When you work in IT and you’re at a dinner party and somebody asks, "What do you do?" you can usually see the blood run from their face as they’re like, "Oh my God, why me? My one night out this week! Why did I ask?!" However, recently, I was invited to a dinner party with place names (A little over the top? Or strategic?) and I was placed next to an insurer. Naturally, the host knew that people in IT and insurance would get along like a house on fire. Or was it to keep the nerds down one end of the room? I’m not entirely sure.
Anyway, after he introduced his role and company to me, it was my turn to divulge what area of IT I was in. I mentioned the word cyber and before I could say security, he was telling me that there is cyber insurance that will "cover everything". Everything?! This was a bold claim and suddenly our end of the table became the noisy end. I instantly questioned his statement as to what level people are covered and he claimed as a cyber insurance broker that they pay out for all ransomware attacks - whatever value the ransom is. I was astonished! For all my time at the police I had it ingrained in my mind that crime doesn't pay and by fuelling cybercrime you are funding the bigger picture of international organised criminal gangs, which will just increase the more they receive.
So this took me to Google not just to research this claim but also to question his ethics as this was now starting to sound illegal. My research suggested that “Due diligence is required to ensure ransoms are not paid to ‘terrorist’ cyber attackers”. Pointing this out made him even more smug, yet there was nothing I could do to suggest that they will never know the origin of the cyberattacker. So how can insurers pay a ransom when it could be going to a terrorist? His defence angle was vice versa, suggesting that there is nothing to prove they are!
Ethically this is against everything I know but who’s in the wrong here? The cyber insurers or the governing rules? What on earth are companies thinking when they are sold cyber insurance? Are they of the mindset that if the worst case scenario occurs, their broker will just pay the ransom and get them out of the hole they are in? Well yes - that seems to be exactly what is happening. We have become accustomed to the fact that the cybercriminals are winning, with law enforcement struggling to contain it.
Cyber insurance is currently booming and many insurers are offering varying levels of protection to customers who (personally) seem in the dark about a lot when it comes to cybersecurity. We all know that scare tactics aren’t the best way to go about selling a product, yet increasing hacking stories in the media are certainly making CEOs a bit twitchy. Rightly so: C-suite staff should be raising their heads above their monitors when it comes to their infrastructure security, but is insurance better than prevention? Do they think insurance is prevention? Even forgetting ethics for a moment, paying a criminal to receive your data back could be just as catastrophic should malware be transmitted along with the backup – along with your premium increasing in the next year with your insurer.
Isn’t simply reducing the risk beforehand a far better way to keep this threat from exploding within a company? This is easily achievable by training, anti-malware software and setting privilege rights correctly.
So back to my new acquaintance at the dinner party, with whom I was now in a full-on debate, even with interjections from other professions around the table giving their two cents’ worth. It seems very few people believe that prevention is the best option because people will always seek the easiest way out. Unless we force people to include prevention methods from the outset, people will inevitably fall back on reactive measures which we have seen do not always work.