The more you can do to safeguard your company against cyberattacks and employee error, the better you will fare in the coming years. Cyber insurance is still evolving, and as such you can still get good deals even if your cybersecurity is not completely up to snuff. But for those who get in front of the issues facing companies today, it will be a buyer’s market for a long time to come.
Cloudy with a Chance of Extinction
The cloud continues to be a challenge for companies. The stories are many and varied. Recently, hundreds of thousands of records belonging to plastic surgery patients were discovered online on an unprotected Amazon Web Services (AWS) storage “bucket.”
This kind of thing is happening more frequently. That compromise wasn’t the only incident that week. Call it bad cyber hygiene or leaky data syndrome, these kinds of compromise by misconfiguration have been reported by myriad companies and organizations, including Netflix, Ford, the Pentagon, Booz Allen, Verizon, WWE, Time Warner Cable, the National Credit Federation, Dow Jones, and literally hundreds more. Each has reported—or worse have been discovered to have—extremely sensitive customer data stored on cloud servers that were not properly secured. Often, the stories revolved around misconfigured AWS servers.
These kinds of database security fails are not native to AWS. Other services have also been associated with catastrophic data leaks and compromise due to misconfiguration.
Catastrophe indeed seems like the right word to describe these cyber events.
The Problem Isn’t the Platform
This is about how data is handled in the cloud. It’s clear that the culture around cyber security is a work in progress as evidenced by the widespread failure to practice good cyber hygiene, including the application of even the most minimal protections for online data.
Who is accountable? Is it a design flaw, or an implementation issue? At some point that will be a question that cyber insurers will think about 24/7, solutions evolving alongside challenges and underwriting calculations following close behind. For those who want to get ahead of the curve, the time to think about these issues, and get more cyber savvy is now.
User behavior has been and will continue to be the biggest barrier to effective cybersecurity. The four most common consumer passwords of 2019 were “123456,” “123456789,” “qwerty,” and “password.” One or two those consumers might be working for you—not something you want to find out the hard way.
At issue here is a societal mindset, one that trickles not down, but up to the biggest and best-funded businesses and organizations in the world where we see these stories about vast troves of valuable data being left online without password protection.
Insurance often moves in lockstep with regulation. The question for legislators and insurers alike is not really if mandatory password regulations will be enacted when it comes to storing data in the cloud, but when. Companies that anticipate the new laws coming down the pike will be in the best position to get the best deals.
The Case Against Freedom
Senators Ron Wyden and Elizabeth Warren argued that data management should be regulated in the wake of the Capital One compromise where a former AWS engineer exploited a misconfigured server operated by the banking giant. The two senators wrote a letter to the FTC stating:
“Amazon continues to sell defective cloud computing services to businesses, government agencies, and to the general public. As such, Amazon shares some responsibility for the theft of data on 100 million Capital One customers.”
Assigning blame for the data leaks on the AWS platform won’t solve the problem, but it may result in better security. The cloud is ubiquitous. Holding one company liable for less rigorous security requirements is fine, but risks are constantly evolving, and the real issue here is a failure of the imagination. We need to get in the habit of forecasting potential issues, and getting in front of them with cultural solutions. Training better cyber hygiene trumps a better system every time.
We need a holistic approach before insurance companies develop their offering enough to incentivize them. When eventually they do, you’ll get the best deals available.
Your Company to the Rescue
While data leak by misconfiguration is distressingly common, it can be stopped with the proper implementation, and that’s something companies can control.
Cyber insurers may be best equipped to make specific determinations about risk, since they sink or swim on a correct understanding of the problem but right now it’s a buyer’s market. As data breaches and leaks have become the third certainty in life, coverage for cyber-related incidents has become a necessity. One of the basics when determining risk for an insurance policy is taking an objective survey of an organization’s entire cybersecurity stance and practice, identifying the areas most likely to lead to an incident, and offering more affordable coverage to the companies that adjust accordingly. That’s not where we are—yet.
The known pitfalls of a platform like AWS can then be balanced against the benefits of a properly configured use of those services--one that is more secure against the curious and prying eyes both from within an organization and “out there.” You get there by insisting on a culture of cyber best practices at the workplace—from the mailroom to the boardroom.
It seems like a given that companies looking for a strong cyber insurance provider will be more proactive with regard to securing their information--a win-win where sensitive personal data will no longer be sitting unprotected online and businesses have a better shot at weathering the potentially fatal costs of a leak or breach.