Convincing businesses of the need to batten down their hatches against the storm of cyber crime makes a modern-day Cassandra of cyber security specialists – gifted with the ability to see the future but cursed not to be believed. Not, as the group CEO of Cybersec Innovation Partners (CIP) Andrew Jenkinson noted, that disbelief is necessarily the issue he faces when showing businesses the full range of exposures they face and the simple solutions that are available to combat them.
“Because this isn’t a debate and it’s not a conversation,” he said. “And if you want to engage with our services, we’re happy to talk to you, we’ll go through your [online presence] with a fine-tooth comb and show you exactly what your problems are, and we can even help you fix them. But if you want to debate whether these are actually problems, then I’m sorry but ‘no’. These are just the facts.”
So, rather than disbelief, he said, the challenge facing the uptake of cyber security protections appears to be a matter of the arrogance of the C-suite who believe their systems are secure. Perhaps the most concerning element of this pridefulness, however, is that it is reflected across so many swathes of society – from governments, to NGOs, to religious orders, and even to the insurance companies which underwrite policies that could be liable to settle claims totalling billions.
Jenkinson spoke with Insurance Business shortly after CIP published a ground-breaking report into the state of cyber security across several of the top insurance businesses in the world. Using CIP’s Whitethorn Shield offering, which utilises OSINT capability to confirm a company’s internet-connected security, the report found that several of the world’s leading insurance businesses are not demonstrating a resilient cyber posture.
Whitethorn Shield found that, at the time of the report, businesses including Aon, Zurich and Lloyd’s of London each held a CIP-rated security rating of ‘F’ and 0/100, the lowest rating possible. Jenkinson noted that this means that their internet-facing security could not be worse, placing the businesses, their investors and their customers in a “highly vulnerable and exploitable position.”
“We’ve tried to have a dialogue with a number of them,” he said. “And that includes the CEO of Lloyd’s, John Neal, and the CISO of Lloyd’s of London and they’ve got this report… And people often say to me ‘Andy, you’re showing these companies up for being incompetent’, and I guess I am, because better that than them being breached due to ignorance. Because I didn’t make these mistakes, but I have offered to help them. Take John Neal, for instance, I’ve personally emailed him several times asking him not to dismiss this information and his silence is quite telling.”
Jenkinson and his team, which includes the cyber security expert Professor John Walker, have worked closely with a variety of governments, charities and businesses assisting them in identifying and plugging the gaps in their internet-facing security. However, he highlighted how too often organisations either ignore the very urgent warnings they are given or make a half-hearted attempt to solve only the most visible of concerns.
It’s time for more of a question mark over why companies are ignoring this actionable intelligence and not taking greater action when it comes to their cyber security, he said, and he has two beliefs that underpin this – people are either complacent or complicit. He can’t say which one each person or company is, but he does know that the references to “sophisticated attacks” are nonsensical when even the simplest remote access doors are being left wide open by global corporations.
When he speaks to the market, he said, he’s often met with the rebuttal that surely the solutions available are cost-prohibitive. However, he highlighted a recent programme CIP has embarked on aimed at negating the increased targeting of education institutions and how, once the entire costs have been collated for this rollout, it amounts to a minute percentage of the average ransomware payment and offers peace of mind to a customer rather than making them wait for a breach before action can be undertaken.
Evaluating the variety of class-action lawsuits that have occurred and are occurring across multiple industries when it comes to online security, he noted that it is a real shame when class-action lawsuits drive behavioural change, especially when it’s so easy to take action before the point of crisis. But as it stands, the stick does appear to work better than the carrot when it comes to enacting change and, with this in mind, CIP is looking to create an online environment where consumers or potential employees can check out the security of a company in a similar way to how rating agencies operate.
Insurers could use it to assess the security of a company they’re considering offering coverage to, he said, while consumers could use it in a variety of ways, including where to spend online. This in turn will drive behavioural change as, if a business saw a decrease in sales because people were concerned about the privacy of their digital identity, then they would start to reassess their exposures.
This is the goal for the CIP team, he said, but, to get there, he’s ready and willing to continue putting in the 100+ hour weeks required to continually reach out to those businesses as yet unaware or unconcerned about their security rating and remind them that, whether complacent or complicit, the time for inaction is up.
“With cyber insurance revenues predicted to be in excess of $200 billion, and cyber losses of $6 trillion this year,” he said, “the disparity will need to be made up somehow and the only way to reduce these losses significantly is to address the systemic insecure positions adopted by thousands of companies, including cyber insurers. In fact, one could say, clients buy cyber insurance to mitigate their risks, not add to them.”