Is CyberLiability Insurance Becoming A More Feasible Risk Management Strategy?

The cyberinsurance market today represents only a tiny segment of the overall insurance industry, and a recent Forrester paper on the topic identified that only a very small percentage of organizations that have purchased business insurance have also purchased cyberinsurance. Many insurance companies, however, are now estimating a period of significant growth in this area, and recent conversations suggest that more companies are either interested in this coverage or have recently purchased such policies.

I'm interested to know where your organization sits on this topic. If you have a minute, please respond to our short poll on the topic.


------------------------------------------------------------------------------------------------------

7/22 UPDATE - An interesting story which seems to suggest that Sony may be trying to leverage existing 'traditional' insurance policies to cover its recent cyber-losses, much to the annoyance of the insurer... http://www.theregister.co.uk/2011/07/22/sony_breach_insurance/

In the unlikely event that Sony do manage to get the insurer to pay, that would be an interesting development for the future of cyberliability insurance...

In Cloud-Friendly Web Services Security, "There Is No Enterprise." Wait. What?

“There is no enterprise — the work we do is a collection of people that dynamically changes through a mix of organization control.” That’s what I heard from one venerable old construction company while working on my new research report, Protecting Enterprise APIs With A Light Touch. I wanted to investigate how enterprises are using and securing lightweight RESTful web services, and in particular to figure out the problems for which OAuth is well suited. (You might recall my request for feedback in a prior post.)

What I found was that forward-thinking enterprises of many types – not just hip-happenin’ Web 2.0 companies – are pushing service security and access management to the limit in environments that can truly be called “Zero Trust,” to use John Kindervag’s excellent formulation. This particular firm dynamically manipulates authorizations to control access to a variety of innovative lightweight APIs on which the whole company is being run, not actually distinguishing between “internal” and “external” users. They’ve kind of turned themselves inside-out.
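The pattern described above, as an added example that is not code from the post or from the construction company it describes: a small Zero Trust authorization check for a lightweight REST API. Every request, whether it comes from the office LAN or the public internet, carries an OAuth 2.0 bearer token; the API trusts nothing about the network path, validates the token's signature, expiry and audience, then checks the token's scopes against the endpoint. The token format (an HMAC-signed JSON blob standing in for a real JWT or an opaque token resolved by introspection), the signing key, the audience string, the scope names and the revocation set are all assumptions made for the example.

```python
"""Added example: network-agnostic, token-based authorization for a REST API.

Assumptions (not from the original post): a hypothetical HMAC-signed token
format, the shared signing key, the audience "orders-api", the scope names,
and an in-memory revocation set standing in for dynamic grant management.
"""
import base64
import hashlib
import hmac
import json
import time

SIGNING_KEY = b"demo-key-not-for-production"  # assumption: shared with the auth server
AUDIENCE = "orders-api"                         # assumption: this service's identifier

# Endpoint -> scope required. One table for every caller; there is no
# "internal" network that gets to skip it.
REQUIRED_SCOPE = {
    ("GET", "/orders"): "orders:read",
    ("POST", "/orders"): "orders:write",
}

# Subjects whose grants were pulled. Consulted on every request, so access
# can be changed without redeploying anything (assumed stand-in for a real
# policy store or token introspection endpoint).
REVOKED = set()


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_token(subject, scopes, ttl=300, now=None):
    """Stand-in for the authorization server: mint a short-lived signed token."""
    now = time.time() if now is None else now
    claims = {"sub": subject, "aud": AUDIENCE, "exp": now + ttl, "scope": " ".join(scopes)}
    body = b64url_encode(json.dumps(claims, sort_keys=True).encode())
    sig = b64url_encode(hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"


def verify_token(token, now=None):
    """Return the claims if signature, expiry and audience check out, else None."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 2:
        return None
    body, sig = parts
    expected = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest()
    try:
        if not hmac.compare_digest(b64url_decode(sig), expected):  # constant-time compare
            return None
        claims = json.loads(b64url_decode(body))
    except (ValueError, json.JSONDecodeError):
        return None
    if claims.get("aud") != AUDIENCE or claims.get("exp", 0) <= now:
        return None
    return claims


def revoke(subject):
    """Dynamically pull a subject's access; takes effect on the next request."""
    REVOKED.add(subject)


def authorize(method, path, headers, source_ip, now=None):
    """Zero Trust decision. source_ip is recorded for logging, never used for trust."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return 401, "missing bearer token"
    claims = verify_token(auth[len("Bearer "):], now)
    if claims is None:
        return 401, "invalid or expired token"
    if claims["sub"] in REVOKED:
        return 403, "access revoked"
    needed = REQUIRED_SCOPE.get((method, path))
    if needed is None:
        return 404, "unknown endpoint"
    if needed not in claims["scope"].split():
        return 403, f"scope {needed} required"
    return 200, f"ok for {claims['sub']} from {source_ip}"


if __name__ == "__main__":
    tok = issue_token("alice", ["orders:read"])
    hdr = {"Authorization": "Bearer " + tok}
    print(authorize("GET", "/orders", hdr, "10.0.0.5"))      # LAN caller: allowed by scope
    print(authorize("GET", "/orders", hdr, "203.0.113.7"))   # internet caller: same answer
    print(authorize("POST", "/orders", hdr, "10.0.0.5"))     # missing scope: 403
```

The point to notice is that the two calls from different networks get identical treatment: the decision rests on what the token proves, not on where the packet came from, and changing a grant (revocation, a different scope set on the next token) changes access without touching the API.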


InfoSec In The Supply Chain

The importance of data security throughout the supply chain is something we have all considered, but Greg Schaffer, acting deputy undersecretary of the National Protection and Programs Directorate at the Department of Homeland Security, recently acknowledged finding instances where vulnerabilities and backdoors have been deliberately placed into hardware and software. This risk has been pondered before: in 1995 we watched Sandra Bullock star in "The Net," which addressed this very issue. However, the candor of Mr. Schaffer’s admission means that it can no longer be categorized as "Hollywood hacking" or a future risk.

The potential impact of such backdoors is terrifying, and it is easy to imagine crucial response systems being remotely disabled at critical moments in the name of financial or political advantage.

If we are dedicated to the security of our data, we must consider how to transform our due diligence process for any new product or service. How much trust can we put in any technology solution where many of the components originate from lowest-cost providers situated in territories recognized to have an interest in overseas corporate secrets? We stand a chance of finding a keylogger when it’s inserted as malware, but if it’s built into the chipset on our laptops, that’s an entirely different challenge… Do we, as a security community, react to this and change our behavior now? Or do we wait until the risk becomes more apparent and widely documented? Even then, how do we counter this threat without blowing our whole annual budget on penetration testing for every tiny component and sub-routine? Where is the pragmatic line here?


Does The Mobile Internet Mean The Death Of User Privacy?

Innovations in mobile technologies are making the mobile Internet increasingly ubiquitous and powerful. Consumers are drawn to the mobile Internet because it can be highly contextual and leverages information such as geo-location, presence, and user-specific information to deliver a rich and intensely personal experience.

As my colleague Julie Ask pointed out in her new report eBusiness: The Future Of Mobile Is User Context, companies that produce consumer products and services will increasingly take user context into account to produce convenient products with relevancy and immediacy for consumers. Location-aware applications are already commonplace; our movements as individuals are invariably documented somewhere.

Our phones are packed with sensors that can gather more contextual information about their surroundings than anything we’ve seen before. Sensors such as GPS, accelerometers, gyroscopes, NFC, and high-resolution cameras are now commonplace in smartphones. Emerging sensor technologies like barometers, microbolometers, and chemical sensors will provide even richer user context information.

Soon your phone will not only know where you are, but what you are doing, how fast you are moving — and if Apple gets their way, the rate your heart beats!

