The main job of information security professionals is to balance risk. Similar to what insurance businesses do, we balance the cost of implementing security countermeasures with the cost of an incident.
The definition of risk is as follows:
risk = probability * cost
In information security, both probability and cost are hard to define. Insurance companies estimate both these variables, usually with a cost estimated in a currency, and the result is the price you pay for your insurance contract, plus a management fee.
Mario Greco said at the end of 2022 (Financial Times) that “What will become uninsurable is going to be cyber.” To his point, we see attacks happening more often than ever before, and the cost of each event increasing every year. The trend seems to be worsening. Mario Greco is saying that soon the consequences of these attacks on our society will be so far-reaching and expensive, and will happen so often, that insurance companies won’t be able to cover the costs of these events, or, said in a different way, people won’t be able to afford the cost of such an insurance.
Considering this statement, we need to look a bit deeper than just insurance companies: if insurance companies, whose day-to-day job is to evaluate risks, step out of insuring risks related to cyber attacks, can we as a society accept carrying these costs? Consequences of cyber security incidents usually go beyond financial loss. Companies close their doors, people have their lives turned upside down, some of them die. Do we integrate these costs in our calculations?
According to a survey by the Cloud Security Alliance, Measuring risk and risk governance, more than 50% of companies do not evaluate the risk associated with their infrastructure, and 85% do not have a reliable list of the services they are using. You can’t protect things you don’t know about.
In that context, cloud providers hold a big share of the responsibility to help onboard companies into a secure-by-default environment. Yet default values at the main cloud providers don’t always reflect the user’s best security interest. Some providers are planning to change the default permissions on their storage solution to private in 2023, after more than 10 years of information leakage because of open storage buckets. According to the same survey, more than half of companies are most worried about unauthorized access and improper configuration and security settings. These are issues that can be prevented with the right tooling and sane default values. Why does it take 10 years to update these defaults?
There are many questions still open:
How can compliance programs be improved to actually make security better?
Whose responsibility is it to run a secure infrastructure?
Are budgets on par with the reliability expectations of our infrastructure?
Do we understand the risk of living in the digital world?
Can we afford this digital world we’re living in?
Information security costs are part of the costs of running a digital infrastructure. You either pay this cost regularly, by having a security strategy and people helping you run your infrastructure securely, or you pay this cost all at once, when the attack hits you. The only difference is who you choose to finance. Do you finance your employees, or do you finance the criminal organizations by paying the ransom to continue your operations, until the next time?