A recent report based on interviews with nearly 3,000 IT security experts and executive leaders found that, in Australia and globally, multi-cloud adoption continues to increase. The Thales Cloud Security report found that the use of multiple cloud providers has almost doubled in the last year, with one in five respondents using three or more providers. Yet only about 10% of companies encrypt most of what they store in the cloud.
The multi-cloud environment can dramatically increase cyber vulnerabilities. Brian Grant, ANZ director at Thales, said insurance brokers can play a proactive role in helping their clients reduce their cyber risks.
“If I was a broker and I was advising my client, I would literally go to them and say, ‘what is material’?” said Grant.
In other words, what’s the stuff on your computer networks and in the cloud that really matters?
“How much is your data worth as an asset to your organization? How do you put a value on your balance sheet for that asset?” he asked.
Grant suggested that a lot of brokers’ clients don’t view their data in this way.
“If they did, that would flip their entire perspective on the value of that data,” said Grant. “They would sit there and go, ‘Holy crap! That’s worth $10 million on my balance sheet so I should spend $50,000, or $100,000 securing it really well.’”
Companies typically don’t, he said, carry data and digital systems on their balance sheet as an asset; they are usually treated as a cost.
“They’ll do software amortization, they’ll depreciate IT assets over time for tax purposes and the like, but they won’t carry the actual data and digital system themselves as a value-based asset.”
Grant said it would take a flipping of financial modelling to change this.
“There’s no standard accounting methodology for valuing data as an asset,” he said.
But there is a starting point for brokers helping clients navigate these issues.
“Understand your assets and the value of your assets,” said Grant.
He points to a cyber security paper written a few years ago by Michael Burgess, the current director general of security in charge of the Australian Security Intelligence Organisation (ASIO).
“He outlined this whole idea of know your data, know the value of your data, know where it is, know how to protect it and know how to respond in the event that it’s been compromised,” said Grant.
He said, however, that cyber security does not depend on knowing all assets and all data.
“It’s about starting the journey and knowing your most critical ones [assets and data], the ones that you can’t afford to live without and then you secure those.”
In practical terms, he said, the different IT platforms companies use can only be secured “to a certain extent.”
Grant included SAP, Oracle, Microsoft and others as platforms with technology that can effectively secure data and help stop it being stolen or compromised on their own platforms.
However, he said, securing your Microsoft server with data encryption won’t protect data when it moves to your Linux or Oracle servers. Grant encouraged brokers to promote a holistic cross-platform approach to cyber security.
He said this goes against the traditional approach to data security where different systems are secured “piecemeal.”
“Now, everything’s driven by APIs so you’ve got to have data security embedded in your API framework, at your database layer, where you’re holding data, at your file folder container and where you’re using unstructured data,” he said.
The data being stored might be on premises, on virtual platforms or in the cloud.
“You need to secure that consistently because you’re going to be moving data across all these platforms over time,” said Grant. “This is difficult because, I’ll be honest, most of the data security out there today is provided by vendors.”
A connected issue is finding IT specialists, he said, who understand the different platforms rather than just specializing in one.
However, a major motivation for improving cyber security that is often lost, he says, is the impact of a cyber breach on real people.
“We quote the statistics but don’t quote the harm,” he said. “I would love everybody to understand that when we make these mistakes we actually hurt people, and we need to stop hurting people.”
Grant said companies have a social responsibility to better secure the data they’re collecting on customers.
“I get up every day and I’m hoping that I can help convince someone to better secure their data and digital systems so that the next time they’re under attack they don’t expose your data, or my daughter’s data, or your brother’s data, and cause them enormous harm,” he said.