Businesses are spending a small fortune on cyber security but what they are doing is not working very well, according to a cyber security expert who sees the insurance industry as a key to improving the situation.

“We have a lot of money going into trying to address this problem,” David Garrett, founder of Tensyl Security, a San Mateo, Calf. -based security consulting firm, told executives at the 2017 Super Regional P/C Insurer Conference in Lake Geneva, Wis. last month.

Businesses are spending more than $70 billion a year for cyber security tools and more than $3 billion in cyber liability insurance premiums.

Garrett identified several reasons cyber security efforts are failing including that current approaches to security ignore organizational cultural issues and that the “avalanche” of cyber tools is overwhelming buyers who have little way of knowing which ones work.

According to the security expert, the property/casualty insurance industry is positioned to play a pivotal role in cyber security by educating clients on the real drivers of cyber breaches, collecting better data from insureds on their security practices, and helping their insureds decide which security steps and tools are the most effective.

“In fact, I think that by helping insureds, carriers will actually grow this particular business,” he said.

According to Garrett, nearly every person on the planet has had his or her identity stolen in the last eight years.

Also, more than 20 percent of small and medium size businesses have reported that they have been victims of a cyber attack, a number that is growing 15 percent and more a year. The real percentage is higher because many firms do not report they have been attacked, he said.

David Garrett
The Ponemon Institute estimated cyber security expenditures at $75 billion in 2015. The Worldwide Semiannual Security Spending Guide from International Data Corp. (IDC) forecast that worldwide revenues for security-related hardware, software, and services will grow from $73.7 billion in 2016 to $101.6 billion by 2020. IDC said the U.S. share of that cyber security investment in 2016 was $31.5 billion.

Businesses are also paying for cyber liability insurance. The global market for cyber insurance grew to about $3.4 billion in premiums last year and could rise to between $8.5 billion and $10 billion by 2020, reinsurer Munich Re estimates. U.S. property/casualty insurers wrote $1.35 billion in direct written premium for cyber insurance in 2016, a 35 percent jump from 2015, according to reports by Fitch Ratings and A.M. Best. Insurance broker Marsh estimated that total annual cyber premiums hit $2 billion in 2016 and may reach $20 billion by 2025.

Cyber attacks are all over the news.

“You read about them every day. Whether you’re talking about the potential Russian hack into our election, or the Yahoo! data breach, or name the next mega data breach which is going to happen later this week because there will be one,” he said.

Yet, all this money and attention don’t seem to be making a dent.

5 Reasons for Faliure

“Why is it that, even though a lot of very smart people are trying to address this problem and spending significant amounts of money, we’re not doing well?” Garret asked. “We’re doing terrible at it. I have been asking myself, ‘why?’”

He offered five reasons cyber security has been ineffective:

Common misconceptions. Most people understandably think of cyber security as an IT problem. “For most people, the inner working of information technology is somewhat of a mystery. It makes, somewhat, sense that it’s both the cause and the cure of a lot of the problems,” Garrett said. But IT is not the whole picture. “The true drivers, in my opinion, of some of these cyber security risks, are organizational cultural issues. You can buy the latest firewall and buy the latest data loss prevention tool. But if there’s a fundamental issue with your organization’s culture that’s driving some of this risk, you’re really in no better spot.”
Traditional security strategies. Most enterprise risk management tends to be specialized. The finance department handles financial risks. The legal department handles legal risks. The facilities department handles physical security risks. The IT department handles IT risks. “That does not lend itself well to digital risks. Digital risks span all of those various risks,” Garrett said. Also, a data breach raises technical and reputational issues. Traditional risk management strategies do not provide visibility into those different risks.
Security risk factors: culture and enforcement. There are certain behaviors and activities that correlate with the likelihood that there will be a breach. One is tolerance for inconvenience. “A truism, in information security, is that security and convenience are inversely related. You cannot have both,” he said. One example is passwords. The longer they are, the harder it is for employees to memorize them. Human nature dictates going the route that has the most convenience and that doesn’t necessarily equate to better security. Denying administrative rights to employees makes it more difficult for hackers to install software. But it’s not always done because employees want their freedom to be able to download that Yahoo app because March Madness is coming down the pike. “There is almost a culture within an organization that favors convenience.” Lack of security governance is another risk factor. There is often an infrastructure of people, policies and processes that set corporate policy when it comes to security but those policies need to be enforced. Organizations that take those steps in a “cavalier way” are more likely to have a data breach. Also, decentralized organizations can be a risk. Many organizations that grow through acquisitions work in silos. If there is a risk that needs to be managed, it’s more difficult to do that if the group in one silo has a different set of IT than the group in another silo.
Data imbalance. Paradoxically, at the same time information security professionals are flooded with data, they have no data. That is they have lots of data of certain types from firewalls and data loss prevention tools for tactical decisions but not necessarily data that support strategic decision making. “We see an attack coming in from a particular IP address, we can shut off access to that IP. Organizations are actually getting pretty good at being able to do that,” he said. But there is a lack of data in other areas, such as on the culture of an organization, whether the organization prioritizes convenience over security. “There’s ways to do that but that’s not happening right now. It’s one place where insurance carriers can really distinguish themselves from one another is the ability to be able to collect really meaningful data,” he offered.
Choice overload. This is a term invented by Columbia Business School professor, Dr. Sheena Iyengar, whose research is around what drives consumers to buy. There is an “avalanche” of products in the information security field, especially for small and medium sized businesses. “Lots of companies that are doing really cool and exciting things. Many small and medium sized businesses are not capable of differentiating between them. It has become noise,” he said. “What is happening, and I’m seeing it happen more and more often, is that companies are not actually purchasing the technology that could help address some of these issues. Companies are either delaying or not actually making that choice.”
Making a Difference

Garrett believes there are various ways the insurance industry can make a difference. The industry can collect better data from insureds on their security practices, help them decide what steps and tools would work for them, offer safe cyber discounts and, most important, improve organizations’ cyber culture.

“I don’t think that carriers, so far, have done a good enough job of really educating the insureds about the true drivers,” he said.

He suggested that white papers, seminars and conferences are among the ways to educate clients.

He urged carriers to help their clients understand that whether they have this firewall or that data loss prevention tool is in some ways less important than talking about their culture, taking a holistic approach.

“Most companies, most organizations, are not thinking of this problem in that way,” he said. “I think the carriers have a real opportunity to change the conversation.”

Safe Cyber Discounts

Regarding safe cyber discounts. many carriers are already offering them. “To those I would say, ‘Keep doing it, and in fact make it an even bigger part of your program because I think they’re very effective,” Garrett said.

He suggested financial incentives be based on factors such as whether the organization has a dedicated information security team. “I know, at least anecdotally, that those organizations that have professionals that focus exclusively on this are generally in a more mature state and much more nimble when it comes to being able to change and address risk. I think that is one of the first questions I would certainly want to know,” he said.

Another safety credit qualifier might be if the organization does annual security risk assessments. He said having an outside, independent risk assessment provides a level of independence.

He acknowledged that not all risk assessments are equal and the field is changing regularly. But they still have value. “I do think that to an extent that an organization takes a cyber security framework and embraces it and is trying to improve based upon it, they’re in a much stronger position,” he said.

According to Garrett, it matters less which security assessment or framework an organization chooses than it does that the organization has decided it is going to follow a structure to be able to constantly measure maturity and improvement over time. “You can’t measure improvement unless there’s some basis to measure it up from. That’s really what one of the best values of the security framework is,” Garrett said.

Credits can also be given to those with independent cyber security certifications. “In my mind, it’s less the certification than the investment that the company has made in it as being reflective of the vision of the company,” he said.

Insurers can also help with the choice overload problem plaguing the security field.

“Now I’m sure this is a little bit of a tricky subject because insurance carriers are not necessarily in the business of being the Consumer Reports for software vendors,” Garrett acknowledged. “But I do think that there’s an ability, and most carriers would have the leverage, to start helping insureds identify certain insurance products that are routinely rated the best.”

He urged carriers to play a more active role in helping insureds so that “there isn’t sort of paralysis of decision‑making, when it comes to some of these more technical choices.”

Better Data

Finally, he urged carriers to focus on collecting meaningful data on insureds’ cyber cultures, data that they can access but most other organizations could not.

“What seems to be happening now is that the data being collected now from insureds is fairly superficial: ‘Do you have a written information security plan?’ You know, ‘What industry are you in?’” he said. “Those are important metrics… but I think there’s a real opportunity set up to create models that provide much more insight into the types of behaviors that are going to result in data breaches.”

He suggested insurers collect data on passwords.

“It’s well known that weak passwords are a well-used attack factor to get into organizations,” he said, explaining that it is possible to do an analysis of an organization’s passwords to evaluate the strengths and the weaknesses. Such an analysis can provide insight into an organization’s “convenience versus security risk factor” and whether it’s an organization that’s favors convenience over security.

Another series of questions insurers might ask could get at how the organization handles routine IT management such as software updates or patches to software. “It happens all the time,” he noted. “At least if you have good IT hygiene, you’re doing that.”

Part of this analysis looks at how insureds are managing vulnerability over time. “How long does it take them to actually patch those critical securities?” If it takes them a long time, it may mean they lack resources or are understaffed. “It also could mean a sort of cavalier attitude towards patching and security,” he said.

A focus on information gathering can make a difference.

“I think there’s a real opportunity to create models that provide much more insight into the types of behaviors that are going to result in data breaches,” Garrett told the executives.