Whether full-time, one day a week or from a dream destination (Auntie Germaine's house in Normandy or a hotel in Greece), teleworking is a new paradigm for work organization, team management and even information systems. What about risk management, in particular the Cyber risk associated with these new practices? And what exactly is the role of Cyber insurance in this context?
Telecommuting and Cyber Security
Teleworking is a reality for many employees, praised by some and decried by others. Teleworking (let's risk the truism) means working remotely.
This implies the use of equipment and services that are not fully under the control of your company (Wi-Fi, cell phones, printers, sometimes even laptops, ...) to access sensitive systems and data.
Popularized under the acronym BYOD ("Bring Your Own Device"), this trend appeared with the first smartphones, and allowed the happy owners of the latest mobile equipment not to "regress technologically" with the equipment provided by their companies.
The resulting concerns were and still are the same:
- Integrity of the mobile device (system updates performed, antivirus present and up to date, software installation restrictions...)
- Security of data exchanges (secure WIFI, VPN, ...)
- Multiple use of the terminal (including the famous "daddy/mommy lend me your phone")
Do I need cyber insurance?
Let's put ourselves in the head of a professional hacker for a moment.
Like any professional, he will seek to maximize his potential gain while minimizing the effort required. To do this, two main families of approaches are available to him: targeting and opportunism.
The case of targeted cyber attacks
If you are a really interesting target (industrial, political, research and development, ...), then you can expect to be targeted.
This approach relies on patient information gathering and social engineering sprinkled with phishing; once identified, your relatives can also be targeted...
Generally speaking, your employer also knows that you are an interesting target and you have at your disposal all the material and training required to protect yourself (or rather not to put your employer's information assets at risk).
At the hardware level: a "hardened" PC and cell phone, or at least ones under the total control of your IT department (real-time updates, limits on the installation of third-party software, etc.).
At the connection level: two-factor authentication, whether via a simple SMS or via cards or dedicated tokens that issue one-time passwords. At the communication level, the VPN will always be required to access remote resources, etc.
If you are lucky, you will also get training, simulated phishing attacks, audits, ...
Some interesting targets, especially in the healthcare sector, have not yet fully caught on to the interest they generate ... or the construction of their defenses is not (yet) up to the motivation of the attackers.
Cyber attacks by opportunism
If you think you are not an attractive target for an organized, possibly state-driven attacker, you are probably right. No hacker is going to make a major effort to penetrate the information system of the local coffee shop or the village mechanic.
However, there is a so-called opportunistic approach, and we will talk about it now.
Let's remember a fundamental characteristic of digital: the ease of duplication and automation.
If you are a wrecker luring potential victims by throwing bottles into the sea or lighting a big fire, the supply of raw materials (wood, bottles, paper, ...) can quickly become a limit on your little business.
A modern hacker can search for potential targets using scanning software that works quickly and at very low cost. These scanners explore thousands of IP addresses and websites, looking everywhere without a precise target but not without objectives: the tool searches for a precise list of flaws, badly closed doors, keys hidden under the flower pot, ...
To use the metaphor again, you don't need to enter a property to realize that the owners are away on vacation and have forgotten to close an upstairs window (too bad, because only the ground-floor windows are protected by bars). This is the role of the scanning software: to list the vulnerabilities, classify them by family and give the attacker a hacking action plan:
- Update XY has not been applied: one or more known flaws remain, and malicious software exists that can exploit them.
- The email server is not properly configured? It is then possible to impersonate the domain (spoofing) and mount a social engineering attack.
Let's stay on this last example for a few lines. The potential attacker knows that it will be easy for him to send emails under your domain name (the scanner has flagged it). Add a quick look at your activity, your turnover, and some information left online about your customers or your employees. A first phishing campaign within your company will then allow, for example:
- Installing ransomware in your systems (the attacker renders your sensitive data unusable and demands a ransom to restore it)
- Collecting enough information to launch a campaign sending invoices to your customers with a new RIB (bank account details) ...
- Etc.
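The "email server not properly configured" case above is one a company can check for itself before an opportunistic scanner does: the SPF and DMARC records a domain publishes in DNS tell receiving mail servers which hosts may send in its name and what to do with mail that fails. The following is an added example for this article, not the author's tooling; the TXT records it inspects are constructed for two hypothetical domains (a real check would fetch them from DNS), and it reports the settings that leave the door open to spoofing.

```python
"""Check a domain's published SPF and DMARC records for settings that let
anyone send mail in the domain's name.  Added example for this article, not
the author's tooling; the TXT records below are constructed, not real DNS."""

# Constructed TXT records for two hypothetical domains, keyed by DNS name.
SAMPLE_TXT = {
    "weak.example": ["v=spf1 ip4:203.0.113.0/24 include:_spf.mail.example ?all"],
    "_dmarc.weak.example": [],  # nothing published
    "strict.example": ["v=spf1 ip4:203.0.113.0/24 -all"],
    "_dmarc.strict.example": [
        "v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc-reports@strict.example; pct=100"
    ],
}

# SPF terms that cost a DNS lookup; more than 10 is a permanent error (RFC 7208 s4.6.4).
DNS_COSTING_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def spf_findings(txt_records):
    """Return a list of weaknesses found in the SPF record(s) of a domain."""
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if not spf:
        return ["no SPF record: any host may send mail claiming this domain"]
    if len(spf) > 1:
        return ["multiple SPF records: receivers treat this as a permanent error and ignore SPF"]
    findings = []
    lookups = 0
    all_qualifier = None
    for term in spf[0].split()[1:]:  # skip the "v=spf1" version tag
        qualifier = term[0] if term[0] in "+-~?" else "+"  # "+" (pass) is the implicit default
        body = term.lstrip("+-~?")
        name = body.split(":", 1)[0].split("/", 1)[0].split("=", 1)[0].lower()
        if name in DNS_COSTING_TERMS:
            lookups += 1
        if name == "all":
            all_qualifier = qualifier
    if all_qualifier is None:
        findings.append("SPF has no 'all' term: unlisted senders receive a neutral result")
    elif all_qualifier == "+":
        findings.append("SPF ends in '+all': every host on the Internet is authorised to send")
    elif all_qualifier == "?":
        findings.append("SPF ends in '?all': unlisted senders are neither passed nor failed")
    if lookups > 10:
        findings.append(f"SPF needs {lookups} DNS lookups (limit 10): evaluation fails, SPF is ignored")
    return findings


def dmarc_findings(txt_records):
    """Return a list of weaknesses found in the DMARC record of a domain."""
    dmarc = [r for r in txt_records if r.lower().startswith("v=dmarc1")]
    if not dmarc:
        return ["no DMARC record: receivers have no policy for mail that fails SPF/DKIM alignment"]
    tags = {}
    for part in dmarc[0].split(";"):  # "key=value" pairs separated by semicolons
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    findings = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("DMARC p=none: failures are only reported, never quarantined or rejected")
    elif policy not in ("quarantine", "reject"):
        findings.append("DMARC record has no valid p= policy")
    if tags.get("pct", "100") != "100":
        findings.append(f"DMARC pct={tags['pct']}: the policy applies only to a sample of failing mail")
    if "rua" not in tags:
        findings.append("DMARC has no rua= address: nobody receives the aggregate reports")
    return findings


def assess_domain(domain, txt=SAMPLE_TXT):
    """Combine SPF and DMARC findings for one domain; an empty list means nothing weak was found."""
    return spf_findings(txt.get(domain, [])) + dmarc_findings(txt.get(f"_dmarc.{domain}", []))


if __name__ == "__main__":
    for domain in ("weak.example", "strict.example"):
        print(domain, assess_domain(domain) or ["no weakness found"])
```

In the constructed data, `weak.example` is reported twice over (a neutral `?all` and no DMARC record at all), while `strict.example` comes back clean. The same two records are what a scanner reads when it decides a domain is easy to impersonate, so fixing them is one of the cheapest reductions of the phishing risk described above.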
No firewall or reverse proxy? No protection against DDoS or brute force attacks? These are hundreds of possibilities left to potential attackers to visit, neutralize or deface your websites and information systems.
The measures to be adopted
When faced with the risk of a computer attack, whatever its nature, there are three possible measures: avoid it, reduce it and share it.
Avoiding Cyber Risk
Avoiding Cyber risk would mean not digitalizing your activity, not using email, not using smartphones, ... The number of activities for which the Cyber risk outweighs the opportunities offered by digital is very limited (probably close to 0 in the West), and should continue to decrease over time. Teleworking without digital tools is even rarer.
Since in most business activities it is not possible to avoid cyber risk, let's explore how to reduce and share it.
Cyber insurance to share the risk
The simplest way to share the risk is to take out insurance: "The contribution of many to the bad fortune of a few". Under certain conditions that we will detail below, a company can insure its activity against computer attacks. If a loss occurs (data leakage, data loss, operating losses, ...), the Cyber insurance will then finance the consequences (the guarantees) of the attack: from the intervention of experts, crisis communication and possible CNIL fines, etc., to the repair of the damaged systems.
What Cyber insurance asks in return
In return for agreeing to cover the risk, the insurer (or, more often, the new insurer) will ask for certain conditions. The one that springs to mind first is of course the insurance premium... but that is not in fact the first. First of all, the insurance company will measure your maturity in terms of information systems security: backups (daily? on a remote site?), antivirus, software update policy, ... The insurance company will also look at the sector of activity: one can imagine that an NGO defending the freedom of the press in Russia and a chocolate maker selling online do not have the same risk profile. It seems normal to take some guarantees before covering a risk as protean as it is complex.
Cyber risk reduction and insurance
Risk reduction via cyber insurance will include all upstream measures, monitoring measures and the existence of an organization able to respond to a crisis. Some examples of upstream measures are antivirus installation, backups, system access controls, password rules, multi-factor authentication, etc., but also training, awareness and communication to users. A post-it note stuck under a keyboard or an employee who talks too much on the phone can open up breaches in the best of systems. The principle of monitoring is to keep an eye on what is happening on your networks in real time: attempted attacks, suspicious behavior, excessive outgoing data flow, etc.
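The "excessive outgoing data flow" signal mentioned above is one of the simplest monitoring rules to make concrete. The script below is an added example for this article, not the author's or any insurer's tooling: it reads constructed firewall-style flow records (the field names `src`, `dst`, `dport` and `bytes_out` are assumptions of this example), sums each workstation's outbound bytes per hour, and raises an alert when one hour is far above that host's own median. A per-host baseline catches a workstation that suddenly pushes hundreds of megabytes to an unfamiliar address without flagging a server that is always busy.

```python
"""Flag hosts whose hourly outbound traffic suddenly dwarfs their own normal
level (the "excessive outgoing data flow" signal).  Added example for this
article, not the author's tooling; the flow records below are constructed."""
import re
from collections import defaultdict
from statistics import median

# Constructed flow records, one line per connection summary.  Host 10.0.1.5
# behaves normally until 12:00, then pushes ~900 MB to 198.51.100.7.
FLOW_LOG = """\
2024-03-04T09:12:01Z src=10.0.1.5 dst=203.0.113.10 dport=443 bytes_out=1800000
2024-03-04T09:40:55Z src=10.0.1.5 dst=203.0.113.11 dport=443 bytes_out=400000
2024-03-04T10:05:13Z src=10.0.1.5 dst=203.0.113.10 dport=443 bytes_out=1500000
2024-03-04T11:22:47Z src=10.0.1.5 dst=203.0.113.12 dport=443 bytes_out=2200000
2024-03-04T12:03:09Z src=10.0.1.5 dst=198.51.100.7 dport=443 bytes_out=650000000
2024-03-04T12:31:44Z src=10.0.1.5 dst=198.51.100.7 dport=443 bytes_out=250000000
2024-03-04T09:15:30Z src=10.0.1.9 dst=203.0.113.10 dport=443 bytes_out=1000000
2024-03-04T10:18:02Z src=10.0.1.9 dst=203.0.113.10 dport=443 bytes_out=1200000
2024-03-04T11:44:19Z src=10.0.1.9 dst=203.0.113.11 dport=443 bytes_out=1100000
2024-03-04T12:27:51Z src=10.0.1.9 dst=203.0.113.10 dport=443 bytes_out=1300000
this line is deliberately malformed and must be skipped
"""

# Field layout assumed by this example (not a standard log format).
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) bytes_out=(?P<bytes>\d+)$"
)


def hourly_egress(log_text):
    """Sum bytes_out per source host and per hour -> {host: {hour: bytes}}."""
    totals = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        match = LINE_RE.match(line.strip())
        if not match:
            continue  # a monitor must survive malformed lines, not crash on them
        hour = match["ts"][:13]  # "2024-03-04T12": the timestamp truncated to the hour
        totals[match["src"]][hour] += int(match["bytes"])
    return totals


def flag_egress_spikes(log_text, factor=10, floor_bytes=50_000_000):
    """Return [(host, hour, bytes_out, baseline)] for hours that exceed both an
    absolute floor and `factor` times the host's own median hourly volume."""
    alerts = []
    for host, hours in hourly_egress(log_text).items():
        # The median is robust to the spike itself being part of the sample.
        baseline = median(hours.values())
        for hour, total in sorted(hours.items()):
            if total > floor_bytes and total > factor * baseline:
                alerts.append((host, hour, total, baseline))
    return alerts


if __name__ == "__main__":
    for host, hour, total, baseline in flag_egress_spikes(FLOW_LOG):
        print(f"ALERT {host} {hour}: {total / 1e6:.0f} MB out, usual ~{baseline / 1e6:.1f} MB/hour")
```

The absolute floor stops a nearly idle host from being flagged for a routine software update, and the per-host median means the rule needs no hand-tuned threshold per machine. In practice such a rule would be one detection among several feeding the crisis organization the text describes, not a replacement for it.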
Share the Cyber risk with your insurer
If reducing or mitigating risk is the first essential step in any Cybersecurity protection strategy, sharing Cyber risk is the next step. Compared to maritime risk, which insurers have covered for more than five centuries, Cyber risk is much more recent. It is less well understood by insurers, who nevertheless keep multiplying products and offers for companies of all sizes.
The most advanced players in this segment have found a formula that allows them to both share and reduce the risk. The insurer positions itself as a co-actor in your security: initial assessment, training, monitoring, awareness tools (such as a generator of simulated phishing campaigns to evaluate employees' reactions to an attack) but also crisis management and technical interventions (cleaning, restoration of systems, etc.).
It's a win-win approach: neither the insured nor the insurer wants to suffer a cyber loss, and each is an actor in the other's success. It's also a win-win approach to selling insurance: a service that brings continuous value, not just a financial exchange that happens in two situations, the collection of the annual premium and the payment of a claim.
Cyber insurance but not only!
Faced with such a complex risk, the solutions that will make the difference:
- Will combine Cyber insurance, services and tools
- Will be able to aggregate policyholders into a community of interest (including the shared interest in not being hacked)
This will be the only way to allow the insurance industry to continue to cover the Cyber risk at a cost accessible to the majority of companies.