With an increase in high profile data breaches and ICO fines, one information security expert asks whether the anticipated growth in the cyber insurance market is going to affect employee data security training.
Last month's fine of £150,000 for Welcome Financial Services woke the private sector up to the ICO's intensified data security offensive. Prior to this, the most notable fine to a business had been the £1,000 fine for Andrew Crossley at ACS: Law, which would have been £200,000 had the firm not ceased trading by the time the fine was issued.
Over in the public sector the fines have been coming thick and fast. Most recently, Belfast Health and Social Care Trust received a £225,000 fine, which comes hot on the heels of the £60,000 fine for St George's Healthcare NHS Trust in London. Press releases from the ICO itself, supported by commentary from the industry, indicate that the gloves are off as far as this particular watchdog is concerned.
Those with an eye on human resources will be aware of the huge increase over the last 10 years in employees suing their employers. In fact, I read that an organisation is now 5 times more likely to end up in front of an Employment Tribunal than to suffer a fire at one of its premises. Unsurprisingly, this has prompted the development of specific insurance products to help employers afford the cost of defending themselves at tribunal.
I use the employment example because many factors - not simply the increase in high profile data breaches and ICO fines - indicate we are on the verge of massive growth in the cyber insurance sub-market. Many will have read that the European Network and Information Security Agency (ENISA) is calling for the insurance market to provide more cyber products to organisations. In support of this it published a report that outlines key barriers and incentives for growth. We also have the formation of the Cyber Insurance Working Group, with big names such as Liberty International Underwriters, Zurich Insurance, CNA Europe and Oval creating a forum to focus on this issue. Their objective is to develop a framework of recommended information security practices and policies for organisations that they insure. The big question is: what will cyber insurers come to expect?
Most insurance policies have stipulations. For example, some building insurance policies require you to have a minimum standard of lock on all doors and ground-floor windows, in addition to working fire alarms. It stands to reason that insurers will stipulate that organisations adhere to a similar minimum standard of protection with regard to their information security.
Measures for physically securing networks and information will almost certainly be included. However, I'm particularly interested in what the Cyber Insurance Working Group arrives at with regard to data security policy. In other words, what will they see as the minimum standard for employee data security handling procedures? That could in turn include a benchmark by which organisations can prove that employees have been adequately trained in these procedures, and understand the key cyber risks and how to avoid them. We may even see insurers offer premium reductions for those organisations that strive for higher levels of data security.
For most organisations, employees are still seen as the weakest link in the security chain. And although there will always be the risk of being caught out by a highly sophisticated attack, there is a desperate need for organisations to protect themselves against the more 'mundane' employee mistakes - many of which are exactly the kind that draw ICO fines. The work emails sent from personal email accounts. The misplaced back-up media. The sensitive data transported out of the office without being encrypted.
In summary, I look forward to the outcomes of the Cyber Insurance Working Group. I believe it has the capacity to be just the driver that the UK needs to achieve a good standard of data security practice across public and private sector organisations.