Cyber insurance provides an opportunity to address residual risk in your information security program and to offset the costs of a data breach of ePHI. However, individual policies, coverage and exclusions are highly variable, so just like any security control it's important to understand your security risk profile before an appropriate cyber insurance policy can be defined. An assessment, such as a HIPAA Security Risk Analysis, should be the first step in any insurance policy strategy. Here's why: A) You'll have to do it anyway, B) The safest approach is to avoid a breach in the first place, C) Your risk profile will enable a better tailored policy.
An Open Letter, A Call To Action
Cyber security has reached a complete state of mayhem, and estimated costs of cyber crime have reached trillions of dollars annually. This year, we’ve seen the largest DDoS attack ever orchestrated, the largest data breach ever, the largest fine for a data breach ever, the largest number of hacked IoT devices ever, and the list goes on. The most unsettling fact is that it’s clearly just the beginning.
The Daily News
The list of ramifications is astounding. The number of stolen identities has now impacted well over a billion people. In the last few months, we’ve seen a single breach fine of almost $500,000, and a breach settlement of $5.5 million. Company valuations have been crushed, class-action lawsuits have halted normal business operations, and brand reputations have been permanently damaged. The list of data that has been freely dumped or sold to the general public is also shocking. Companies, candidates, and governments have lost mountains of intellectual property, trade secrets, private communications, and proprietary tools.
Things to Come
We’ve seen cases where healthcare cannot be administered until ransoms are paid. Hackers have proven they can take control of medical devices that administer life support and pharmaceuticals. The FBI has warned that ‘smart vehicles’ can be unlocked, and that steering, brakes, and transmissions can be remotely controlled. Rigged elections and voter fraud are a looming reality. And to top it off, the dismal state of IoT security has proven that critical infrastructure such as power plants, dams, stadiums, and traffic control systems is largely defenseless.
A Call to Action
Obviously we are all concerned, but all companies need to take responsibility and move beyond the status quo. In a time where almost anything can be hacked, relying on automated security scanners, endpoint protection, and intrusion detection systems is simply not enough.
If you’re not regularly hacking your own resources, your company is riding on a false sense of security. Penetration testing is more relevant than ever. It remains so critical because it’s the only practice that rivals a highly skilled real world hacking attempt.
The only process that can answer, “Can we be hacked?” is a vulnerability assessment or penetration test from a skilled security engineering team. You simply can’t answer that question by looking at the results of an automated scan.
Research Your Security Provider
- Are they trusted throughout the security industry?
- Do they have a successful track record?
- Are they using full time, award winning, world-class engineers?
- Do they have a proven methodology and effective processes?
- Is analysis, testing, and reporting performed by professional security engineers?
- Do they offer free quotes, sample reports, and guidance?
A Dime a Dozen
If you’re not already working with a security provider, check out Redspin’s Penetration Testing, Vulnerability Assessments, or Red Team Assessments. We only hire world-class security engineers, we’re on the front lines every day, and we relentlessly examine today’s exploits and threats.
At a time when so many security companies (and security reports) are a dime a dozen, Redspin delivers the highest levels of expertise, intelligence, and service in the industry.