Why having the best cybersecurity software isn't enough

Choosing the right cybersecurity software can help businesses defend themselves, but it’s not enough to fully manage cyber risk.


Recently, Marsh announced that it was banding together with several global insurers to assess the best cybersecurity technology available to businesses.

It’s terrific to see the insurance industry collaborate on cybersecurity, and the resulting program, called Cyber Catalyst, meets an important need: helping businesses make more informed choices about their cybersecurity software.

The financial consequences of poor cybersecurity are severe. Earlier this year, an Accenture report estimated that cybercrime could cost U.S. companies $5.2 trillion by 2024. That’s almost the size of the economies of France, Italy and Spain combined. And with many insurers entering the fray with cyber insurance, collaboration to mitigate cyber risk makes sense. Especially within a global business environment, it’s important to secure global supply chains from hacking risk. What’s more, a collaborative industry assessment of cybersecurity technologies can help weed out sub-par offerings.

The Marsh initiative is encouraging and builds on the work of several of the large brokers in highlighting what’s needed to help manage cyber risk. There are also several companies that rate the cybersecurity of a business. These are all good developments, but security designations are only part of the solution.

Technology only works when it’s properly deployed, supported and maintained—and that requires the right talent. Unfortunately, there’s a shortage of security talent right now, which means many organizations lack the right people to help them mitigate risk. Think of the right cybersecurity technology as your dream sports car, and talent as the keys. Without the keys, you’re just sitting in the car. Wouldn’t you rather get on the open highway?

In addition to having the right talent to deploy cybersecurity technology, organizations need to be able to integrate the technology into broader business systems. This means having the right processes, policies and governance in place. How will the tools be used? How often will they be updated? How quickly must patches be implemented? Equifax had all the right vendor tools in place, but outdated security practices — notably, failing to patch a known security vulnerability — led to the largest security breach to date.

Another Equifax vulnerability was in its underlying technology: the web-facing system that enabled consumers to check their credit ratings was five decades old. Many companies run old or out-of-date systems for good business reasons, and in today’s global marketplace, may be cobbling together several legacy systems. That’s not a problem in and of itself—but it can create compatibility problems with the latest tools, and so the security weaknesses may not be addressed.

Finally, even with the smartest talent, stringent policies and up-to-date technology, cybersecurity has one huge blind spot. Trusted users, such as employees, vendors and other third parties, are vulnerable to social engineering and credential theft. With compromised credentials, an attacker can swiftly bypass even the most rigorous technologies.

The only way to really understand a company’s security profile is to test, test and test again. Penetration tests are an important tool, but even these aren’t enough. Businesses need to think like attackers, but many aren’t naturally inclined to do this. Red teams can help here. According to the Financial Times, technology giants “use red teams to try to hack their own software, knowing that if they relied on software producers to judge this they would overlook many holes and vulnerabilities.”

Picture a Venn diagram. In one circle, there’s proactive, comprehensive control testing by red teams. In the other, there’s successful, consistent deployment of cybersecurity measures and all it entails: the right talent, processes, technology stack and training to prevent social engineering. Where those circles don’t overlap, organizations can tighten up their cybersecurity defenses — or leave a vulnerability that lets hackers in.

Addressing cybersecurity is going to take every idea we can muster to help turn the tide, and collaboration within the insurance industry is a step in the right direction. That said, there’s an opportunity to do more, and I hope that insurers will continue to take the lead to help organizations shore up their cyber defenses.

Nadine Moore is the cybersecurity lead for insurance at Accenture. This contributor can be contacted through the Accenture website. These opinions are the author’s own.
