I was very happy to open our NextSec event in collaboration with EY. We had some great presentations followed by a well-facilitated discussion panel which offered a wonderful knowledge sharing session for everyone who attended.
Imagine a fridge that can tell when the food inside it is going off, or an oven that can cook food automatically. A world of everyday items, all smart, all connected – that’s the Internet of Things.
But is this a force for good – or for evil? Do the sacrifices we’ll have to make in terms of privacy and security outweigh the potential benefits?
I shared my view in the KPMG SLAT video
I delivered a talk at the London Metropolitan University today where I was invited to share my story and participate in the university’s mentoring scheme. Although there were many students from different fields present, I focused on the computer science and information security area.
I elaborated on the possible and the transferable skills that young students can develop and apply during their undergraduate and postgraduate programmes. We also talked about job search, the general application process and the various career paths available to students in the information security and computer science areas.
Imagine the following situation. A father with his son are driving to the camping site for the weekend. The deer was crossing the road and the car hit it. The father dies in the accident and the son is badly injured. He was swiftly brought to the emergency room and requires surgery. A surgeon enters the room, sees the boy and exclaims: “I can’t operate – this is my son!”.
How is it possible?
Think about it for a few moments…
Didn’t his father die in the accident? The answer is really simple.
Cyber insurance is a hot topic of many debates today. It is believed to be the long-awaited cure for high-impact security risks, especially in light of constantly evolving privacy legislation and disclosure obligations. But what actually is it?
Simply put, cyber insurance is a tool intended to mitigate the loss from information security incidents. The decision to use it, however, should be based on rigorous risk management. Firstly, a company performs a risk assessment, during which information security risks are identified and logged. This can help the business to prioritise from a cost-benefit perspective. The company can then choose a risk treatment option: it can decide to accept, mitigate, avoid or transfer the risk.
Mitigation and acceptance are quite common approaches in the information security domain. Security professionals can implement a countermeasure to reduce the likelihood and impact of the threat. However, if it is not feasible to do so for economic reasons then the risk can be accepted. In the case of avoidance, businesses can decide not to perform the activity that exposes them to the risk. Lastly, information security risk can be transferred to a third party. This is where cyber insurance can be useful.
The ownership of risk, however, can’t be transferred fully. In the case of cyber insurance, it is more about risk sharing. Both parties should understand their accountability, liability and risk allocation.
Cyber insurance should be cost-effective. But how can one calculate the cost of such product? To understand this, we might want to look how insurance brokers work in more traditional areas. Insurance companies rely heavily on historical data, demographics and averages. The car insurance industry, for example, has evolved over many years to collate accurate statistics of the frequency of accidents per driver based on age, season, car type, country etc. in order to predict the likelihood and cost impact on a case by case basis.
For cyber insurance, however, historical data is not always readily available. Understanding the business becomes key to determining the cost. There are many parameters which can define the premium: size, territory, type of business, human errors and other unknown factors can all contribute to the price. Premiums rely on the maturity of the information security programme.
But is it possible to reduce this cost?
Yes, there are many ways to achieve cost reduction. In general, it is required for the business to demonstrate that some measures have already been taken to reduce the likelihood and impact of a potential cyber security incident. Certifications, such as ISO 27001 can be one of the ways to do so. Or for instance, having an incident response team can drive the premium down. Otherwise the insurer would have to provide its own service, hence charge the client extra. In a nutshell, premiums are never fixed. It has to be a dialogue between the company and the insurance broker. If a company adequately understands its risk, the insurance premium can and should be negotiated.
It is important to mention the importance of a holistic approach to risk treatment. Implementing controls to prevent security incidents and purchasing cyber insurance are not mutually exclusive strategies. If cost-effective, risk management and treatment should be a combination of both methods. Consider health and safety policies as an example. Safety coordinators invest in fire extinguishers minimise the impact of fire. Just like information security professionals deploy firewalls to keep malicious intruders out of the company’s network. Additionally, the building is also almost always insured. Maybe it is time to consider a similar approach to information systems.
Image courtesy of Stuart Miles / FreeDigitalPhotos.net
I was invited by the RHUL Computing Society to give a lecture on human aspects of security.
After my presentation, I gave the students an exercise to help them understand the different perspectives on information security policies. As a result, they learned the importance of the role of information security in an organisation and it’s important enabling function.
It was really nice to get such an active participation on their behalf. After the talk we had an interesting conversations on current security research trends and opportunities.