Chaired by Mark Geoghegan, formerly of Insurance Insider, we welcomed Dr. Jessica Barker, Lord Peter Ricketts, and Adam Banks to give their personal views on this emerging space. Here's what they had to say...
A government perspective
Now sitting as a crossbencher in the House of Lords, Lord Peter Ricketts was Britain’s first National Security Advisor from 2010 to 2012, established the National Security Council, and oversaw the 2010 National Security Strategy and Strategic Defence and Security Review.
He was uncompromising in his view on the severity of the threat posed by cyber; simply put, it is completely different to all other national security risks, including terrorist threats, and the government cannot work in isolation when it comes to protecting the nation from cyber risk.
One significant initiative has been the creation of the National Cyber Security Centre which he sees as a major weapon in the UK’s cyber armoury – using the capabilities of our extensive and experienced intelligence organisations and their partners, and turning that into a resource for the private sector.
He also encouraged the audience to engage with the recently-formed Cyber Security Information Sharing Partnership, a joint-industry and government initiative set up to exchange cyber threat information in real time and in a secure and confidential environment, with the aim of reducing the impact on UK business.
Lord Ricketts closed with a word of caution for insurers and their clients alike; the risk of attack by predatory states is growing. We’ve seen demonstrations of their capability and their power and the risk they pose cannot be emphasised strongly enough. It’s serious and we all need to be more aware and keep our systems and technology up-to-date to defend ourselves against it.
The human nature of cyber security
Named one of the top 20 most influential women in cyber security, Dr Jessica Barker provided delegates with some fascinating insight into the human nature of cyber security.
Even those well-versed in cyber security can fall victim to social engineering as cyber criminals have become increasingly sophisticated; their understanding of behavioural economics means that they know the most powerful emotional triggers and even the best times of day when their victims will be tired, vulnerable and less likely to question the veracity of an email request. They’re even aware that many of us are simply fatigued by the abundance of security warnings we face day-to-day, and will capitalise on that.
But do those responsible for cyber security view cyber insurance as a good thing?
According to a quick poll of 1000 cyber security professionals that she undertook before the symposium, a third gave it the thumbs up. But before the insurance industry could give itself a pat on the back, Dr Barker was quick to state that a third were sceptical about whether it pays out or whether it provides businesses with an excuse to avoid security controls.
On a more positive note, however, the same professionals did appear to acknowledge the value of cyber insurance for SMEs, providing them with a rapid response tool as well as helping with compliance and quantification of risk.
Her advice to delegates was to engage with organisations that have benefited from cyber insurance and with security professionals who do believe in the value it can deliver in order to influence the sceptics. An abundance of social studies show that if around a quarter of people agree to take a certain course of action, the rest will follow. That’s human nature!
Collateral damage
Adam Banks, chief technology information officer at AP Moller-Maersk, shared how the NotPetya cyber attack brought the maritime giant responsible for carrying almost a third of global trade to a dead halt.
Maersk wasn’t the target of the cybercriminals behind the most devastating cyber attack of recent years – alongside numerous others including the NHS, it was merely collateral damage to an attempt to disrupt the Ukrainian government. In what was spectacularly bad timing, a Maersk employee in its Ukraine operation had asked IT administrators to install some accounting software on a single computer and that gave NotPetya a way in.
Maersk wasn’t unprotected; it successfully defended against the first two attempts by the malware, but the weapon had four different modes of attack. It took just seven minutes for it to shut down one of the world’s most complex and interconnected distribution businesses. It took the business 24 hours to work out what had happened.
How businesses respond to and recover from an attack is critical and Adam shared with our audience the lessons that Maersk learned and, more importantly, how they have applied those lessons.
Having invested heavily in response and recovery, the business has completely changed the way it defends itself from cyber attacks. Based on the assumption that cybercriminals will get in, Maersk’s efforts are now focused on being able to detect a threat and protect against it. Every keystroke and every CPU is monitored so the business understands what is normal and if any deviation – no matter how small – is spotted, that machine is disconnected immediately.
This strategic change has worked. Last year the business stopped 2500 separate attacks. It cost Maersk US$350M to recover from the NotPetya attack. If it happened today, Adam estimated it would cost around US$4M.
To learn more about our 2019 London Market Cyber Symposium, visit the event page here.