
Powering down

Date: 05-2014











Many power companies are now being refused insurance cover for cyber-attacks, because their defences are perceived as too weak

Underwriters at Lloyd's of London report what they describe as a "huge increase" in demand for cover from energy firms. However, surveyor assessments of the cyber-defences in place have concluded that the protections these offer are often not up to the mark, and so underwriters are declining to cover those who fall short.

So, is this a call to arms for utility firms in general? Websense certainly thinks so. "This is a wake-up call for utility firms seeking out insurance against cyber attacks and increasingly being refused," says Andy Philpott, the company's SVP sales, EMEA. "There needs to be a mental shift refocusing from insuring against the aftermath of an attack to preventing it entering the network in the first place. Recent research we've conducted shows that over 70% of security professionals don't trust their current security programme."

LAYERED DEFENCES
So many companies are seen as still using security technology that is not fit for purpose in today's threat landscape. "Not all security solutions are equal and I would urge companies to do their due diligence," cautions Philpott. "Security defences need to be effective across all stages of an attack, using layered defences to cut across the threat kill chain.

"It's an inevitability that a determined and targeted attack will eventually be successful, but it's how you deal with it once it's inside your network. Many evasion techniques are used to easily bypass traditional security defences. The best insurance would be to test, test and test your security; understand where the weaknesses lie and have real-time security able to analyse malware on the fly.

"Most importantly, put data leak prevention at the core of your business, so that, even if an attacker gets in, they will not be able to steal any data," he adds. "Security can never be 'set and forget' and needs to be at the forefront of a company's mind at all times, for any chance of ensuring security effectiveness."

NERVOUSNESS UNDERSTANDABLE
Einar Lindquist, CEO at Cryptzone, says he is not at all surprised that insurance companies are nervous. "The Statoil breach at the end of last year is testament to energy giants being caught out by cybercriminals. However, I believe that the risks are universal in all organisations, so we should expect to see this reluctance transfer across other sectors. Businesses may increasingly discover themselves to be uninsurable in the coming months, unless they can prove robust IT security measures are in place."

The revelation at the tail-end of 2013 that internal Statoil technical documentation had been exposed on public servers caused a great deal of alarm at the time. And yet the reported causes at the root of this breach are common in many organisations, Cryptzone's Lindquist points out, with little or no consensus on what constitutes sensitive documentation.

"It is impossible for IT to be aware of all the confidential and sensitive information stored in the corporate IT environment. It is, of course, sensible to document and communicate a framework of what constitutes sensitive information, but it may not always be as obvious as listing particular applications or document authors. Indeed, following the recent scandal surrounding an IT contractor in the US leaking vast quantities of data, it is advisable that IT administrators neither know about, nor have access to, sensitive content.

EMPOWER MANAGERS
"Business managers who are responsible for content should be given the tools to enable them to secure their team or department's content automatically as it is created or edited; after all, they are in the best position to know what information in the wrong hands could threaten the business - be it industrial espionage, reputational damage or sabotage of production lines," Lindquist continues. "Giving managers authority and responsibility for managing their business groups in identity management systems is not as perilous as many IT professionals assume. Our experience is that this serves to tighten up security and improve timescales for disabling old accounts when people leave an organisation or reassigning appropriate access when people change job functions within the same organisation."


