Data breaches are a regular occurrence; one need simply look at the papers to read about the myriad breaches that have occurred over the last year. From the Sony attack in late 2014 to the more recent breach affecting Government employees in the US, it is clear that security breaches will continue to happen, and that the threat landscape, as opposed to “going away”, will continue to evolve at a pace as fast as those working to prevent it.
It is, in part at least, thanks to this ever-growing landscape that we are now seeing a focus, both from the media and the industry, on cyber insurance. This focus has seen the issue of data breaches flipped on its head recently. When Cottage Healthcare was hit by a data breach, losing 32,500 patient records, it notified its insurer, Columbia Casualty Company, which ended up shelling out a settlement of $4.125 million. However, reports now claim that Columbia Casualty is demanding its money back, claiming that it was in fact the healthcare provider’s poor IT security that allowed attackers to access the sensitive data.
Among the allegations leveled at it, Cottage Healthcare has been accused of failing to check for and apply security patches within 30 days of the hack taking place, failing to replace the default access settings or implement annual security audits, and outsourcing data to firms with poor security. In addition, Cottage Healthcare is also under investigation for not securing patient records properly. It is clear that insurers are unwilling to simply pay large sums for avoidable incidents when organizations, no matter their size or industry, should have basic data protection in place.
Not only does Cottage Healthcare now have a wealth of industry issues to contemplate; the case also raises the question: what do consumers think of this breach? According to research from Fujitsu, they too are unhappy with organizations, with 69 percent of consumers revealing that they do not trust organizations with their information. In addition, one in ten consumers revealed that they have suffered a data loss, and only 10 percent believe organizations are doing enough to keep their data secure. It is clear organizations still have a lot to learn when it comes to security.
The answer for all organizations is not to “get better cyber insurance” but, instead, to focus on the right protection, detection and response capabilities. Yes, organizations need to ensure all policies are risk based, but they will be better served by a good understanding of the scope required, and of the business as a whole, so that they can distinguish the most important assets to protect. Companies should focus on ensuring their governance is sound and use a security checklist to ensure basic cyber hygiene is in place, such as patched systems, good passwords and service controls.
There is also a need to look back – it is vital for organizations to understand their cyber history and the problems they have previously experienced. Only by learning from previous mistakes will businesses be able to look ahead and proactively prepare for any future cyber-attacks by mitigating the risk.
Finally, by having clear policies for the use of IT, portable media and devices in the workplace, particularly within organizations that allow people to use their personal devices, IT departments can ensure that data is appropriately protected, at the same time bringing security into the culture of the organization and ensuring everyone can play their part. It is important to remember that what matters is the effective implementation of a policy, rather than simply having the policy itself.
In the current landscape, organizations have more responsibility than ever to keep their business and customer data safe. They cannot rely on cyber insurance to bail them out if a breach occurs; instead, they should be putting in place risk-based policies to protect their most important assets. Now is not the time for complacency; organizations must get proactive if they want to remain trusted and, most importantly, secure.