A half-decade of breach notification laws and penalties has shown that the proper motivation can regulate corporate practices and behavior when it comes to data security, as is usually the case when it comes to incentives and disincentives. Clearly, breach laws and fines are representative of the latter. Now, at least in the UK, there is a move to ensure that incentives are also part of the mix. It could mean that companies will take a second look at data protection tools like laptop encryption software such as AlertBoot.
Lloyd’s of London et al. Talking with OCSIA
According to zdnet.com, OCSIA — the UK government’s Office of Cyber Security and Information Assurance — has revealed that Lloyd’s of London and two other major insurers are planning to lower insurance premiums for companies that “take adequate measures to secure their networks.”
The director of the OCSIA, James Quinault, declared that “eighty percent of the attacks we see could be defeated by basic cyber-hygiene, techniques and software that are already readily available” and that “if firms can demonstrate the risk of expensive disruption to their IT has been reduced because they have better cybersecurity hygiene, they might be able to trade that for a lower premium.”
No specific details have been released, however; for example, would the deployment of computer data encryption software — and quarterly audits to ensure that everything is as it should be — be a factor in reduced insurance premiums? Or does this apply only to network security?
(And if so, why? The loss and theft of laptops, desktops, USB flash drives, and external HDDs account for a good chunk of data breach incidents. Just ask the ICO.)
Incentives and Disincentives, Carrot and Stick
If the insurance companies start to offer lower premiums and rates, will things be more secure all-around? Yes. It’s not a silver bullet — nothing ever is — but combine this incentive with the disincentive of losing money via fines, or losing face via public breach notices, or both, and you’ve got a great carrot-and-stick strategy.
Of course, this means that the insurance companies will have to ensure that proper security is in place. For example, did a company really use encryption to protect their client data? If so, was it strong encryption software? You’d imagine that companies looking to secure their data would use products that actually safeguard data, but that’s not how it always works (like getting a real security camera vs. a $25 “mock” security camera that looks just like the real thing).
Which is why, one presumes, the insurance companies are talking to OCSIA — they’re the ones who’d know what constitutes proper data security.