Having just heard self-professed Mr Cybersecurity Man, Andy Prow, CEO of RedShield Security, describe the perfect storm befalling the cyber security sector right now, it was no surprise that those in the insurance sector were left questioning the sanity of trying to offer cover.
Prow, who used to run ethical hacking company Aura Group and now heads up RedShield which protects the New Zealand government, major banks and airlines, among others, painted a picture of an incessant and frantic bid to remain ahead of the hackers, with 28 days being the agreed lag time between a vulnerability being fixed and hackers exploiting it.
Referring to the British Metropolitan police force still using Microsoft XP 28 months after Microsoft decided to stop supporting it, he said: “This is why there is a problem.
“There is such a massive delay between when you can fix things and when people are fixing things versus how quickly the hackers are working. So this is a perfect storm we’re in at the moment.”
The issue with fixing vulnerabilities, he said, was that they became a virtual signpost to hackers. “The problem is that the patch is an utter blueprint for what the problem was, it cannot help but describe what the problem was so literally within around 28 days of a patch being released, the hackers exploit it.
“If you’re not installing the security updates within 28 days, 50% of your computers are going to be compromised.”
Prow said the Internet of Things would compound the issue, with home devices being controlled via apps providing more potential opportunities for hacking.
He said enterprises were struggling to keep up and all the time hackers were moving quicker and quicker, as he reeled off a long list of hacked organisations including Sony, Ashley Madison, Target, and even Associated Press (AP).
In the AP case, the agency’s Twitter account was compromised in 2013, with hackers sending out a tweet saying ‘Two explosions in White House, Barack Obama injured’, which resulted in a US$136 billion impact on stock markets.
With the implications of such hacks being so massive, Delta Managing Director Ian Pollard was prompted to ask the question: “Do you think that we’re barking mad to even try and insure it?” However, Prow denied that that was where the madness lay.
“Businesses are naïve to this problem. We had a port go offline where they didn’t know any of the manifests in any of the containers. They hadn’t seen themselves as a cyber security threat.
“So they need insurance as they need to call in experts to fix it and that’s really costly.”
Prow then turned to insurance companies: “Where you are barking mad is that you’re not finding out about this stuff enough. We keep coming across insurers that have kind of gone ‘Yeah, there’s the premium, they’ve got cyber liability insurance’ but we’re going, ‘has that customer done a full risk assessment of all the systems that run their business?’ Maybe they have but the insurance company hasn’t seen it.”
“So that’s the barking mad part. So yes, sell it because the barking mad customers need to buy it but the amount of premium now at risk from their businesses, that’s where I’d say the barking madness and naivety is going on, in my opinion.”
Delta has this week launched its upgraded cyber insurance product enhanced with a new cyber-attack prevention package. The underwriting agency has created a team of experts from 13 organisations and is now offering SME policy holders access to free cyber security assessments.
“Cyber security is not just about IT triage,” Pollard said. “A robust management strategy will ensure that when the worst happens you understand the impact on each aspect of the business.”