Cybersecurity insurance: A key level of defense in depth
The idea of defense in depth is to have lines of defense spread throughout the network and the enterprise. No one failure of defense should result in a breach of systems. Probably no two failures should either. These are general security principles that apply to non-technology domains as well. With respect to enterprise technology, defense in depth requires least-privilege access on all systems, encryption of data in transit and at rest, prompt application of security updates, and many other approaches.
It's not a technical factor, but cybersecurity insurance is an essential line of defense in any security scheme for a modern organization considering any digital transformation initiative. The point of a secure infrastructure with no adverse incidents is to keep the business running smoothly. In the pursuit of that goal, cybersecurity insurance is a business imperative, even though you always want to prevent a cybersecurity breach and avoid the need to file claims.
Cyber insurance gaining popularity
As a relatively new and highly competitive business, cybersecurity insurance is evolving to better serve customers by helping them optimize their own risk models. Coverage is widespread but not universal, even among large organizations. A 2019 Spiceworks study found that 38 percent of organizations across North America and Europe have an active cyber insurance policy, and 45 percent of those with a cybersecurity insurance policy purchased it in the past two years. In a separate Spiceworks poll, another 11 percent said they planned to purchase a policy in the next two years.
The insurers have every reason to want their customers to use the most effective security technologies. Industry programs like Cyber Catalyst℠ by Marsh, under which the insurers themselves designate products and solutions they consider effective in reducing cyber-risk, can benefit customers by helping to improve terms and conditions in insurance negotiations and perhaps guide purchases when the decision is otherwise a close one. A Cyber Catalyst℠ designation includes the insurers' reasoning behind the designation and thus represents a valuable independent assessment that can inform planning and purchase decisions.
The goal of Cyber Catalyst℠ is to provide information and incentives to insurance customers to help them strengthen the defenses in their organizations. All organizations need as much of this help as they can get. There are many types of harm for which you might need cybersecurity insurance. This is not an exhaustive list.
- Business interruption: A cybersecurity incident could easily interfere with your business to the point that you lose revenue.
- Incident response: Typically, companies need to call in expensive experts to fix the problem.
- Ransom: If you are hit by ransomware, the only practical course of action may be to pay the criminals to get your data back.
- Theft: Much cybercrime is simply about stealing money from companies.
- Data leakage: Criminals might steal confidential data with business value or customers' personally identifiable information.
It's possible that you use outside services for hosting and management of your own systems and rely on these services to secure your assets. Don't assume that the provider will reimburse you for all of your expenses if they themselves are attacked. Managed service providers and hosting services are popular targets for ransomware gangs precisely because they are so lucrative: by compromising the service provider, the attackers can compromise all of the provider's customers at once.
It's important to note that some service providers have better security practices than others, and it is the poorly secured ones that get compromised. Needless to say, you should investigate the security practices and reputation of any service provider you may hire; these compromises happen in the real world, not just in theory.
Attacks on businesses and governments come from many different directions, and there is no one solution that will close them all off. You need to insist on strong password policies, multifactor authentication, prompt application of software updates, encryption of data in transit and at rest, and products that implement these safeguards properly. No one said it was going to be easy.
Defense in depth and other best practices, along with the most secure products and appropriate cybersecurity insurance coverage, give you the best shot at avoiding incidents and limiting the damage from those that do happen.
This article/content was written by the individual writer identified and does not necessarily reflect the view of Hewlett Packard Enterprise Company.