Secure Your Battle Stations
Secure Your Battle Stations Network security, unlike errors and omissions, or acts of God, is an intensely competitive endeavor. Intelligent minds are out there, actively seeking out and exploiting your vulnerabilities. And, as you take intelligent steps to reduce your exposure, they come up with countermeasures. Meanwhile, the potential for loss from a security breach can cripple your business. The insurance industry is only just beginning to delve into the realm of network security, but as a solutions provider or an end customer, you need to look seriously at transferring at least some of your security risk to an insurance carrier.Before buying any kind of policy, do an assessment of the type and magnitude of your particular security risk. That will tell you where to focus your insurance coverage and how much of it you need. The easiest potential costs to assess are immediate losses of revenue. Cash flow stemming from Web-based transactions is clearly at risk. Disruption of internal IT resources due to denial-of-service (DoS) attacks and corrupted or deleted data also falls under that category. Those costs may be more difficult to estimate, but in many cases may represent a bigger financial loss. Most recent viruses, for example, have done most of their damage by disrupting e-mail service. The aftermath of a DoS attack can prove at least as costly as the attack itself, and such costs can be difficult to quantify. Post-attack response, recovery and forensics are expensive, both in terms of person-hours and IT service disruption. It may take considerable time and effort after an attack to determine whether sensitive intellectual property has been stolen or corrupted, and even more to pursue legal recourse if it has been. A successful attackparticularly one which includes theft of sensitive informationmay be followed by an extortion attempt. A public attack can damage your companys reputation and brand identity to an extent that dwarfs the tangible costs. Greg Grant, director of marketing programs and strategic alliances at Internet Security Systems Inc., believes that "damage to third parties is probably the most overlooked cost of security breaches." Such a breach may result in widely different kinds of third-party liability, some of which may be trivial to assess and others wholly speculative. The costs of a violated SLA or fraudulent credit-card transactions, for example, are readily predictable and may be spelled out in a contract. However, liability for damage caused to third-party networkswhether caused by employees or as part of an attack by an outsidercan be extremely difficult to predict. As the insurance industry hasnt established standard procedures in that area, there are no reliable industrywide statistics on damages from security breaches and nothing from which insurers can create usable actuarial tables. As a result, the process of selecting the scope of coverage and setting premiums is generally accomplished on a company-by-company basis. Most insurers rely upon a thorough and extensive security audit by outside experts to determine your policy eligibility and premiums, but differ a great deal on specific requirements and the weight placed on different elements of the assessment. Others look only at specific measures as an indicator of overall security posture. For example, according to Jon Callas, director of engineering at Counterpane Internet Security, "Lloyds [of London] looks at our customers the way health-insurance companies look at nonsmokers. They assume that someone who cares enough about security to hire us is going to be pretty much on the ball." No matter what your insurer requires, hire an independent firm to do a thorough audit of your entire company before settling on a specific policy. Avoid relying entirely on the insurers internal auditors. Without specific information on your businesss strengths and weaknesses, youre at the mercy of the insurer when it comes time to select appropriate coverage. "A CIO who buys without identifying the specific risks is likely to end up underinsured where its risk is greatest, and overinsured where its least," warns Kovar of The Yankee Group. Set aside time and resources to implement the auditors recommendations, retaining the auditor as a consultant or bringing in a second firm, if possible. Schedule regular audits to update your self-assessment, and continue to implement new recommendations as they come up. Aside from the obvious security benefits, that allows a firm to avoid insuring risks that can be reduced or eliminated with relatively cheap policy or technology solutions. Indeed, most insurers will offer sizable discounts to customers who take active steps to improve their security postures. "We help insurers by reducing the buyers vulnerability and improving the quality of their portfolio," says Jeff Louie, worldwide marketing manager for Hewlett-Packards Mission Critical Services Organization. "The insurer can then, in turn, reduce their premiums." John Wurzler, of Wurzler Underwriting Managers, concurs. "Good security practices can make the difference between a $20,000 premium and a $7,000 premium. If the customer takes extraordinary measures, so will I. If theyve got 24 x 7 monitoring of their servers and firewalls, I might be able to give [them] an 80 percent discount." Because policies are so heavily customized, its important to be very clear as to what is covered and what is not. Does your policy cover losses in revenue or only net profits? What about recovery costs? Is your extranet covered, as well as your intranet? Remotely connected machines? Are you covered for third-party liability? What if one of your employees attacks a partners network? Will they offer bounties for stolen credit-card numbers? Will they cover your legal costs? Can you qualify your partners for their own coverage? The appropriate combination of policy terms will depend entirely on your companys specifics, so take great care. "The thing that executives need to understand most is that its their necks on the line here," warns Kovar, addressing the need for every type of high-tech insurance. "In the end, they are going to be held personally liable for failure to conduct due diligence if theyre not addressing these issues. If they think they can hide behind a corporate veil, theyre going to be in for a big surprise."
Matthew Kovar, an analyst at The Yankee Group, argues that a "CIO who does not move to insure against hackers probably doesnt really have a good sense of what is at risk and, in my opinion, is probably not doing his job."