Security Think Tank: Data insurance will not fix broken systems

How can IT security best use the new financial and insurance products available to IT to improve data protection without increasing cost?

Will taking out a three-year loan to spread security costs help SMEs or larger companies make data protection better? Will data loss insurance improve an organisation’s data protection? In both cases the answer is no, not if you allow IT to lead in either of these matters.

Why do I say this? Because personal experience and independent research consistently show that IT departments largely do not understand the wider context of good information management.

For instance, in the largest study conducted into employee BYOD behaviour and attitudes, surveying over 4,000 full-time employees, Ovum found a concerning level of ignorance by IT professionals about the BYOD trend.

Nearly half of IT departments in the study either did not know of BYOD or were ignoring its existence, operating a “don’t ask, don’t tell” policy, while a further 8.1% actively discouraged it.

Levels of ignorance by IT were significantly higher in mature economies with more rigid working practices, such as those of Continental Europe, compared to high-growth economies such as Brazil, India and South Africa.

What IT departments are good at is buying and implementing technologies, but sadly not necessarily managing them well.

Security is an ongoing, iterative, cyclical business process. It isn’t something that is financed once and therefore subject to defined start and end points. It is a continual business requirement. You can fund the project, but what happens when the money runs out? Is the funding going to improve the organisation's risk-management processes, or better yet, make security a corporately accepted board-level matter? Will it be spent on compliance, governance, audit and so on, or on more technology?

A business needs to ask itself exactly what it is insuring itself against before taking out such a policy. For instance, we know that around 80% of breaches are caused by people – employees doing things that they should not – and sometimes this will be with printed matter or other non-electronic information.

IT will have no role in protecting against or preventing these sorts of breaches. The business is insuring itself against the transgressions of its own employees. It feels a little like they have accepted their fate, and while we know humans make errors, or are on occasion malign, surely some investment in regular security awareness training and a really robust information security management system would be a more cost-effective route?

Let's imagine that the worst has happened and there has been a breach – what will the resulting payout cover? Loss of reputation? Loss of customer confidence and many other intangibles?

So, it is great that new forms of funding are available for IT projects, but let's not fool ourselves into thinking IT projects in themselves deliver improved compliance or better data protection. Make funding of IT part of the strategy, but not THE strategy. By way of illustrating this point, to date, over £4m worth of ICO fines have been issued where the data breaches were not due to inadequate technology.

As for insurance, let us see this as the last resort, or safety net for when something seriously goes wrong, but not something we rely on day to day because we consider a breach to be an inevitable outcome. It will not fix a broken reputation and it will not stop customers dashing to competitors.

Mike Gillespie is director of cyber research and security at The Security Institute.
