BBC News reported today that power companies are being refused insurance cover for cyber-attacks because their defences are perceived as weak.
Underwriters at Lloyd’s of London say they have seen a “huge increase” in demand for cover from energy firms, but surveyor assessments of the cyber-defences in place concluded that protections were inadequate.
From this news, Cryptzone, Websense & Thales UK have made the following comments:
Einar Lindquist, CEO, Cryptzone
“It doesn’t surprise me that insurance companies are nervous. The Statoil breach at the end of last year is testament to energy giants being caught out by cybercriminals. However, I believe that the risks are universal in all organizations, so we should expect to see this reluctance transfer across other sectors. Businesses may increasingly discover themselves to be uninsurable in the coming months unless they can prove robust IT security measures are in place.
“The root of the Statoil breach is common in many organizations as there’s little or no consensus on what constitutes sensitive documentation. It is impossible for IT to be aware of all the confidential and sensitive information stored in the corporate IT environment. It is of course sensible to document and communicate a framework of what constitutes sensitive information, but it may not always be as obvious as listing particular applications or document authors. Indeed following the recent scandal surrounding an IT contractor in the US leaking vast quantities of data, it is advisable that IT administrators, neither know about or have access to sensitive content.
“Mistakes are always going to occur that result in the potential disclosure of sensitive content, but it is up to organizations to ensure that the impact of those mistakes is kept to a minimum. Too many organizations are leaving themselves wide open to data breaches because of an over-reliance on their overstretched IT security department rather than sharing the responsibility with business managers, who have a vested interest in keeping content safe.”
Andy Philpott, SVP Sales, EMEA, Websense
“This is a wake-up call for utility firms seeking out insurance against cyber attacks and increasingly being refused. There needs to be a mental shift refocusing from insuring against the aftermath of an attack to preventing it entering the network in the first place. Recent research we’ve conducted shows that over 70% of security professionals don’t trust their current security program.
So many companies are still using security technology that is not fit for purpose in today’s threat landscape. Not all security solutions are equal and I would urge companies to do their due diligence. Security defences need to be effective across all stages of an attack, using layered defences to cut across the threat kill chain.
It’s an inevitability that a determined and targeted attack will eventually be successful, but it’s how you deal with it once it’s inside your network. Many evasion techniques are used to easily bypass traditional security defences. The best insurance would be to test, test and test your security; understand where the weakness lie and have real-time security able to analyse malware on the fly. Most importantly, put data leak prevention at the core of your business so that even if an attacker gets in, they will not be able to steal any data. Security can never be ‘set and forget’ and needs to be at the forefront of a company’s mind at all times for any chance of ensuring security effectiveness.
Tony Burton, critical infrastructure protection business lead, Thales UK
It is clear that there is growing concern in the energy industry around the security of their infrastructure and its robustness against the modern day cyber attacks. Legacy systems, often built before the internet existed, were simply not designed with the levels of interconnection and security threat we see today. Even systems that have remained isolated from the internet and business IT systems are vulnerable to threats and can ‘leap the air-gap’ via process, people and physical (USB Stick) vectors. Energy firms and other areas of CNI are beginning to face up to this challenge and are increasingly recognising that good security is good business. The insurance issue and contingency holdings are prime examples of how good security can have a positive effect on the bottom line results of these companies. However, the security of these operations is not a simple challenge and this is what the insurers are beginning to recognise.
The options to simply change software to a more up to date version, implement patching or install firewalls/gateways and intrusion detection systems are not always available due to the potential introduction of instability or inherent integration problems. Specialist domain expertise is therefore needed to fully secure these legacy and new systems through a combination of Physical, Process, People and Cyber security measures that will adequately protect against cyber and physical intrusions. Energy firms need to commit to investing the time and money in this holistic approach to the security of their operations in our interconnected day-and-age and only then will they restore confidence from prospective insurers.”