Cyber Security has become a headline-grabbing item, with constant attacks very much the order of the day. The risk any business now faces is that soon it may be the one making the news, not just reading about someone else’s misfortunes.
One of the biggest challenges for security solutions is getting budget from the business, often because of the way security is treated by the board. For too many years now security product and solutions have been viewed as 'insurance' and this is something that needs to change. Insurance is the necessary purchase that no-one wants to make. Just as many of us resent paying for our car or holiday cover, it’s something we are glad to have when that nasty prang happens, or a passport gets lost or stolen.
Equally, cyber insurance is highly valuable of itself. It is something organisations should embrace and use, as it could well be their ‘Get out of jail’ card when things go wrong. However, it isn’t about grabbing the cheapest option; it goes way beyond the sales process. It needs to be seen as a ‘cost of doing business’. It probably won’t mean the business shuts down, if an organisation doesn’t have that cover in place, but it will cause major headaches.
In the US, cyber insurance is sold very much at the sales level. If there was a 'CompareCyber.com' website, most organisations would probably use it and buy from the first vendor in the list. You can actually pick up $10 million worth of cover quite cheaply. And while that may sound like a lot, what exactly does it get you? $10 million could be nothing more than a drop in the ocean where a major breach happens, when you consider the knock-on effect in potential revenue loss, time to recovery (longer than most enterprises think!) and brand damage.
Organisations might want to consider another analogy – the way they provide water to the workforce. Switch off that source – have all the water coolers removed overnight – and the impact on the business will not simply be thirsty employees. There will be outright irritation and disaffection. Morale will be hit. The business will undoubtedly suffer consequences. Similarly, ignore or switch off cyber insurance and the negative outcomes won’t be far behind.
This is where security assessment is vital. With Symantec, for example, our approach is to work with a business to:
- Understand their posture
- Know where their investments are and make recommendations on how they might want to invest going forward
- Take them to a point where they are properly and comprehensively rated against their peers.
To get the cyber insurance equation right requires this level of investment. There can be no cutting corners; no reliance on 'CompareCyber.com’.
Let’s go back to an earlier point. Insurance is there to offer us protection, in case something goes wrong; organisations implement security, in case someone gets in. The problem is that security is no longer about 'in case' someone breaches an organisation’s defences, but rather 'when' that breach will take place. We have moved from the relative comfort of possibility to the harsh reality of certainty.
So the big question any organisation needs to ask itself now is: “How ready will I be when that happens?”