Data breach insurance? What does it really protect?

This recent article on data breaches in CFO Magazine is aimed at – not surprisingly – the CFOs of SMBs. That's a good thing – CFOs need to know that emerging corporate risks can be managed effectively.

The article makes the claim that "Cybercrime isn't a problem just for large companies. Here's how smaller businesses can protect their computers and networks from data breaches." But is the challenge about protecting computers and networks, or is it about protecting data?

More on how SMBs can take a clever and easier approach to reducing cybercrime risk later in this post. But cybercrime is now such a big issue that data security risk has become the top concern at the very highest levels of corporate responsibility: in 2012, for the first time, it became the #1 issue in the board rooms of the world's largest companies. You can read about that here. That's why the world's top companies are already adopting data-centric security technology to mitigate cybercrime risk more effectively than ever before.

CFOs are going to be among the first people getting that gut-wrenching phone call from the CISO if there's a company data breach. There are immediate corporate survival issues that need to be taken care of: US SEC or UK FSA reporting requirements for public companies, for instance, public notification processes, impact mitigation, board notification, PR fallout, legal process and risk assessment, determining if insurance actually covers the risk, and of course the budget slice and dice to re-organize finances to accommodate potential multi-million dollar remediation expenditure.

So where do insurance and firewalls fit in protecting against a breach? While these are important (and firewalls should be in place anyway), the real problem – as illustrated by the very reports cited in the article – is that the attackers are going after the data and exploiting gaps in IT security systems in servers, databases, firewalls, and intrusion detection. For example, SQL injection, a way attackers steal data from databases, rides in through the web application on traffic the firewall already allows, so it can reach live sensitive data without ever touching the perimeter – it's happened on many occasions. Clever malware sent in an email or instant message might find its way onto the internal network and start shipping sensitive data to offshore crime groups. An insider behind the firewalls might have direct access to data they shouldn't really see and steal it there and then.

So just as a small retailer has to assume a shoplifter may walk in the door at any time, and takes steps to reduce the impact, the same applies to data in applications and systems: businesses have to assume they will get breached, but minimize the risk. IT flaws will always be present and exploitable by malware and attackers – that's a given. Insurance might buy a little premature peace of mind, but it won't solve the problem – attacks on data happen whether you are insured or not. Also keep in mind that if your company shares data in emails and files, that data may be outside your traditional firewall control – and your insurance policy – sitting in your partners' IT systems and at risk across the internet.

One also has to ask: "will insurance even cover the costs and solve my problem?" What about hidden costs? Customer trust impact? Brand damage? Lost productivity? Budget? So while the CFO may be arguing over the insurance coverage after a breach is discovered, the attackers might be on a home run, taking more data gold, if the real problems aren't addressed.

Keep in mind too the all-important "Safe Harbor". That's somewhat like a handy "get out of jail free" Monopoly card: no disclosure notification is required in the event of a breach. It only applies if you have protected your data as required by the data privacy regulation – typically meaning the compromised data was encrypted (or otherwise rendered unreadable) and the keys were not exposed along with it. Safe harbor is referenced in US state data privacy laws like the MA Privacy Regulations and in federal mandates like HIPAA/HITECH and so on; PCI DSS is the exception. Insurance doesn't give you safe harbor, data protection does.

So here’s what to do:
Take a data-centric approach to data protection. Make the data useless to attackers in the event of a breach, but still capable of driving the business process or application. See how others have done it – whether it's an SMB or a top-tier bank. Success in the SMB market was recently covered in a really great article in USA Today, showcasing how leading SMBs are taking cost-effective, innovative approaches to thwarting cyber-attacks and cutting compliance costs.
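To make "useless to attackers but still capable of driving the business process" concrete, here is an added example (written for this post; it is not Voltage's product, nor the approach from the USA Today or CFO Magazine articles). It stores only tokens in the application database and keeps the token-to-value mapping in a separate vault, then shows two things from the discussion above: a full dump of the customers table, which is what a SQL injection or an insider with table access would walk away with, contains no real card numbers; and the application can still match customers by card and show the last four digits. The vault design, the function names and the sample card numbers (standard test numbers) are all constructed assumptions; a real deployment would use a vetted tokenization or format-preserving encryption product rather than this stand-in.

```python
"""Added illustration of data-centric protection: the application database
holds only tokens, so a dump of that table (what a SQL injection or an
insider with table access would obtain) exposes no usable card numbers,
while the business process can still match records and show the last four.

Example code written for this page; not Voltage's product and not the
methods from the cited articles. The vault scheme, names and sample card
numbers are all constructed assumptions."""
import secrets
import sqlite3

DIGITS = "0123456789"


class TokenVault:
    """Stand-in for a separately secured token vault. Assumption: it lives
    outside the application database and is not reachable by the same SQL
    that reads the customers table."""

    def __init__(self):
        self._by_value = {}  # plaintext PAN -> token
        self._by_token = {}  # token -> plaintext PAN

    def tokenize(self, pan):
        """Format-preserving token: same length, digits only, same last four,
        remaining digits random. Deterministic per PAN, so the application
        can still join and de-duplicate on the token alone."""
        if not pan.isdigit() or len(pan) < 8:
            raise ValueError("expected a numeric PAN of at least 8 digits")
        if pan in self._by_value:
            return self._by_value[pan]
        while True:
            prefix = "".join(secrets.choice(DIGITS) for _ in range(len(pan) - 4))
            token = prefix + pan[-4:]
            # reject a token that is already issued or equals a real PAN we hold
            if token not in self._by_token and token not in self._by_value:
                break
        self._by_value[pan] = token
        self._by_token[token] = pan
        return token

    def token_for(self, pan):
        """Look up an existing token without issuing a new one (None if unknown)."""
        return self._by_value.get(pan)

    def detokenize(self, token):
        """Only the vault can map a token back; the app database never can."""
        return self._by_token[token]


def build_app_db(vault, customers):
    """Application database: stores the token, never the PAN."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, card_token TEXT)")
    for name, pan in customers:
        db.execute("INSERT INTO customers (name, card_token) VALUES (?, ?)",
                   (name, vault.tokenize(pan)))
    db.commit()
    return db


def dump_all_rows(db):
    """Everything an attacker who can read the whole table would get."""
    return db.execute("SELECT name, card_token FROM customers").fetchall()


def leaked_pans(db, real_pans):
    """Check: which real PANs appear verbatim in a full table dump?"""
    stored = {token for _, token in dump_all_rows(db)}
    return [pan for pan in real_pans if pan in stored]


def find_customers_by_card(db, vault, pan):
    """Business process still works: tokenize the incoming PAN and look it up."""
    token = vault.token_for(pan)
    if token is None:
        return []
    rows = db.execute("SELECT name FROM customers WHERE card_token = ?", (token,))
    return [name for (name,) in rows]


def masked_display(db, name):
    """Customer-service screen shows the last four without detokenizing."""
    row = db.execute("SELECT card_token FROM customers WHERE name = ?", (name,)).fetchone()
    return None if row is None else "**** **** **** " + row[0][-4:]


# constructed sample data (well-known test card numbers, not real accounts)
SAMPLE_PANS = ["4111111111111111", "5500000000000004"]
SAMPLE_CUSTOMERS = [("Alice", SAMPLE_PANS[0]), ("Bob", SAMPLE_PANS[1]),
                    ("Alice Corp", SAMPLE_PANS[0])]

if __name__ == "__main__":
    vault = TokenVault()
    db = build_app_db(vault, SAMPLE_CUSTOMERS)
    print("table dump:", dump_all_rows(db))
    print("real PANs visible in dump:", leaked_pans(db, SAMPLE_PANS))
    print("lookup by card:", find_customers_by_card(db, vault, SAMPLE_PANS[0]))
    print("display:", masked_display(db, "Bob"))
```

The point of the separation is that the breach scenarios in this post (injection against the database, malware on the internal network, an insider reading tables) all end at the application database, and that database no longer holds anything worth stealing. The vault becomes the asset that actually needs the strong access controls, and it is a much smaller and better-defined thing to protect than every server the data used to pass through.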

Bottom line – insurance doesn't stop your company from being in the public eye or suffering loss of customer confidence in the event of a breach, and it doesn't cover your real risk. Think of data-centric security as a way to mitigate risk – anywhere the data goes. And for SMBs there are powerful and cost-effective options to protect data that way – in enterprise applications as in the USA Today article, and for email and files, instantly and very cost-effectively, from Voltage Cloud Services or as on-premises solutions.

If you would like to learn more, don't hesitate to get in touch – we have an SMB team ready to help you get back to running your business and out of worrying about data breaches and expensive data privacy compliance challenges.

Email us at
