How to select cyber insurance

I wrote previously about how cyber insurance can be a useful addition to your risk management program.

Unlike more established insurance products, cyber doesn’t have the same amount of historical data, so approaches to underwriting this risk can vary. Models to quantify it usually rely on a number of high-level factors (the industry your organisation is in, geography, applicable regulation, annual revenue, number of customers and employees, etc.) and questions aimed at evaluating your security capabilities.

You are usually asked to complete a self-assessment questionnaire to help the underwriter quantify the risk and come up with an appropriate policy. Make sure the responses you provide are accurate as discrepancies in the answers can invalidate the policy. It’s also a good idea to involve your Legal team to review the wording. 

While you can’t do much about the wider organisational factors, you could potentially reduce the premium, if you are able to demonstrate the level of security hygiene in your company that correlates with risk reduction.

To achieve this, consider implementing measures aimed at mitigating some of the more costly cyber risks. What can you do to prevent and recover from a ransomware attack, for example? Developing and testing business continuity and disaster recovery plans, enabling multi factor authentication, patching your systems and training your staff all make good sense from the security perspective. They can also save your business money when it comes to buying cyber insurance.

If possible, offer to take the underwriter through your security measures in more detail and play around with excess and deductibles. Additionally, higher cover limits will also mean higher premiums and these are not always necessary. Know what drives your business to get cyber cover in the first place. Perhaps, your organisation can’t afford to hire a full time incident response manager to coordinate the activities in the event of a breach or manage internal and external communication. These are often included in cyber insurance products, so taking advantage of them doesn’t necessarily mean you need to pay for a high limit. While it is tempting to seek insurance against theft of funds and compensation for business interruption, these can drive the premium up significantly. 

It’s worth balancing the cost of the insurance with the opportunity cost of investing this sum in improving cyber security posture. You might not be able to hire additional security staff but you may be able to formulate a crisis communication plan, including various notification templates and better prepare with an incident simulation exercise, if you haven’t already. These are not mutually exclusive, however, and best used in conjunction. 

Remember, risk ownership cannot be transferred: cyber insurance is not a substitute for security controls, so even the best cover should be treated as an emergency recovery measure.


Cyber Insurance: Managing the Risk

ID-100178628

Cyber insurance is a hot topic of many debates today. It is believed to be the long-awaited cure for high-impact security risks, especially in light of constantly evolving privacy legislation and disclosure obligations. But what actually is it?

Simply put, cyber insurance is a tool intended to mitigate the loss from information security incidents.  The decision to use it, however, should be based on rigorous risk management. Firstly, a company performs a risk assessment, during which information security risks are identified and logged. This can help the business to prioritise from a cost-benefit perspective. The company can then choose a risk treatment option: it can decide to accept, mitigateavoid or transfer the risk.

Mitigation and acceptance are quite common approaches in the information security domain. Security professionals can implement a countermeasure to reduce the likelihood and impact of the threat. However, if it is not feasible to do so for economic reasons then the risk can be accepted. In the case of avoidance, businesses can decide not to perform the activity that exposes them to the risk. Lastly, information security risk can be transferred to a third party. This is where cyber insurance can be useful.

The ownership of risk, however, can’t be transferred fully. In the case of cyber insurance, it is more about risk sharing. Both parties should understand their accountability, liability and risk allocation.

Cyber insurance should be cost-effective. But how can one calculate the cost of such product?  To understand this, we might want to look how insurance brokers work in more traditional areas. Insurance companies rely heavily on historical data, demographics and averages. The car insurance industry, for example, has evolved over many years to collate accurate statistics of the frequency of accidents per driver based on age, season, car type, country etc. in order to predict the likelihood and cost impact on a case by case basis.

For cyber insurance, however, historical data is not always readily available. Understanding the business becomes key to determining the cost. There are many parameters which can define the premium: size, territory, type of business, human errors and other unknown factors can all contribute to the price. Premiums rely on the maturity of the information security programme.

But is it possible to reduce this cost?

Yes, there are many ways to achieve cost reduction. In general, it is required for the business to demonstrate that some measures have already been taken to reduce the likelihood and impact of a potential cyber security incident. Certifications, such as ISO 27001 can be one of the ways to do so. Or for instance, having an incident response team can drive the premium down. Otherwise the insurer would have to provide its own service, hence charge the client extra. In a nutshell, premiums are never fixed. It has to be a dialogue between the company and the insurance broker. If a company adequately understands its risk, the insurance premium can and should be negotiated.

It is important to mention the importance of a holistic approach to risk treatment. Implementing controls to prevent security incidents and purchasing cyber insurance are not mutually exclusive strategies. If cost-effective, risk management and treatment should be a combination of both methods. Consider health and safety policies as an example. Safety coordinators invest in fire extinguishers minimise the impact of fire. Just like information security professionals deploy firewalls to keep malicious intruders out of the company’s network. Additionally, the building is also almost always insured. Maybe it is time to consider a similar approach to information systems.

Image courtesy of Stuart Miles / FreeDigitalPhotos.net


The role of a CISO

I’m often asked what the responsibilities of a CISO or Head of Information Security are. Regardless of the title, the remit of a security leadership role varies from organisation to organisation. At its core, however, they have one thing in common – they enable the businesses to operate securely. Protecting the company brand, managing risk and building customer trust through safeguarding the data they entrusted you with are key.

There are various frameworks out there that can help structure a security programme but it is a job of a security leader to understand the business context and prioritise activities accordingly. I put the below diagram together (inspired by Rafeeq Rehman) to give an idea of some of the key initiatives and responsibilities you could consider. Feel free to adapt and tailor to the needs of your organisation.

You might also find my previous blogs on the first 100 days as a CISO and developing an information security strategy useful.

Read the rest of this entry »

How to respond to a security incident

In this blog I would like to outline a process of responding to a security incident, including a breach of personal data. It is intended to be high-level in nature to allow for adaptation to different types of incidents and specific needs of your organisation.

There are many definitions of a security incident out there. I prefer this one: a security incident is an attempted or successful unauthorised access, use, theft, disclosure, modification or destruction of information, or interference with or misuse of information processing infrastructure, applications and data. A personal data breach is one of the types of a security incident which occurs when personal information is subject to loss or unauthorised access, use, disclosure, copying or modification.

Read the rest of this entry »


Resilience in the Cloud

4157700219_609fca025b_z

Modern digital technology underpins the shift that enables businesses to implement new processes, scale quickly and serve customers in a whole new way.

Historically, organisations would invest in their own IT infrastructure to support their business objectives and the IT department’s role would be focused on keeping the ‘lights on’.

To minimise the chance of failure of the equipment, engineers traditionally introduced an element of redundancy in the architecture. That redundancy could manifest itself on many levels. For example, it could be a redundant datacentre, which is kept as a ‘hot’ or ‘warm’ site with a complete set of hardware and software ready to take the workload in case of the failure of a primary datacentre. Components of the datacentre, like power and cooling, can also be redundant to increase the resiliency.

On a lesser scale, within a single datacentre, networking infrastructure elements can be redundant. It is not uncommon to procure two firewalls instead of just one to configure them to balance the load or just to have a second one as a backup. Power and utilities companies still stock up on critical industrial control equipment to be able to quickly react to a failed component.

The majority of effort, however, went into protecting the data storage. Magnetic disks were assembled in RAIDs to reduce the chances of data loss in case of failure and backups were relegated to magnetic tapes to preserve less time-sensitive data and stored in separate physical locations.

Depending on specific business objectives or compliance requirements, organisations had to heavily invest in these architectures. One-off investments were, however, only one side of the story. On-going maintenance, regular tests and periodic upgrades were also required to keep these components operational. Labour, electricity, insurance and other costs were adding to the final bill. Moreover, if a company was operating in a regulated space, for example if they processed payments and cardholder data, then external audits, certification and attestation were also required.

With the advent of cloud computing, companies were able to abstract away a lot of this complexity and let someone else handle the building and operation of datacentres and dealing with compliance issues relating to physical security.

The need for the business resilience, however, did not go away.

Cloud providers can offer options that far exceed (at comparable costs) the traditional infrastructure; but only if configured appropriately.

One example of this is the use of ‘zones’ of availability, where your resources can be deployed across physically separate datacentres. In this scenario, your service can be balanced across these availability zones and can remain running even if one of the zones goes down. If you build your own infrastructure for this, you would have to build one datacentre in each location and you better have a solid business case for that.

It is important to keep this in mind when deciding to move to the cloud from the traditional infrastructure. Simply lifting and shifting your applications to the cloud may not work. These applications are unlikely to have been developed to run in the cloud and take advantage of these additional resiliency options. Therefore, I advise against such migration in favour of re-architecting.

Cloud Service Provider SLAs should also be considered. Compensation might be offered for failure to meet these, but it’s your job to check how this compares to the traditional “5 nines” of availability in a traditional datacentre.

You should also be aware of the many differences between cloud service models.

When procuring a SaaS, for example, your ability to manage resilience is significantly reduced. Instead, you are relying on your provider to keep the service up and running, potentially raising the provider outage concern. Even if you have access to the data itself, your options are limited without a second application on-hand to process that data. Study the historical performance and pick your SaaS provider carefully.

IaaS gives you more options to design an architecture for your application, but with this great freedom comes great responsibility. The provider is responsible for fewer layers of the overall stack when it comes to IaaS, so you must design and maintain a lot of it yourself. When doing so, assume failure rather than thinking of it as a (remote) possibility. Availability Zones are helpful, but not always sufficient. What scenarios require consideration of the use of a separate geographical region? The European Banking Authority recommendations on Exit and Continuity can be an interesting example to look at from a testing and deliverability perspective.

Be mindful of characteristics of SaaS that also affect PaaS from a redundancy perspective. For example, if you’re using a proprietary PaaS then you can’t just lift and shift your data and code.

Above all, when designing for resiliency, take a risk-based approach. Not all your assets have the same criticality – know your RPOs and RTOs. Remember that SaaS can be built on top of AWS or Azure, exposing you to supply chain risks.

Even when assuming the worst, you may not have to keep every single service running should the worst actually happen. For one thing, it’s too expensive – just ask your business stakeholders. The very worst time to be defining your approach to resilience is in the middle of an incident, closely followed by shortly after an incident. As with other elements of security in the cloud, resilience should “shift left” and be addressed as early in the delivery cycle as possible. As the Scout movement is fond of saying – “be prepared”.

Image by Berkeley Lab.


Penetration Testing: Questions answered

ID-100245348

1. Why perform penetration testing?

Penetration testing is an instrument for getting additional information about the systems’ state of security. A penetration test shows where hackers may breach your system; hence, this information can be used to support the decision-making process when implementing protection mechanisms.

In a nutshell, penetration testing would help with:

  • Vulnerability analysis for the target system,
  • Assessment of the loses due to a potential breach,
  • Gaining an unbiased view on the state of the system and protection mechanisms,
  • Gaining insight on the qualification of the internal security staff.

2. Who should perform penetration testing?

To get unbiased view, penetration testing should be performed by third party independent professionals.

You should also consider the ethical aspect, and only hire teams with a proven reputation in the field. Otherwise, information about companies’ critical vulnerabilities may be leaked to competitors.

3. When is the best time to perform penetration testing?

The best time to perform penetration testing is after the implementation and configuration of a new system. You should apply all the security mechanisms according to the good practices and legal and regulatory requirements before undergoing a penetration test; otherwise the necessity of such an exercise would be questionable.

4. Who would benefit from penetration testing?

Organizations that realise the importance of information security and protection of information assets would highly benefit from penetration testing.

Banks and insurance companies are not the only ones on this list. There is nothing more valuable that human life, which is why penetration testing could be valuable for transport and energy companies.

But what if a company is not large enough for the system breach to cause a crisis or substantial financial losses? Even in these cases, penetration testing may prove to be useful. Small and medium-sized enterprise are likely to have a website which helps to sell goods or services. Losses due to a system breach could substantially harm their reputation and competitive advantage.

5. What penetration testing approaches are there?

White box: where the penetration testing team already has some initial information on the system, including the range of IP addresses, ports, source code, hardware and software components, etc.

Black box: where the penetration testing team has no information on the system at all. The team has to model a potential hacker’s actions from the ground up. In doing so, they might, for example, use social networks to find victims of social engineering. This approach is usually more expensive and requires more time.

6. Penetration testing: only a set of tools?

One may think that penetration testing is limited to running several vulnerability scanners, password cracking utilities, traffic sniffing tools, etc., which are, no doubt, the main tools that are used by penetration testing professionals. These are, however, only limited to aiding the expert in finding weaknesses. A comprehensive and robust penetration test mainly relies on the expert’s skills and experience..

7. Can a penetration test be performed to discover vulnerabilities, which don’t lead to significant financial losses?

An attacker might not be motivated by the financial gain, but still can cause some harm. For example, a company might use network printers. Each printer would have it’s own IP address with the open 9100 port. An attacker might:

  • discover the printers’ addresses by scanning the network
  • remotely connect to a printer using the ‘telnet <printer’s IP address> 9100′ command
  • print messages at his / her own choice.

8. What should one expect as a result of the penetration test?

The company that commissions penetration testing  normally receives the following full descriptions on:

  • penetration testing activity and its stages.
  • tools used
  • vulnerabilities discovered
  • exploited vulnerabilities
  • likelihood and risk of the identified vulnerabilities and their potential impact
  • recommendations on how to mitigate the outlined risks

Image courtesy of hywards/ FreeDigitalPhotos.net