Insurers have been making significant investments into their cybersecurity over the past few years, but digital security experts say that New Zealand companies may have been investing in the wrong approach, and, as a result, they are now as vulnerable to cyberattacks as they ever were.
Thales director for ANZ Brian Grant said that while companies have been working hard to protect their people from hackers and breaches, New Zealand has seen a high number of successful cyberattacks in recent years.
He said this is often down to security systems that rely on people to not make mistakes, rather than protecting their data from the get-go - something he says needs to change, and be replaced with a ‘zero trust’ strategy.
“Even though they’ve been making enormous investments into cybersecurity, companies are still not getting the outcome they expect,” Grant told Insurance Business.
“We’re trying to protect people by creating usernames and passwords, trying to make people better at not clicking on things, and so on. But the very nature of it is we’re human, and we make mistakes, and trying to prevent people from making mistakes is almost impossible.”
“What we’ve been saying to the market is that while you need to know how to work in a digital world and how to do it correctly, you’ve got to stop having people’s privacy exposed and compromised because of bad systems,” he explained.
“We’re trying to get them to move to this concept of ‘embedded’ data security, rather than trying to defend people and networks. For example, if you go to an insurer’s website and enter some personal information, an ‘embedded’ data security system would immediately anonymise that data right there and then.”
Grant noted that the ‘traditional’ approach to protecting data would be to secure it in a database after it is collected, leaving time between the collection and the storage where it is vulnerable to a breach.
He said that insurers need to look at encryption systems that protect data immediately and to do it continuously, rather than adopting a ‘one-off project’ approach to security.
“You can’t control threats, but you can manage your own risk,” Grant said.
“If you anonymise and encrypt that data at the point of capture, you remove that whole risk period. That way, it doesn’t matter if someone actually gets compromised, because stealing that information is essentially stealing rubbish - the attacker is going to get no value out of it.”
“We’re seeing insurers paying more attention to cyber security, but they’re generally still investing in the wrong things,” he added.
“We work with some of the largest insurers in the world, and they’re not thinking strategically in terms of the risks they’re trying to avert. But the reality is that the digital landscape hasn’t been around for very long, we’re all relatively inexperienced in it, and a lot of us haven’t yet figured out what works.”
While organisations develop more comprehensive cyber security plans, Deloitte manager of cyber, privacy and resilience Werner Swiegelar said that he has also noticed an uptick of companies looking at cyber insurance, and particularly at the tools and protection it can offer before an event.
He said that companies looking to enhance their cybersecurity can definitely benefit from a policy - however, he noted that these can also be very complicated in terms of cost and cover, and so each business needs to carefully consider which policy is right for them.
“We’ve definitely seen an increase in organisations looking at cyber insurance,” Swiegelar said.
“It can certainly complement your cyber protection, and will help remediate the costs of a cyber breach in terms of a forensic investigation. It will help with your liability for the loss of your data, with paying any fines or penalties, and it can also assist with some business interruption costs if they were caused by a hack or malware attack.”
“When you’re considering cyber insurance, it’s very important to ensure that you understand your risk exposure,” he explained.
“If your controls are quite weak and you don’t understand your exposures, it’s going to be quite hard to make a claim if you’ve essentially left the front door open. You need to understand those complexities, as policies can vary a lot and there’s a lot of different cover and price ranges.”
“You should also ensure that you’re balancing your premium costs, and that you understand the cost of the policy versus the cost of your controls,” he added.
“For a small to medium enterprise, a policy ultimately may or may not be worth it, but you definitely need to do your due diligence.
“Lastly, make sure that you do have a robust incident management process. Most companies are likely to have or be exposed to a breach, so it’s really about making sure that you have a strong incident management programme in place before anything happens.”