I've ventured into new territory lately: cyber-insurance. Here's why.
Hotel chains. Zoo gift shops. Amusement parks. Our own U.S. government's Office of Personnel Management. Security breaches continue to abound, apparently undiminished. And they are all over the news, which is causing me no end of headaches at work (especially with the overly dramatic coverage the network news provides). Just today, Trump Properties announced a security breach that compromised credit card numbers, with a particularly telling statement: "Like virtually every other company these days, we have been alerted to potential suspicious credit card activity and are in the midst of a thorough investigation." "Like virtually every other company" -- except mine, as long as I can prevent us from being a victim like all the others.
Every time one of these breaches hits the news, I get interrogated by my company's board and senior management. What are we doing to protect ourselves? Are we doing enough to avoid being a victim? And lately, I've been getting asked, "If the U.S. government can't protect itself, how can we hope to?"
Leaving aside for the moment that all these victims (including the government) have not done all they can to protect themselves, these questions are not easy to answer. First of all, the senior executives at my company are not particularly tech-savvy. After I get about three words into my explanation of our technology defenses, their eyes glaze over and they lose interest. And the answer is complicated. I have many layers of technologies and process in place to defend my company's network, along with sophisticated intrusion detection that should alert me if anybody does get past our defenses. It's hard to boil all those down into a 30-second elevator summary.
I'm also having difficulty answering the question "Are we doing enough?" I talk about the SANS Top 20 risks and controls, which are an excellent starting point. I have done extensive risk assessments, both internal and external, and have security controls in place for all the risks that have been identified. I've even made a list of "everything" that security practitioners can do. But again, the eyes glaze over the minute I start talking.
Plus, there's the truth of the matter: Nobody can really do enough to stop 100% of all technology threats. And nobody wants to hear that.
We are barraged with constant updates from Adobe to fix serious vulnerabilities in its Flash Player software that runs on practically every computer, everywhere. Microsoft releases security patches every month, which we have to deploy quickly without missing any systems. We are bombarded with phishing emails, and our employees can't seem to avoid malicious websites. How can we hope to stay on top of all that, before the hackers take advantage of something we missed, or haven't gotten to yet?