There is a major move today by companies towards the adoption of cyber insurance due to a change in the perception of cyber-attacks from one-off situations to an ongoing problem, Evolver VP Chip Block told ITWatchIT in an exclusive interview. One of the ways to improve consumer confidence in IoT devices is the development of security and performance standards, said Block, who also advocated for the micro-segmentation of networks and data storage to reduce the value of potential hacks.
More Companies See Value In Cyber Liability Insurance
Cybersecurity isn’t new, just that the volume and the nature of the threats have changed. Cyber insurance is growing dramatically fast; if you look at the NetDiligence reports, the Verizon DBIR reports and the Gartner reports, you will see growth of up to fifty percent or more. It is about a $2 billion market now and is projected to go to $7 billion by 2020. The reason for this growth is that our perception of cybersecurity has changed from a problem that needed to be fixed to a risk that will always be there. It is certainly becoming less of a problem where we go get engineering to solve the problem to something that will always be a possibility.
In terms of scope, the breach may be a little issue such as someone putting a smiley face on your website, to something catastrophic where a major system is brought down, such as a power grid. The ranges of impact are quite large, so once you get to the involvement of risks, then insurance comes in because that’s what they do. They allow companies and individuals to transfer risks from themselves to the insurer to handle certain situations and cases. What we are seeing is that this is a major move right now by most companies.
Any company that does not have cyber insurance currently needs to look at that very hard. Just like we have insurance in other areas of our lives, such as property insurance in case something bad happens, having no protection for your company leaves you open to great losses if you got hacked, had a major data breach or lost personnel information. Insurance allows you to have a certain level of confidence that you can transfer some of the risk to the insurer.
IoT Adds Another Dimension To Cybersecurity Insurance
The growth of the Internet of Things is actually just starting and will accelerate. This is due to the advantages it provides to us in our private lives and also the economic value. The benefits are huge, but we have to think of the negatives, especially the challenges from the security perspective. Even though that Internet of Things device that reports your heartbeat to your doctor may save your life, more focus should be placed on the basic protections of such devices.
They should have a UL-type capability so that at the minimum, when you go to buy something as a consumer, you have some level of assurance that the device won’t allow somebody to gain control and cause physical harm. It doesn’t necessarily have to be a government agency, but I do believe the government can provide some level of expected standards or performance that could address that.
Do IoT Benefits Outweigh The Risks Considering Self-Driving Vehicles?
You’ve probably found the one person who has a positive view on the cyber world in the sense that it will get better. Do you feel safer on the road with autonomous cars or with drunk drivers? We have to look at the total risk picture. The other important part is the motivation driving the people hacking these vehicles. Is it a terrorist activity or someone who wants to hold car dealers to ransom with ransomware?
For a large-scale hacking of cars to happen, the person has to have a motive to do that, and that hasn’t happened yet, even though it may. When it does, then that might change how we develop the cars. The biggest challenge with automobiles right now is that the development cycle is so long. That is somewhat of a risk in the sense that if you had a vulnerability that could be exploited, how quickly can you fix it?
If the answer is two years, then you have a problem. On the other hand, if the answer is for the consumer to drive down to the dealer and the issue is resolved by the next day, or they send out a patch to every car like that in the world and it is solved in an hour, then that would be a better option.
How Does The Need For Privacy Affect Security?
This is a decision that we all have to make because it is a personal decision in many ways and the average citizen has to walk somewhat of a line. For instance, we want our phones to be able to tell us when our favorite things are on sale, or for navigation systems to tell us about upcoming turns, or even for our banks to tell us about our account activities. You can’t do these things without telling the technology certain things about yourself. If you want to tell Amazon about your shopping habits, then you’re giving up information.
The question is how much you want to give up versus how your privacy is protected. It’s a line that the company and individual walk and will be an ongoing issue. The big issue with privacy, where things get complicated, is when you start talking about multiple systems, multiple applications and multiple databases all sharing information. You realize that you just gave a system your phone number, and that system talks to another one that connects your phone number to your name and another one makes the connection to your social security number.
The privacy issue is now glaring even though none of those systems had any of that data congregated in one place. From a technology perspective, it is going to be our greatest challenge because the average consumer wants to be more connected and for their devices to tell them more things, but how much do you want to give to that technology in order to get that information?
How To Prevent SWIFT-Type Breaches
The major breaches that we have today are somewhat an architectural issue, and I think we are already changing that. In the IT industry, we went through a period of time during the late to early 2000s when consolidation of data was a big deal. The problem with that is the value of a hack goes up dramatically because if I get in, then I get everything. I think that a change in the architecture with how we build our systems, both micro-segmentation of networks and micro-segmentation of data storage, will start to reduce the value of some of these attacks.
Right now, most of our systems are built in such a way that when you get to the core data you get everything. This is an economic problem in the sense that the cost of attacks keeps going down while the cost of defense keeps going up. If we can reverse that trend so that the costs of attacks go up while the cost of defense goes down, then we might have a solution.
When I refer to cost, it includes how much effort it takes to get into a system and the value of the assets that you get once you are in. If it is hard to get into a system and once you get in there, you only get a small fraction of data, the value of the hack drops and the cost goes up, then the incentive to conduct the attack also drops.
In today’s world, there is a rather rapid move so that the phone you have in your pocket may be provided by you and not your company. The applications and capabilities that you need to do your job would be loaded onto your phone, not the company’s phone. This creates a security issue and the company has to come up with a way of allowing that flexibility while not dramatically increasing the risk of a security problem if your phone got lost or hacked because the company is not overseeing that device.
You also run into the challenges of the segmentation of information between company data and private data. As the world moves more towards BYOD, there’s an engineering discussion and strategy session of figuring out if that is a policy that a company wants to achieve. Is it worth the risk and what is the benefit? There are a number of benefits because the employees are more connected to the company, you are reducing your costs when you are not buying a lot of devices and you are able to integrate the workforce better.
Big Data Management
Most of our clients require big data management services, including the Department of Commerce – we are talking about the collection of very large amounts of information. With regards to ediscovery, we collect very, very large amounts of data that has to be analyzed for evidence that can be used in a court case. On the cyber side, we are working with large log files of information, trying to determine where there might be a threat.
Through all of that is an infrastructure requirement that you are providing solutions to the clients in a way that is fast, user-friendly and not exceptionally expensive. When you get into the actual applications of technologies, we can work with different vendors who provide some of the newer visualization technologies. We don’t develop new analytical software ourselves, but we create an environment to allow the ones that have been created to work and be advantageous to our clients.
We have our own data processing centers and our clients range from mid-level companies upwards. Many of them are Fortune 100 companies, large-scale corporate clients, major law firms and some federal agencies. We do both federal and commercial work and our federal clients are fairly broad. They include the Department of Commerce, Social Security Administration, Department of Human Services and Department of Homeland Security. Our commercial clients include legal, automotive and financial sectors. We have over 300 employees and most of our operations are in the D.C. area, with some work in Denver and San Francisco.
Speaker: Chip Block
Position: Vice President of Market Management, Evolver
Clifford “Chip” Block leads new market and technology development at Evolver to include corporate business development, marketing, branding and overall market strategy. He has over 30 years of advanced technology creation, development and marketing for the federal and commercial market space. Chip’s experience includes leading several major groups and companies in the development and market introduction of new technologies.
Evolver helps clients achieve long term success by anticipating, preparing for, and managing the changes that inevitably impact their mission. From identification of desired outcomes, through solution development and implementation, they plan for and integrate the critical building blocks of success ‐ technology, processes, and resources. Headquartered in Reston, Virginia, Evolver has grown to over 300 employees, established two international subsidiaries, and continues to expand their client base in both the federal and commercial markets.