Press: Security warranties: selling peace of mind
InfoTrust CEO Dane Meah and other prominent industry figures give their opinions on the rise of security warranties and insurance, and what it means for the industry.
At a time when data breaches seem to be reported every other day, and vendors constantly warn customers that the threat from cyber-criminals is real and growing, should end-user organisations look to security warranties and insurance for protection?
The cost of breaches
Crowdstrike made waves in June when it announced a $1 million “breach prevention warranty” as part of its Falcon Endpoint Protection Complete product.
The cyber-security vendor partnered with insurer AIG to bundle insurance with the product, at no extra charge, to cover “the costs incurred while responding to a data breach in the protected environment, including incident response, legal fees, notification, credit monitoring, forensic investigation and public communications expenses”.
The costs of responding to a security breach can be substantial. According to the 2018 Cost of a Data Breach Study by Ponemon Institute, the mean time to identify a data breach was 197 days, while the mean time to contain a breach was 69 days. Containing a breach within 30 days saved companies an average of over US$1 million compared to those who took more than 30 days to resolve a breach.
Crowdstrike partnered with underwriter AIG to set up the warranty, partly to provide confidence to customers.
“We’re trying to let our customers know that they can feel comfortable placing their trust in our comprehensive offering,” says Austin Murphy, VP of managed services at Crowdstrike.
“We want to demonstrate its quality. The warranty is one of the ways in which we do that.”
Having access to insurance could help to remove a barrier to mounting an effective response.
“Smart customers know that they need help if they get into this situation,” says Aaron Bailey, co-founder and chief information security officer at Sydney-based The Missing Link Security. “Being able to access insurance could assist with getting the help you need.”
Buyer beware
Warranties and insurance are still a relatively new part of the cyber-security landscape, and not all warranties are created equal. “I’m a bit on the fence about their usefulness,” says Bailey. “I’m not aware of people testing these policies.”
Which is an important point: is the insurance policy you’re paying for worth the paper it’s written on?
“Generally, I take a cynical view towards the majority of the insurances and warranties that are being offered in the market,” says Adam Barker, technical director at Adelaide-based IT solution provider SecureWare. He sees plenty of insurers, lawyers, vendors, and many others all jumping on the ‘cyber’ bandwagon in pursuit of what they see as a rich source of revenue.
Barker urges caution when evaluating cyber warranties and insurance. “In certain circumstances there is value to be derived with warranties and/or cyber insurance,” he says. “As with everything, the devil is in the details.”
“Insurers are learning more about this space and eventually premiums and payouts will be more tightly aligned to security maturity,” says Dane Meah, chief executive of Sydney-headquartered security specialist InfoTrust. “Organisations should consider implementing security governance frameworks, such as NIST, ISO or ISM as it’s likely these will be the ‘common language’ that is used to assess security maturity.”
One extra challenge is that the traditional buyer for insurance generally sits in the finance department, rather than in technology. Technology leaders should partner with their colleagues in finance to ensure that insurance and warranty decisions are informed by both financial and technology implications.
Wash your hands
Customers should take care not to spend up big on a fancy insurance policy and then think they’ve solved all their cyber-risk issues.
“Insurances may create a false sense of security as payouts are often limited to actual losses or damages,” says Meah. “Business disruption, loss of productivity and brand damage are difficult to calculate and rarely, if ever, recoverable.”
“Don’t get cyber-insurance and then do nothing else,” counsels Aaron Bailey. “You can have car insurance, but you still wear a seatbelt and drive carefully.”
A robust security approach is about much more than products and warranties or insurance. It’s about having a comprehensive approach to security across the business.
“So much of an effective security strategy is in the people and process,” says Crowdstrike’s Murphy. “Our technology is fantastic, but the most value can be driven from it if it’s being used appropriately by a team of experts.”
Murphy said that part of getting AIG to underwrite the Falcon Complete warranty involved having them understand the people and process side of the managed service.
“We worked a long time with AIG to really give them a deep-dive on the technology and the process we’re following,” he said. It was the overall approach to reducing customer risk, not just deployment of products, that helped AIG feel comfortable with underwriting the warranty.
Next steps
Insuring against cyber risks makes sense, particularly in a world where the risk of cyber-losses is high and increasing. The hard costs of responding to a breach can be substantial, and insurance could help you to ensure the job of cleaning up is done properly.
The difficulty at the moment is the relative lack of maturity of the offerings. Customers will need to take extra care that the warranty or insurance they’re paying for has real value, not just marketing value.
“In the long term we’re all for insurance and/or warranties in this space,” says SecureWare’s Barker. “However, neither are mature at the moment so care needs to be taken to best understand the real value.”
While the field is emerging, and still evolving, cyber-insurance is something businesses should definitely be looking at. “It’s still new, but not so new that you should ignore it completely,” says The Missing Link’s Bailey. There are plenty of channel partners who would be more than happy to help you to navigate the complexities.
Information security is a relatively new discipline, but the rise of insurance and warranties shows that it’s now being considered a core business issue rather than a niche technology problem. This is a very good thing, and shows that cyber-security is heading very much in the right direction.
To contact InfoTrust and find out how we can help mature your organisation’s cybersecurity posture, email info@infotrust.com.au or call us on +61 2 9221 5555.