News

AlertBoot offers a cloud-based full disk encryption and mobile device security service for companies of any size who want a scalable and easy-to-deploy solution. Centrally managed through a web based console, AlertBoot offers mobile device management, mobile antivirus, remote wipe & lock, device auditing, USB drive and hard disk encryption managed services.

Encryption vs. Cyberinsurance: One's Risk Management, The Other's Risk Transfer

The Anthem data breach is turning out to be big not only in terms of number of people affected.  According to pymnts.com, quoting ft.com, Lloyd's of London has stated that cyber attacks are "now too big for private insurance companies to handle" after details of Anthem's hack were revealed.  This is another development that should make people take a long, hard look at using encryption software to secure sensitive data.

Risk Management

As breaches of personal and other sensitive information started to grow exponentially, and data security professionals kept pointing out that data security tools like disk encryption were meant to manage risk (and could not eliminate it), some people started to misinterpret the advice they were given.

It was unusual, yet not rare, to find people thinking along the lines of: well, if it's meant to manage risk, maybe we don't need these security tools.  We'll just manage it in a different way.  And, presto, you had companies that signed up for cyberinsurance only, at the expense of using proper data security tools and drafting enforceable, well-thought-out computer usage policies.

There are advantages to this short-sighted approach: huge savings on anything that is remotely related to technical issues, including IT labor; instant coverage as opposed to the weeks or months (or years!) that it could take to plan and implement a technical approach; reducing oversight and monitoring; etc.  The savings in time, energy, and money are astronomical.

The problem is, this is a different kind of risk management: while the use of data security solutions represents a reduction in risk, the use of cyberinsurance represents a transfer of risk.

Transfer vs. Reduction

From the point of view of a company looking to manage the risk of a data breach, perhaps it doesn't matter that they're transferring the risk as opposed to reducing it.  After all, on the surface it achieves the same thing: it clears away the risk.

But there is the issue of permanence: as pymnts.com showed, insurance companies are increasingly unwilling to venture into the field of insuring against data breaches.  So, in the long run, companies may need to look into implementing data security tools after all (although it may not be true in the really long long run; technology has a way of finding solutions to its own vexing problems, especially ones that don't originate from the natural world).

Plus, legal protections don't extend to signing up for insurance.  And, people are not less likely to sue you because you signed up for insurance (in fact, maybe they'd be more likely to bring legal claims against you).

Last but not least, there is no guarantee that you'll be able to cash in on your insurance: insurance companies have gone to court over payments, asserting on technicalities that certain things aren't covered.

Meanwhile, reducing risk is win-win all around: legal protections abound in the form of safe harbor clauses in legislation; it wouldn't be hard to convince the courts that encrypted data does not represent a data breach because the data is protected; most people are quite aware that encryption offers real protection.  Plus, as opposed to transferring the risk (specifically, financial risk), the threat of a data breach is actually reduced.

Related Articles and Sites:
http://www.pymnts.com/news/2015/we-cant-cover-cyberattacks-says-lloyds-of-london-insurer/
http://www.databreaches.net/big-cyberattacks-crippling-private-cyberinsurance-firms/

About sang_lee

Sang Lee is a Senior Account Manager and Security Analyst with AlertBoot, Inc., the leading provider of managed endpoint security services, based in Las Vegas, NV. Mr. Lee helps with the deployment and ongoing support of the AlertBoot disk encryption managed service. Prior to working at AlertBoot, Mr. Lee served in the South Korean Navy. He holds both a B.S. and an M.S. from Tufts University in Medford, Massachusetts, U.S.A.