A holistic approach to cybersecurity
Well over a decade ago, I had the opportunity to visit a research center north of New York City that was jointly run by IBM and Symantec. I met with a computer scientist who would singlehandedly receive copies of the latest computer viruses, open up their code to see what made them tick, prepare countermeasures and ship the remedy back to affected clients. This process usually took several hours.
Today’s waves of cyberattacks may be coming on too fast for the best computer scientists to unravel fast enough to stop their spread across connected networks. If anything, the recent ransomware attacks that shook up many of the world’s IT systems highlights the need for insurers to work even harder — and smarter — to batten down their hatches.
More money is part of the solution, and there doesn’t seem to be a shortage of that going into security efforts. A recent study out of Cybersecurity Ventures notes that the global cybersecurity market grew from $3.5 billion in 2004 to $120 million this year. Spending over the next four years is expected to reach $1 trillion, the researchers add.
But throwing more money at the problem will only be feeding a black hole which will keep demanding more dollars, euros, pounds or rupees. Insurers need to get smarter about their cybersecurity as well. “It's time for organizations to rethink their approach to security,” writes Todd Thibodeaux. “Keeping your organization safe must be a full-time commitment, not simply a passing concern following the latest report of a data breach.”
In today’s cybersecurity world, the industry is seeing opportunities and challenges on three levels:
- On the business side, cybersecurity insurance represents a lucrative and fast-growing business line. The challenge for insurers will be to keep up with the constant threats and demands for coverage that will continue to keep evolving.
- Insurers will need to also keep up with evolving threats within their own IT departments – keeping their systems and networks out of harm’s way.
- Looking outward and forward, growing insurers’ reliance on the Internet of Things mean a vastly expanded “attack surface” with large swaths out of the direct control of insurance companies.
Looking at their own protective requirements, connected insurers face increasing threats that need to be addressed aggressively. The following countermeasures will help address the threats in a holistic way:
Keep up to date with the latest technology. Vendors keep track of the latest issues and provide constant updates, but it’s up to IT professionals in the last mile of ensure that their enterprises are covered. Microsoft already had issued protection against the WannaCry ransomware, but many IT administrators had not updated their corporate machines.
Keep the organization up-to-date along with technology. Tim Callahan, chief information security officer for Aflac, described his company’s security initiatives, which rely just as heavily on user education as it does technology fixes. Here on Digital Insurance, he says: "Not everything is going to be prevented based on fundamentals, but most of the time we see when you do the forensics it’s the lack of hygiene that allowed it to affect you."
Invest in security training and skills. Just as police work would go nowhere without input from members of their communities, cybersecurity needs to be the responsibility of the entire community of employees. As Thibodaux points out: “While your resident system administrator or network engineer are unlikely to fall for a phishing attempt, what about the rest of your employees? A single oversight is all it takes to undermine many other precautions.”
Fight apathy and organizational inertia. “Organizations have shown that they're willing to risk massive losses and reputation damage rather than overhaul their approach to security,” Thibodueax says. It’s key to get security issues in front of the C-suite and board, who need to see the urgency of protecting systems up front, versus cleaning up afterwards. In the insurance industry, in which customer relationships are built on trust, the ability to demonstrate that data is safe is vital to the health of business.