We think of cyber-security in terms of genius hackers crouched over banks of laptops in faraway places, burrowing into troves of corporate or government data. But people who actually fight cyber-crime for a living talk about operational failure, not technology failure, as the big problem in this area.
At a recent workshop in Canada covered by Canadian Underwriter, experts from AIG, Aon and elsewhere talked about some of these basic lapses in corporate security. “It’s the CEO writing his password on his computer, it’s people leaving briefcases on planes, trains and automobiles,” said David Price of AIG. Employees lose laptops and send contact lists to the wrong person, creating the potential for havoc.
In one widely publicized event, a reporter for a French television station that had been hacked and shut down by ISIS was interviewed on television. On the wall behind him were sticky notes with various passwords clearly legible to viewers. In discussing the recent breach at the US Office of Personnel Management, Business Insider said, “Fantasizing about super-hackers and visions of cyber-doom are more fun than the boring but necessary drudgery, for example, of modernizing a decrepit and decaying federal information technology base or ensuring that basic security protocols are observed.”
As we have noted previously, cyber-insurance products combine traditional liability coverage with risk management. Clearly, a key element of this risk management entails teaching security protocols to employees at all levels, and reinforcing those protocols with clear, forthright communications.