Blog: Cyber Liability Insurance

Sketchy BIS Report Data, FUD, and Why You Need Cyber Liability Insurance

Ken Munro 11 Jul 2014

Insured?

I spent yesterday on HMS President at the annual ISSA Dragon’s Den event. Great fun watching security vendors try not to pitch their product whilst pitching their product!

My plan was to speak about threat intel, but after seeing the quote on the BBC News the night before last of ‘33% of SME businesses have been attacked by an unauthorised outsider’ I got really cross.

It was taken from the BIS 2014 Information Security Breaches Survey. Sounds good, doesn’t it. Then I noticed that the survey was carried out by PWC, and ‘in association with’ (does that mean sponsored?) Infosecurity. OK, there was decent independent peer review of the survey, but I’m surprised that government would let an organisation that has a significant vested interest in businesses spending money on security consultancy carry out the survey.

Conflict of interest or what?!

So, the comment that got my goat: “33% were attacked.” That’s a technical report, yet there is NO discussion of what sort of attack they include within this statistic.

A virus infection? A port scan? A phishing mail received? Cryptolocker? An exploit attempt that was blocked? A successful exploit and back door placed? A DDoS? A succesful attack or just blocking of an automated mountain of junk script kiddie stuff?

How can meaningful risk decisions and remedial actions be drawn from such a vague statement? That isn’t a technical report, it’s just creating more fear, uncertainty and doubt, feeding the coffers of security product vendors and consultancies. “Buy our 1U rackmount security appliance that will fix your PCI /SOX /HIPAA/DPA (delete as appropriate) compliance issues” – I think we’ve all seen marketing gumpf like that, and I hope you weren’t taken in by it.

Whilst I love the hack stories one hears in the security space, and I’ve got a lot myself from 18 years in this game, yet another hack story doesn’t justify the report. Yes, examples give depth and understanding to a report like this, but usually provoke the wrong response:

To quote the report:
“A large transportation company in Wales encountered a malware infection on their systems. This infection was not detected for a number of months and resulted in a massive number of man-hours and more than £250,000 spent to address the issue.”

The correct response would be to ensure that you/they have a first party cyber liability policy. That would cover pretty much everything involved in the incident. Cyber policies are remarkably cheap for the cover they provide!

The wrong answer would be ‘go and spend a fortune on consultancy and product that may or may not fix the above breach vector.’ Incidents and breaches lead to knee-jerk reactions. The board doesn’t want it to happen again, so they throw money at the problem, inefficiently.

You buy a nice car. Do you expect never to cause an accident or have someone crash in to you? No, that’s why you buy insurance, just in case. You get it serviced, you look after it with regular maintenance, you protect your investment. If trashed in a crash, you get cash to replace it.

So, to conclude – I’m really disappointed in BIS getting dragged in to the same old meaningless surveys that security vendors have been punting out for years. Using FUD to sell product is not helpful.

Personally, I recommended in my presentation at the Dragon’s Den that you go and generate your OWN threat intelligence. Find out if you’re actually being targeted, or it’s just script kiddie and bot noise. If you know the answer to that, you can show the board what is being thrown at YOUR business, not rely on mumbo-jumbo reports from big consultancies and government departments that should know better.

It’s easy to do, using free honeynets and honeypots. More on honeynets in my next article.