
posted by Fnord666 on Wednesday April 12 2017, @12:14AM
from the really-big-protection-money dept.

An Anonymous Coward writes:

According to Technology Review, some business leaders have decided that cyber attacks are just another fact of life and they might as well give up on fixing the problem through IT. And buy insurance instead.

Of course, now the insurance companies have the problem of calculating risk and accompanying premiums.

People are starting to view cybersecurity as a business risk instead of an IT problem, says Arvind Parthasarathi, CEO of Cyence, a three-year-old firm that helps insurers model cyber risks. That means recognizing this is not a problem with a clear solution, but a risk that can be managed, though not eliminated. Now, says Parthasarathi, executives are asking, "How much risk am I comfortable keeping?"

Insurers are asking the same question as they try to determine how to price new cybersecurity policies. The modern cyber threat is complex and rapidly evolving. The most pressing challenge is quantifying the risk of a cyber catastrophe hitting many policyholders at once, estimating the maximum loss in the worst-case scenario. That's what insurers failed to do before Hurricane Andrew. [Which caused some insurance companies to fail.]

A cyber disaster comparable in scale with Hurricane Andrew is hard to model in part because one hasn't happened yet. Last October, we got a glimpse of one way such a calamity might unfold when hackers used a network of commandeered webcams, DVRs, and other Internet of things devices to launch a massive denial of service attack on Dyn, a major router of Internet traffic. [...] The cost of the Dyn attack is not yet clear, but a recent four-hour outage of Amazon's S3 cloud storage system (which was not the result of a cyberattack) cost S&P 500 companies at least $150 million, according to an estimate from Cyence. It is not hard to imagine a large-scale attack on a cloud service causing billions in losses.

The article covers other cases including losses from a really major attack.

Your PHB said that your security requests were too expensive. And now he (or his bosses) have decided that it's not even possible to be secure. Time to throw in the towel?

  • (Score: 2) by krishnoid on Wednesday April 12 2017, @12:18AM (1 child)

    by krishnoid (1156) on Wednesday April 12 2017, @12:18AM (#492540)

    A cyber disaster comparable in scale with Hurricane Andrew is hard to model in part because one hasn't happened yet.

    Could they model it using Hurricane Andrew for scale?

    • (Score: 0) by Anonymous Coward on Wednesday April 12 2017, @12:34AM

      by Anonymous Coward on Wednesday April 12 2017, @12:34AM (#492547)

      Andrew might not be big enough? After all, it seems reasonable to guess that the property insurance companies thought they were charging high enough premiums...until Andrew came along and caused the failure of several large insurers.

      There are different kinds of cyber problems. Some businesses (like the big Target crack) may lose their customers for a long period. Other businesses might lose sales one day and gain them back the next once the problem has been cleared. Airlines can't do that; they already run most of their planes near capacity, so a day lost is income that will never come back. And there are probably many cases in between these extremes.

  • (Score: 3, Funny) by krishnoid on Wednesday April 12 2017, @12:26AM

    by krishnoid (1156) on Wednesday April 12 2017, @12:26AM (#492544)

    Your PHB said that your security requests were too expensive. And now he (or his bosses) have decided that it's not even possible to be secure. Time to throw in the towel?

    Sort of?

    1. Decide it's not possible to be secure
    2. Get bids from insurance companies for cybersecurity insurance
    3. Get discounts by implementing what the insurance company identifies as good security practices/risk mitigations
    4. Your boss determines how much work s/he wants you to do to get those discounts
    5. Throw in the towel
    6. Apply for a job as a cybersecurity actuary [cnn.com]
    7. Enjoy life!
  • (Score: 4, Insightful) by jmorris on Wednesday April 12 2017, @12:34AM (4 children)

    by jmorris (4844) on Wednesday April 12 2017, @12:34AM (#492548)

    Don't despair, this is a good sign. It means the suits are finally starting to realize they could be on the hook for Sagans if things go sideways, and of course their first instinct is to insure it away. But if you will remember, it was the insurance companies that built Underwriters Labs, not the government and not the industries who built the faulty electrical wiring and appliances that were burning down homes left and right. Once they laid down the law and told homeowners that if they bought stuff with the UL logo their home was insurable, and if they didn't they were on their own if it burnt down, those customers quickly got the hint and so did the manufacturers.

    Wait until a major insurer says Microsoft Windows (Desktop or Server) isn't insurable at any standard premium rate. SHTF time. Then of course it won't stop there. Wordpress? Think they will insure anything on a site with that roach motel on the same wire? Anyone using software utilizing Agile development? No, twenty years from now we would see Software Development for Enterprise use really become an engineering discipline, and crap wouldn't break all the time anymore. Probably wouldn't see major versions drop several times a year anymore, but will that be a bad thing?

    • (Score: 0) by Anonymous Coward on Wednesday April 12 2017, @01:15AM

      by Anonymous Coward on Wednesday April 12 2017, @01:15AM (#492561)

      Close on the first point, according to https://en.wikipedia.org/wiki/William_Henry_Merrill [wikipedia.org]

      Professionally: Merrill began his career as an electrical engineer in Boston, Massachusetts. In 1893, he was sent to Chicago, Illinois to investigate the World's Fair Palace of Electricity. He was hired by insurers for the World's Columbian Exposition to examine the safety of the electrical wiring in the Palace of Electricity. This experience led him to found Underwriters Laboratories.

      Merrill was an MIT grad and the gig at the World's Fair gave him the idea to start UL as a testing and standards lab. Not quite the same as if the idea came directly from a person(s) within the insurance industry.

      Sadly, we probably can't count on UL to pick up the gauntlet for software security, from https://en.wikipedia.org/wiki/UL_%28safety_organization%29 [wikipedia.org]

      UL has expanded into an organization with 64 Laboratories, testing and certification facilities serving customers in 104 countries. It has also evolved from its roots in electrical and fire safety to address broader safety issues, such as hazardous substances, water quality, food safety, performance testing, safety and compliance education and environmental sustainability.

      In 2012, UL transformed from a non-profit company into a for-profit corporation.

      It's hard for me to see any for-profit company filling this role.

    • (Score: 3, Interesting) by krishnoid on Wednesday April 12 2017, @01:23AM

      by krishnoid (1156) on Wednesday April 12 2017, @01:23AM (#492565)

      And finally, it will be the insurance companies that end up instilling software development best practices.

    • (Score: 0) by Anonymous Coward on Wednesday April 12 2017, @01:50AM

      by Anonymous Coward on Wednesday April 12 2017, @01:50AM (#492574)

      Would solid security design and a lack of "new shiny" every year be a bad thing?

      Easy, NOPE!

    • (Score: 2) by tibman on Wednesday April 12 2017, @06:16PM

      by tibman (134) Subscriber Badge on Wednesday April 12 2017, @06:16PM (#492961)

      hah, agile leads to defective software? I'll tell you what leads to defective software. Not writing unit tests. The duration of your design/program/release cycle has nothing to do with bugs. It has to do with customer feedback. If you want to talk about one of the defining things between a software developer and a software engineer, I would say it is unit tests (of any kind).

      --
      SN won't survive on lurkers alone. Write comments.
  • (Score: 2) by Grishnakh on Wednesday April 12 2017, @12:36AM (2 children)

    by Grishnakh (2831) on Wednesday April 12 2017, @12:36AM (#492549)

    Hopefully, any insurers stupid enough to get into this business will be bankrupted when some company doesn't bother writing secure code and gets hacked.

    • (Score: 3, Interesting) by bob_super on Wednesday April 12 2017, @12:40AM

      by bob_super (1357) on Wednesday April 12 2017, @12:40AM (#492552)

      I foresee a really bright future for forensic guys paid by insurers to prove that inappropriate measures were taken, and therefore, according to fine print that the PHB can't understand, claims should be denied...

    • (Score: 3, Interesting) by Snotnose on Wednesday April 12 2017, @01:37AM

      by Snotnose (1623) on Wednesday April 12 2017, @01:37AM (#492570)

      Yeah, the only way I see insurers coming out ahead here is to form a team of security professionals that can evaluate each client's security. Thoroughly. Updated every few months. That's gonna cost some big bux on top of the assumed risk.

      These teams will soon learn the biggest risk is from various TLAs, and learn how to mitigate the damage the TLAs' tools can cause. At which point they realize they can make 10x the money by going rogue and using those tools.

      If I were an insurance company I wouldn't go near insuring against cyber-attacks. When the government is the biggest risk you face, you're gonna lose.

      --
      When the dust settled America realized it was saved by a porn star.
  • (Score: 2) by kaszz on Wednesday April 12 2017, @12:40AM

    by kaszz (4211) on Wednesday April 12 2017, @12:40AM (#492553) Journal

    Your PHB said that your security requests were too expensive. And now he (or his bosses) have decided that it's not even possible to be secure. Time to throw in the towel?

    Instead the PHB will be billed the actual cost of IT incompetence right now. The economic bottom line will enlighten the boss, and if not, competition will happily take the business away.

    The big question is what is good IT practice? One should not assume insurers have good insight...
      * Servers running open source? (Microsoft sponsoring subversion?)
      * Cloud computing so you can be spied upon...
      * RAID or ZFS?
      * Backup routines?
      * Inflated degrees? (must have compsci PhD to put the backup tape onto the shelf)
    What could go wrong...

    As soon as non-technical people get involved, it seems fubar is inevitable.

  • (Score: 4, Insightful) by Runaway1956 on Wednesday April 12 2017, @01:07AM (4 children)

    by Runaway1956 (2926) Subscriber Badge on Wednesday April 12 2017, @01:07AM (#492558) Journal

    Think about it. Suits in the insurance industry are going to tell us how our computers should run.

    They will approve of a small list of operating systems - currently, only Windows 8 and Windows 10.
    The presence of dozens of programs on your computer will render your insurance null and void - torrenting is out, Bitcoin is out, anything that the insurance company doesn't approve of.

    The old concept of police-ware will be forced on you, but it will be "alright" because it's the insurance company's warez, not the police.

    You will be required to route all of your traffic through an insurance company approved router, which will block access to third world countries, among other things.

    If you do a search on any medical condition, expect your insurance company to know about it, and require you to submit to a physical.

    Holeee SHIT - I don't like much that the insurance companies do today. I will truly hate the day that insurance companies barge onto the internet, and start running things.

    • (Score: 0) by Anonymous Coward on Wednesday April 12 2017, @01:23AM (3 children)

      by Anonymous Coward on Wednesday April 12 2017, @01:23AM (#492564)

      Delusions of grandeur?

      The story is about a national or international "cyber catastrophe" and businesses with losses of many $M or $B. No matter how many of your personal computers are taken out, it won't count as a catastrophe (well, maybe for you, but not anyone else).

      • (Score: 2, Troll) by Runaway1956 on Wednesday April 12 2017, @02:40AM (2 children)

        by Runaway1956 (2926) Subscriber Badge on Wednesday April 12 2017, @02:40AM (#492584) Journal

        You're not picturing this thing on a grand enough scale. The country (business and government) grows fearful of all that liability, so they hand off liability to the insurance companies. Those companies start writing "best practices" policies, and requirements for coverage. The insurance companies note that the common sheeple pose no threat - and those sheeple are all using the latest Microsoft offerings. After much negotiation, it is determined that the Unix-likes all pose threats to the insurance companies' "secure model". Hell, the browser you use could eventually be dictated by insurance companies - we'll all use Edge to connect to business, banking, or government sites, because everything else poses a threat of some sort.

        It isn't just me, FFS, it's the whole nation.

        Look at your work environment. Neither you, nor me, nor any other person in this country is smart enough to determine when we should put on a pair of safety glasses. Because the insurance company says so, you wear your safety glasses from clock-in to clock-out, unless you're in the restroom, or the breakroom. Hard hats, if applicable, never come off of your head. I wear steel toes by choice, but people who don't have to wear them anyway. I could go on and on about the silly crap that insurance companies already make us do. You should revisit the history of seat belt laws. Almost every state strongly resisted the enactment of seat belt laws, but the insurance companies lobbied the feds to do an end run around constitutional questions. And - today, almost everyone is brainwashed into doing the insurance companies' bidding. You don't even realize that you're brainwashed because you grew up with all the bullshit. You believe that only an idiot would CHOOSE to not use a seat belt.

        • (Score: 2) by linuxrocks123 on Wednesday April 12 2017, @03:39AM (1 child)

          by linuxrocks123 (2557) on Wednesday April 12 2017, @03:39AM (#492599) Journal

          You believe that only an idiot would CHOOSE to not use a seat belt.

          Yeah, I do believe that, because every reputable analysis and all first-hand evidence I've encountered in my life indicate that seat belts dramatically increase the safety of the car occupants who use them. They are, according to all reasonable evidence and analyses I've encountered, one of the single most effective and inexpensive car safety inventions of the last 50 years. They probably saved the life or prevented the serious injury of at least one of my family members. Using a seat belt has a downside of zero or close to zero and a huge, huge upside.

          I should know better than to argue with you by now, but railing against Big Seat Belt is a new level, even for you. Why, exactly, do you think not wearing a seat belt is a reasonable life choice? I'm not asking for you to argue against seat belt legislation, because that's not what you said. You think seat belts shouldn't be mandatory, because Libretardianism or something, whatever. That's not what you said. You said people who think using a seat belt when in a car is the totally obviously correct choice to make as an individual are brainwashed. So: why?

          Oh, and don't talk about infants or whatever. The government's car safety publications talk about the special things you need to do to keep infant car occupants safe, so we know they need special handling. As an adult human of average weight and height, why should I not use a seat belt in a car? Please un-brainwash me.

          • (Score: 0) by Anonymous Coward on Wednesday April 12 2017, @07:09AM

            by Anonymous Coward on Wednesday April 12 2017, @07:09AM (#492646)

            Even those baby things are of no statistical benefit over wearing a seat belt and sitting in the back seat from about the age of 2 years. Most of the benefits to infants are just not sitting in the front seat, or jumping around loose in the car. All the other fancy shit is barely better than just a seat belt in the back seat. Which obviously is life saving.

  • (Score: 1, Funny) by Anonymous Coward on Wednesday April 12 2017, @03:15AM (1 child)

    by Anonymous Coward on Wednesday April 12 2017, @03:15AM (#492595)

    If you run Linux it'll cost you $12.99/year. If you run Windows it'll cost you $1200.00/month.

    • (Score: 1) by anubi on Wednesday April 12 2017, @06:58AM

      by anubi (2828) on Wednesday April 12 2017, @06:58AM (#492645) Journal

      It will be much cheaper for them to simply insist on a "hold harmless" clause in their contract.

      The only concrete thing in the business contract should be legal language insuring they get paid in full with a valid financial instrument.

      --
      "Prove all things; hold fast that which is good." [KJV: I Thessalonians 5:21]
  • (Score: 2) by linkdude64 on Wednesday April 12 2017, @03:10PM

    by linkdude64 (5482) on Wednesday April 12 2017, @03:10PM (#492801)

    Once they begin to backtrace, the consequences will never be the same.

  • (Score: 0) by Anonymous Coward on Wednesday April 12 2017, @04:34PM (1 child)

    by Anonymous Coward on Wednesday April 12 2017, @04:34PM (#492867)

    Insurance co's could require customers to follow certain policies to qualify for coverage, and even audit them. However, something tells me companies will either balk at the cost of the requirements, or get sloppy and skip them over time such that they won't qualify for reimbursement when bleep actually happens.

    Following the requirements AND paying for insurance will be viewed as too much by the typical PHB. They'll look for ways to cut corners.

    • (Score: 2) by DannyB on Wednesday April 12 2017, @06:08PM

      by DannyB (5839) Subscriber Badge on Wednesday April 12 2017, @06:08PM (#492957) Journal

      Look at the PCI compliance requirements to accept credit card information. That is a good starting point. They have TONS of documentation about security practices and isolation. It would cost more, but it would be good if everyone jumped through those hoops to get PCI compliance. Sort of like requiring UL approval. Especially for IoT devices. (Note: remote credit card terminals are in some sense like IoT devices.)

      --
      When trying to solve a problem don't ask who suffers from the problem, ask who profits from the problem.