Companies shun e-Crime insurance despite growing risk
Over three quarters of UK IT security professionals do not have insurance, or do not know if their organisations are insured against e-crime legal costs. This is despite more than half seeing an increase in the threat level in the last 12 months, according to a new study released today by audit, tax and advisory service company KPMG.
Just over a quarter say they have definitely taken out insurance against interruption of business by hackers, while only 27 percent say they know their organisations are insured against e-crime-related data loss.
Malcolm Marshall, UK head of information security at KPMG, comments: “Businesses should be acutely aware of e-crime risks after various recent high-profile cyber attacks against big organisations. But they aren’t taking out insurance for a number of reasons.
“Not many out there know or understand what insurance is available. Many are also sceptical about the effectiveness of current policies and whether insurers will actually pay out against e-crime claims.”
Lack of knowledge raises risk
Insufficient awareness of the increasingly unpredictable e-crime threat also appears to be hampering organisational response, the research finds.
Two fifths of organisations say their lack of knowledge of potential vulnerabilities is leaving them open to attack. As a result, half admit they don’t have, or don’t know whether their organisation has, a strategy for dealing with e-crime risk.
More than half of CISOs are also experiencing problems prioritising the detection of e-crime incidents, and a similar proportion are having problems prioritising their investigation.
Marshall continues: “The threat landscape is changing by the day and it looks like organisations are floundering as they try to protect themselves. You need to act fast to create strategies that enable them to prevent, detect, respond and learn from attacks.”
New technology exposes new vulnerabilities
Compounding the e-crime threat, the report also found that companies are opening up new lines of attack as they attempt to capitalise on popular new business and consumer technologies.
Despite almost a third having already invested in cloud computing and two thirds in outsourcing, 69 percent agree that this activity presents the greatest security risk to their vital data. The majority also single out Software as a Service (SaaS) as increasing their vulnerability to security risks.
Alarmingly, half also believe the internet in its current form does not provide a sustainable platform for e-commerce and e-service delivery.
Other major risk-raisers identified include employees using the same devices for business and personal use and the use of consumer technology in the enterprise, such as smart phones and tablets.
Marshall concludes: “While innovations like cloud and mobile computing deliver cost savings and efficiencies, security needs to be built in from the start to avoid the risks destroying the benefits.”