When you work in IT and you’re at a dinner party and somebody asks, ‘What do you do?’ you can usually see the blood run from their face as they’re like, “Oh my God, why me? My one night out this week! Why did I ask?!” However, recently, I was invited to a dinner party with place names (a little over the top? Or strategic?) and I was placed next to an insurer. Naturally, the host knew that people in IT and insurance would get along like a house on fire. Or was it to keep the nerds down one end of the room, I’m not entirely sure.
Anyway, after he introduced his role and company to me, it was my turn to divulge what area of IT I was in. I mentioned the word cyber and before I could say security, he was telling me that there is cyber insurance that will “cover everything”. Everything?! This was a bold claim and suddenly our end of the table became the noisy end. I instantly questioned his statement as to what level people are covered and he claimed as a cyber insurance broker that they pay out for all ransomware attacks – whatever value the ransom is. I was astonished! For all my time at the police I had it ingrained in my mind that crime doesn’t pay and by fuelling cyber crime you are funding the bigger picture of international organised criminal gangs which will just increase the more they receive.
So this took me to Google to not just research this claim but also to question his ethics as this was now starting to sound illegal. My research suggested that “Due diligence is required to ensure ransoms are not paid to ‘terrorist’ cyber attackers”. Pointing this out made him even more smug yet there was nothing I could do to suggest that they will never know the origin of the cyber attacker. So how can insurers pay a ransom when it could be going to a terrorist? His defence angle was vice versa suggesting that there is nothing to prove they are!
Ethically this is against everything I know but who’s in the wrong here? The cyber insurers or the governing rules? What on earth are companies thinking when they are sold cyber insurance? Are they of the mindset that if the worst case scenario occurs, that their broker will just pay the ransom and get them out of the hole they are in? Well yes – that seems to be exactly what is happening. We have become accustom to the fact that the cyber criminals are winning and the law is allowing it.
Cyber insurance is currently booming and many insurers are offering varying levels of protection to customers who (personally) seem in the dark about a lot when it comes to cyber security. We all know that scaring tactics aren’t the best way to go about selling a product yet increasing hacking stories in the media are certainly making CEOs a bit twitchy. Rightly so that C suite staff should be rising their heads above their monitors when it comes to their infrastructure security but is insurance better than prevention? Do they think insurance is prevention? Even forgetting ethics for a moment, paying a criminal to receive your data back could be just as catastrophic should malware be transmitted along with the back up – along with your premium increasing in the next year with your insurer.
By simply reducing the risk beforehand is a far better way to keep this threat from exploding within a company? This is easily achievable by training, anti malware software and setting privilege rights correctly.
And would the ICO ever know about this? Would these ‘attacks’ be churcned through a government database of cyber stats? In a word, no. Essentially, Ransomware locks you out of your house and just holds the key at ransom. Nothing is ever stolen so it isn’t a burglary for the cops to investigate.
So back to my new acquaintance at the dinner party, which I was now in a full on debate even with interjections from other professions around the table giving their 2 cents worth. It seems very few people believe that prevention is the best option because people will always seek the easiest way out. Unless we force people to include prevention methods from the offset, people will inevitably fall back on reactive measures which we have seen do not always work.
Jake Moore is a Cyber Security Specialist for ESET, Europe’s number one Internet Security and Antivirus company. He is also a well respected industry expert when it comes to commenting in the media regularly in a range of tier one publications. He previously worked for Dorset Police spanning 14 years primarily investigating computer crime in the Digital Forensics Unit on a range of offences from murders to missing people. Within law enforcement powers, he learnt how to retrieve digital evidence from all devices whilst learning all sorts of ways to ethically break security in order to help protect innocent victims of crime. He then became a cyber security consultant for the force delivering tailored advice to the public and local businesses in order to help protect the community and build upon their security foundations.