It cannot be overstated that the two most powerful weapons in a company’s policy arsenal are proper purchasing protections and performance metrics.
Without smart purchasing, businesses tend to waste money on solutions that are inadequate and that penalize the company repeatedly until cured. The money needs to be reallocated to purchase the correct solution, and while the wrong solution is in place, the company fails to gain any advantage from it and possibly loses ground.
Proper metrics are what allow a company insight into layers of operational intelligence. Without good metrics that permit comparison with competition and external industry measurements, perceptions can be flawed and gains lost. Worse, improper use of metrics can lead to stagnant areas of insight, which undermines the entire purpose.
These two areas are clear marks of maturity in a business and keys to remaining competitive and obtaining market dominance. But they are HARD to do. So we see them almost nowhere. This despite the fact that both areas have been understood and well defined for 50 years!
Now, the interesting thing to us here at Liticode is the ramifications these two key indicators have on information security and litigation costs. The cost of a failed security tool purchase is potentially far greater than the cost of the mistake and the fix. If there is an event stemming from the failure in purchasing, it can have catastrophic consequences well in excess of the purchase costs. All stemming from a failed purchasing policy.
Cyber insurance is motivating the black hats to pursue more ransomware attacks. Much like piracy in the Gulf: when the criminals know there is insurance and request only a fraction of the insured worth, it is in the best BUSINESS interest of insurance companies to pay the ransoms, which creates a terrible cycle of destruction and costs. The pirates/criminals know the money is there; all they have to do is write the ransomware.
As is the norm in such cases (like piracy), it will require a government to step in and enforce a contractual policy through force. The government must mandate non-payment, which insurers will lobby against. If payment cannot be made, the government will be required to intervene to protect the business assets of the insured and the insurance company, or a black market will develop to pay the criminals.
If the government doesn’t want the insurers to pay the criminals, then the government will need to have an actor (military, etc.) take action to discourage releasing ransomware. This will not stop the use of ransomware, only decrease the frequency and increase the intensity, just like piracy.
Unfortunately, this will not increase demand for highly qualified cyber security and risk personnel, who can help prevent successful attacks; it will merely increase the size of the insurance market. Consumers, as always, are a secondary consideration, and critical-mass-effect assets such as health records will be the biggest target, as in any terrorist-style criminal activity. Criminals know they need to pick big targets if they want a big payday.
HIPAA security officers need to prepare for this impending increase in risk more than those in any other industry, because you’ve got the most to lose.