The more you can do to safeguard your company against cyber attacks and employee error, the better you will fare in the coming years. Cyber insurance is still evolving, and as such you can still get good deals even if your cyber security is not completely up to snuff. But for those who get in front of the issues facing companies today, it will be a buyer's market for a long time to come.
The cloud continues to be a challenge for companies. Last month, hundreds of thousands of records belonging to plastic surgery patients were discovered online on an unprotected Amazon Web Services (AWS) storage "bucket" database.
That compromise wasn't an isolated event. Call it bad cyber hygiene or leaky data syndrome: these kinds of compromise by misconfiguration have been reported by myriad companies and organizations, including Netflix, Ford, the Pentagon, Booz Allen, Verizon, WWE, Time Warner Cable, the National Credit Federation, Dow Jones, and more. Each has reported--or worse, has been discovered to have--extremely sensitive customer data stored on cloud servers that were not properly secured. Often, the stories revolved around misconfigured AWS servers.
These kinds of database security fails are not unique to AWS. Other services have also been associated with catastrophic data leaks and compromise due to misconfiguration. In one such instance, the personal data of the entire population of Ecuador was compromised, and in another, the data of 1.2 billion people.
Who is accountable? Is it a design flaw, or an implementation issue? At some point that will be a question that cyber insurers will think about 24/7, solutions evolving alongside challenges and underwriting calculations following close behind. For those who want to get ahead of the curve, the time to think about these issues, and get more cyber savvy, is now. Here are a few steps you can take to help protect your company and get the best deal on cyber insurance.
Use Smart Passwords
User behavior has been and will continue to be the biggest barrier to effective cybersecurity. The four most common consumer passwords of 2019 were "123456," "123456789," "qwerty," and "password." One or two of those consumers might be working for you--not something you want to find out the hard way.
At issue here is a societal mindset, one that trickles not down, but up to the biggest and best-funded businesses and organizations in the world where we see these stories about vast troves of valuable data being left online without password protection.
Insurance often moves in lockstep with regulation. The question for legislators and insurers alike is not really if mandatory password regulations will be enacted when it comes to storing data in the cloud, but when. Companies that anticipate the new laws coming down the pike will be in the best position to get the best deals.
Implement a Culture of Smart Security Practices
While data leak by misconfiguration is distressingly common, it can be stopped with the proper implementation, and that's something companies can control.
Cyber insurers may be best equipped to make specific determinations about risk, since they sink or swim on a correct understanding of the problem, but right now it's a buyer's market. As data breaches and leaks have become the third certainty in life, coverage for cyber-related incidents has become a necessity.
One of the basics when determining risk for an insurance policy is taking an objective survey of an organization's entire cybersecurity stance and practice, identifying the areas most likely to lead to an incident, and offering more affordable coverage to the companies that adjust accordingly. That's not where we are--yet.
The known pitfalls of a platform like AWS can then be balanced against the benefits of a properly configured use of those services--one that is more secure against the curious and prying eyes both from within an organization and "out there." You get there by insisting on a culture of cyber best practices at the workplace--from the mailroom to the boardroom.
It seems like a given that companies looking for a strong cyber insurance provider will be more proactive with regard to securing their information--a win-win where sensitive personal data will no longer be sitting unprotected online and businesses have a better shot at weathering the potentially fatal costs of a leak or breach.