees understand how to detect, contain and recover from a security incident.
Once these internal matters have been attended to, a decision can then be made on investing in cyber insurance. Businesses cannot rely on insurance alone as a way of protecting themselves from an attack. Whilst insurance may help mitigate some of the financial impact of a security incident or breach, the reputational impact and the impact on business operations cannot be mitigated. Instead, organisations need to be proactive in understanding their security architecture and checking its relevance to today’s threats, manage and review their decisions about what insurance policies need to be in place, and continuously monitor the risks to ensure a data breach doesn’t mean a company collapse.