By Dean Thompson
According to Lloyd’s of London, a massive global cyberattack could result in economic losses as high as $53 billion.
Given that, it’s no surprise that an increasing number of businesses are adding cybersecurity coverage to their liability insurance. But as businesses rush to insure, the cost and precise scope of coverage of these policies are coming under scrutiny. A key question is whether or not non-malicious human activity is covered.
On one hand, cybersecurity policies that do not cover human error – which would include falling victim to sophisticated phishing schemes, visiting Trojan-infected sites, or even deferring patches or updates – would be of far more limited value.
That’s because, according to a recent Verizon study, 81 percent of breaches are due to compromised credentials. And credentials are often compromised through human error, such as poor password behavior. Think about it: they’re your credentials and only you know them, so if someone else gets hold of them, you’ve probably erred.
On the other hand, insurance companies offering cybersecurity policies that do cover human error might find themselves in a world of hurt after one successful malware attack makes its $53 billion journey across the globe.
That’s a huge number, one that could call into question the very solvency of insurance companies after a single attack. And while I hope such attacks will be rare, WannaCry’s breakneck success – infecting 230,000 computers in 150 countries on day one, with damages pegged by Lloyd’s at a cool $8 billion – suggests otherwise.
Human error coverage
Today, insurance companies offering cybersecurity policies go to varying degrees to ensure businesses are taking adequate steps to secure their data before they write (and price) policies. They are leveraging security experts such as Verizon to perform rigorous evaluations of a company’s security policies prior to determining the premium cost. And the strict protection of user credentials is a key component, because organizations that enforce least privilege are the ones with the least exposure to a destructive breach.
Businesses will lean heavily towards policies that do insure against human error, and considering the above numbers, they should be ready to pay hefty premiums. But much like your home insurance premiums are reduced when you install fire and burglar alarms, companies that take exceptional measures to protect themselves will see monthly premiums that reflect their efforts.
Rewarding best practices
Insurance carriers are rewarding customers with cheaper premiums when they have implemented a comprehensive set of tools, policies and best practices aimed at ensuring data is protected to the greatest degree possible, centering on the protection of user credentials.
Even more important is the implementation of least-access policies across the organization. When every user is restricted in the permissions they hold on systems, the systems they can reach and the data they can access, attackers who use compromised credentials to break into company networks are similarly limited in the damage they can do. Insurers have found that least-privilege access reduces the attack surface, making the customer less of a risk to them, which is why those customers’ premiums are lower than others’.
It’s always difficult to calculate the value of security because it tends to revolve around what could happen: the costs associated with recovery, downtime, lost productivity and the loss in brand value. But that is changing. Implementing the right technologies will have a direct impact on premiums and save real dollars every month. It might be time to pull out those ROI calculators and reexamine the potential cost savings associated with least-privilege access and securing your employees’ credentials, because to err is human.
About the essayist: Dean Thompson is vice president of global technical services and OEM sales at Centrify, a supplier of identity and access management (IAM) solutions.