An article from the Insurance Journal, 5 Reasons Cyber Security is Failing and What P/C Insurers Can Do About it, states 5 reasons why it is not working:
1. Common misconceptions. Most people understandably think of cyber security as an IT problem. “For most people, the inner working of information technology is somewhat of a mystery. It makes, somewhat, sense that it’s both the cause and the cure of a lot of the problems,” Garrett said. But IT is not the whole picture. “The true drivers, in my opinion, of some of these cyber security risks, are organizational cultural issues. You can buy the latest firewall and buy the latest data loss prevention tool. But if there’s a fundamental issue with your organization’s culture that’s driving some of this risk, you’re really in no better spot.”
2. Traditional security strategies. Most enterprise risk management tends to be specialized. The finance department handles financial risks. The legal department handles legal risks. The facilities department handles physical security risks. The IT department handles IT risks. “That does not lend itself well to digital risks. Digital risks span all of those various risks,” Garrett said. Also, a data breach raises technical and reputational issues. Traditional risk management strategies do not provide visibility into those different risks.
3. Security risk factors: culture and enforcement. There are certain behaviors and activities that correlate with the likelihood that there will be a breach. One is tolerance for inconvenience. “A truism, in information security, is that security and convenience are inversely related. You cannot have both,” he said. One example is passwords. The longer they are, the harder it is for employees to memorize them. Human nature dictates going the route that has the most convenience and that doesn’t necessarily equate to better security. Denying administrative rights to employees makes it more difficult for hackers to install software. But it’s not always done because employees want their freedom to be able to download that Yahoo app because March Madness is coming down the pike. “There is almost a culture within an organization that favors convenience.” Lack of security governance is another risk factor. There is often an infrastructure of people, policies and processes that set corporate policy when it comes to security but those policies need to be enforced. Organizations that take those steps in a “cavalier way” are more likely to have a data breach. Also, decentralized organizations can be a risk. Many organizations that grow through acquisitions work in silos. If there is a risk that needs to be managed, it’s more difficult to do that if the group in one silo has a different set of IT than the group in another silo.
4. Data imbalance. Paradoxically, at the same time information security professionals are flooded with data, they have no data. That is they have lots of data of certain types from firewalls and data loss prevention tools for tactical decisions but not necessarily data that support strategic decision making. “We see an attack coming in from a particular IP address, we can shut off access to that IP. Organizations are actually getting pretty good at being able to do that,” he said. But there is a lack of data in other areas, such as on the culture of an organization, whether the organization prioritizes convenience over security. “There’s ways to do that but that’s not happening right now. It’s one place where insurance carriers can really distinguish themselves from one another is the ability to be able to collect really meaningful data,” he offered.
5. Choice overload. This is a term invented by Columbia Business School professor, Dr. Sheena Iyengar, whose research is around what drives consumers to buy. There is an “avalanche” of products in the information security field, especially for small and medium sized businesses. “Lots of companies that are doing really cool and exciting things. Many small and medium sized businesses are not capable of differentiating between them. It has become noise,” he said. “What is happening, and I’m seeing it happen more and more often, is that companies are not actually purchasing the technology that could help address some of these issues. Companies are either delaying or not actually making that choice.”
If you want to read the reminder of the article on what to do about it