Cyber security and leaving the door unlocked

A standard part of home or office contents insurance is making sure you use a lock from a list of approved manufacturers, and then ensure that the lock is actually engaged when you’re absent. Enabling other security mechanisms such as alarms is also typically required.

This seems entirely reasonable and simple common sense: if you leave a building unlocked and your belongings are stolen, it’s your own fault – you were negligent.

It’s not quite the same when it comes to cyber theft.

Even though you can purchase insurance to cover you against the risks of cyber attack, hacking, ransomware and data loss, the policies are much vaguer when it comes to understanding your responsibilities.

In a physical contents policy, the single word “locked” is enough to describe the state the building must be in to be considered sufficiently protected. When applying for the policy you will be asked whether there is an alarm, and in theory the presence of one should reduce the premium. The same isn’t the case when applying for a cyber insurance policy. I think it should be.

Basic security steps

There are two steps you must take to secure your online accounts:

  1. Use a password manager, with unique passwords for every online account that are at least 12 characters in length (as of Jan 2018, this will change over time).
  2. Use two-factor authentication with a TOTP app such as Google Authenticator, not SMS. Or, even better, use a security key.

Having the same password (or a small number of passwords) for your online accounts is the single biggest reason why account compromise is so frequent. A single breach of any online service will reveal your password for everything else, something which happens on a regular basis.

Without a password manager this is difficult to achieve, especially since each password should be a random mix of numbers, letters and special characters; the main reason to use a passphrase made of words is to make it easier to remember. A password manager means you don’t have to remember anything except the single master password, it protects against phishing because auto-fill only offers credentials when the page’s URL matches the saved entry, and you can enter credentials quickly with keyboard shortcuts.
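The phishing protection mentioned above comes from matching on the page’s origin rather than on anything a user might eyeball. The following is an added illustration, not code from the post or from any password manager: a toy vault with one saved credential and an auto-fill decision that only releases it when the scheme is HTTPS and the host is exactly the one it was saved on. The saved entry and the candidate URLs are constructed for the example.

```python
from urllib.parse import urlsplit

# Constructed vault: one credential, keyed by the exact (scheme, host) it was saved on.
VAULT = {
    ("https", "login.example.com"): {"username": "alice", "password": "<stored secret>"},
}


def origin_of(url: str) -> tuple[str, str]:
    """Return (scheme, host) for a URL, lower-cased; hostname drops port and userinfo."""
    parts = urlsplit(url)
    return parts.scheme.lower(), (parts.hostname or "").lower()


def matching_entry(url: str, vault: dict = VAULT):
    """Return the saved credential for this page, or None if the origin does not match.

    Deliberately strict: no substring or 'looks similar' matching, and never fill
    into plain http even for a host we know, since the page could be a downgrade.
    """
    scheme, host = origin_of(url)
    if scheme != "https":
        return None
    return vault.get((scheme, host))


if __name__ == "__main__":
    # Constructed candidates: the real site, a lookalike suffix, a downgrade, and a userinfo trick.
    for candidate in [
        "https://login.example.com/signin?next=/",
        "https://LOGIN.Example.com/",
        "https://login.example.com.evil.test/signin",
        "http://login.example.com/signin",
        "https://login.example.com@evil.test/",
    ]:
        decision = "fill" if matching_entry(candidate) else "do not fill"
        print(f"{candidate:50} -> {decision}")
```

Only the first two candidates get credentials; the others differ in host or scheme even though a human reading the address bar might accept them, which is exactly the check a tired user skips and the manager does not.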

You have to expect that your password will be leaked (or possibly guessed given sufficient compute power), and so that is why having 2 factor authentication is so important. This is a great example of having layers of security so a breach of one type of protection is mitigated by another.
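To make the second layer concrete, here is an added example (not code from the post) of how a TOTP app and the server independently derive the same short-lived code from a shared secret, following RFC 4226 (HOTP) and RFC 6238 (TOTP). The secret used is the standard RFC test key, included only so the output can be checked against the published vectors; the verifier also shows the two server-side details that matter in practice, a small clock-drift window and rejection of an already-used code.

```python
import hashlib
import hmac
import struct
import time

# RFC 4226 / RFC 6238 test key, used here purely so results match the published vectors.
RFC_TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the big-endian 8-byte counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, for_time: int, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP with the counter derived from Unix time in 30-second steps."""
    return hotp(secret, for_time // step, digits)


def verify_totp(secret: bytes, submitted: str, now: int,
                step: int = 30, window: int = 1, last_used: int = -1):
    """Server-side check. Returns the accepted time-step counter, or None.

    window=1 tolerates one step of clock drift either side; any counter at or
    below last_used is refused so a code that was already accepted cannot be
    replayed within its validity window.
    """
    counter = now // step
    for c in range(counter - window, counter + window + 1):
        if c <= last_used:
            continue
        if hmac.compare_digest(hotp(secret, c, len(submitted)), submitted):
            return c
    return None


if __name__ == "__main__":
    now = int(time.time())
    code = totp(RFC_TEST_SECRET, now)
    print("current code:", code)
    accepted = verify_totp(RFC_TEST_SECRET, code, now)
    print("accepted at step:", accepted)
    # Presenting the same code again, after recording the accepted step, is refused.
    print("replay accepted?", verify_totp(RFC_TEST_SECRET, code, now, last_used=accepted))
```

The point for the argument above is what an attacker holding only a leaked password lacks: the secret never leaves the phone or the server, and a captured code is useless thirty seconds later and, with the replay check, useless immediately.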

If you don’t use both of these “techniques” for at least your email and ideally for every account, you are negligent. It’s the same thing as leaving your property unlocked.

Applying this to cyber policy insurance

Just implementing these security measures significantly improves your security and should really be a standard part of applying for cyber insurance just like asking about alarm systems is for contents insurance. Not using either should therefore increase your premium.

But given the number of people who are still acting negligently with regard to their own cyber security, perhaps it’s not yet been considered in the risk analysis for insurers. Maybe so many people don’t bother with proper security that it doesn’t show up in their premium modelling yet.

Or maybe it does. If you look closely at the insurance wording, you might find something like this:

What is not covered – pre-existing problems: anything likely to lead to claim, loss, breach, privacy investigation, illegal threat or interruption which you knew or ought reasonably to have known about before we agree to insure you.

Source: Hiscox Cyber Policy

This is vague enough to give the insurer scope to exclude many claims for poor security practices – “ought reasonably to have known about” easily covers not using the two security techniques above. There is enough advice online and from official government channels saying the same thing (2FA and password managers) for this now to be considered reasonable knowledge.

Leave the room to get feedback from your board

I’ve been running monthly board meetings for Server Density since 2015, which was when we brought on an institutional investor. My board now comprises the VC partner (Barnaby Terry), my first angel investor (Qamar Aziz) and an independent (Oren Michels).

Although it’s well established that employees should have regular performance reviews, this isn’t widely heard of when it comes to evaluating the CEO’s performance. In much larger businesses, compensation can be linked to stock price or other KPIs, but at a startup or small business it can be harder. Feedback often needs to be qualitative as well as quantitative.

You might implement a 360 degree feedback process within the management team but a formal opportunity for feedback from the board to the CEO is rare. This might only surface through scrutiny of specific board agenda items, difficult questions or ultimately being fired!

With this in mind, an idea I have been using for some time is a specific section of the board meeting where I leave the room and allow the remainder of the board to discuss without me present. This is a good opportunity for them to discuss the meeting topics themselves but I specifically frame it around “Feedback to the CEO”. This lasts 10-15 minutes, after which I’m called back in.

Although the board members are not involved in the day-to-day, and so are less able to provide specific operational direction, I have found the feedback very useful. It has allowed me to direct my thinking on difficult topics, understand how I might change my approach to problems and reconsider where I should be spending my time.

Positive feedback is just as useful as negative. I know many CEOs suffer from imposter syndrome, so being given praise is valuable as well. You should try to bring on board members who have been CEOs themselves, so they understand the difficulties. Feedback is so much more valuable when it is from someone who can relate to the experience.

If you’re not getting feedback from your board, you’re missing out on a big part of why they’re supposed to be there.

The most important piece of advice I’ve learned on structuring board meetings is that they should be discussions without fear of conflict. Just using the meeting as a status update is a waste of everyone’s time and incredibly boring.

Further reading on running effective board meetings I’ve found helpful:

We’re still in v1.0 of the cyber security industry

Things are just starting to get interesting in cyber security. We’re seeing a ramp up of attacks, from corporate breaches through to election tampering and disabling critical healthcare services. Governments are posturing and hinting at their warfare capabilities. There is almost no regulation and most end-users are failing to protect themselves.

Security is still talked about by the uninformed as a binary state. To be secure, or not.

Actually, “defense” isn’t a single thing. It’s not a question of whether you will suffer a security incident, but when. As such, good security is implemented through layers and with a mind to mitigating breaches through compartmentalisation:

In every instance, it is the lack of compartmentation between accounts and personas that has been the cause of the pain. Without proper compartmentation, attackers are able to leverage information from one compromised account to access another related account. Increasing privileges and traversing across the persona’s exposed and interlinked account control centers.

The human element of security is often the weakest. We hear a lot about zero-day vulnerabilities and elaborate hacks because they are cool, but it’s the simplest breaches – users with poor password hygiene and no 2-factor authentication – that are the biggest cause for concern. People are used to frictionless access to their computers, and the UX around 2FA and strong passwords is usually less than frictionless.

E-mail continues to be a popular communication platform despite having minimal built-in security. With a history of all your communication, files and personal conversations, and direct access to all your other accounts (through password reset), it really is a single point of failure. Nobody uses PGP properly, so most have given up and moved to encrypted apps like Signal and WhatsApp.

Yet email continues to be a critical part of business and governmental infrastructure.

The security industry is also full of vendors with vague, fluffy marketing. It can be difficult to know precisely what you’re buying and it’s difficult to compare products because they’re often hidden behind enterprise sales processes. The big cloud providers are starting to offer data-driven products and there are some promising businesses like Cloudflare, but for the vast majority, the market is confusing.

  • Unlimited attack surfaces
  • Users not paying attention to basic security practices
  • Frustrating and inconvenient UX
  • Enterprise vendors selling vague security promises
  • An increasing number of attacks from criminal gangs, hacktivist groups and nation states

To me, it looks like a very immature landscape where things are just getting started. We’re still in v1.0 of the cyber security era and things are only going to get more interesting!