Will You Be The Next Company to Fall Victim to a Cybersecurity Fallout?

Anita Molitor


How many digital blackouts will it take before companies take steps to understand cyber risks and how to manage them effectively?  We should be building resilience now, not firefighting when an incident occurs!

A lot can happen in a week, as the recent Microsoft-CrowdStrike outage has shown us all too clearly.  In the face of what has been described by some as the ‘largest IT outage in history’, can organisations really afford not to take cyber insurance seriously? 

Attitudes need to change 

After a cyber event of this magnitude, I live in hope that attitudes to cyber insurance will change.  Perhaps senior management will now understand that cyber security is not just an IT issue and that cutting the IT department’s budget is a bad idea. Perhaps IT teams will now understand that cyber insurance is not a useless expense but is an essential layer of risk management not to be ignored. And maybe companies will now fully understand that cyber security isn’t just about technology and that there are some factors you just can’t calculate.  

However, you can be prepared! 

CrowdStrike, a well-established firm and not a newcomer to the market, did not fall foul of a cyber-attack; the outage was due to an internal mistake, which has caused estimated losses of somewhere between USD 400 million and USD 1.5 billion (source: CyberCube). The insurance companies will be busy with this one until well into next year! The company is protected by Tech PI insurance, but it remains to be seen how much their insurer(s) will cover.
  
Tech PI, or Professional Indemnity insurance for tech professionals, safeguards against claims related to errors, omissions, or professional negligence in the technology sector. It covers legal defence costs and settlements in cases where a client alleges that a technology service or product did not meet expectations, caused property or business damage, or resulted in financial losses. Additionally, it addresses technology-related risks such as software defects, hardware failures, network outages, data breaches, and intellectual property infringement. 

And it wasn’t just CrowdStrike 

During the same week as the CrowdStrike outage, we saw another interesting incident occur. A well-known security company, KnowBe4, needed a new software engineer, so they posted the job online, interviewed candidates, and hired an IT worker. They made every possible background check, had video conference calls with the candidate and so forth. The new employee got limited access rights to the company’s systems, but soon after, a series of suspicious activities was detected. It turns out the new employee was a fraud. He was from North Korea and had used a stolen US-based identity and an AI-generated picture to fool the HR department. Luckily, he was caught and the company reported that “no illegal access was gained, and no data was lost, compromised, or exfiltrated on any KnowBe4 systems”.

Transparency is key 

I commend KnowBe4 for going public with this case. Disasters offer valuable lessons, proving that any company or individual can be a target. We need transparency, not silence or ‘it-can-never-happen-to-us’ attitudes. By being open when disaster strikes, we learn from each other’s experiences and mistakes. This is crucial in the fast-paced digital world where criminals easily thrive. Without sharing our digital experiences, we can’t prepare for or defend against similar events recurring. 
 
Companies must be aware of the risks and understand how to manage them effectively. We should be discussing cyber risk management strategies now, not waiting for an incident to occur! 

Anita Molitor

Cyber Specialist

T +43 664 962 40 08
