Posts Tagged ‘building technology’

How The Insurance Industry Could Change The Game For Security

The recent growth in the cyber insurance market is already improving cybersecurity in some industry segments, and has the potential to do more — if the industry is able to address its data problem.

One area where cyber insurance has already made an impact is in the retail space, said David White, founder and COO at Axio Global, a cyber risk company. After the 2013 Target breach, it became very difficult for retailers to get a decent price for cyber insurance unless they had completely switched over to end-to-end encryption, or had a definite plan in place for doing that.

“I spoke to a large retailer at a conference a year ago who was wringing their hands because they could not buy cyber insurance — the sort that would cover a payment card data breach,” White said. “Their problem was that they had not allocated the funding to install end-to-end encryption and were not even planning to in the foreseeable future. The risk manager told me that they had approached the insurance market annually for several years and all she could get were ‘FU quotes.’ The cyber insurance industry has been a substantial force in driving retailers to adopt end-to-end encryption.”

Next, White said, he expects insurance companies to start insisting on anti-phishing awareness programs, strong network segmentation, and network hygiene controls for industrial control systems.

“A decent analog is the presence of sprinkler systems and other fire suppression systems as a consideration for property insurance,” White said. “Organizations don’t stop buying fire insurance because they install a sprinkler system, but they do get more attractive rates.”

“Insurance companies are helping set some general standards for cybersecurity,” said Mark Sangster, vice president and industry security strategist at eSentire. “And it’s not just for the point at which the policy is written,” he added. “Insurers are adding language to contracts that require companies to maintain a particular level of security. For example, you must do annual cybersecurity training, and if you do those things, you can have the policy and it will cost you this amount. That’s like them saying, if you’re caught doing reckless driving, your auto insurance is null and void. I think they are one of the top influences at the moment when it comes to what cybersecurity policies and procedures need to be looked at.”

Insurance companies are asking for minimum controls, agreed Jenny Soubra, head of the U.S. cyber practice at Allianz Global Corporate & Specialty. But they’re also starting to go beyond that, with more services, she said.

“Pre-loss mitigation services offered by carriers have just become table stakes,” Soubra said. “Everyone wants their clients’ risks to be improved.”

And that translates to better security, she said, as companies become more aware of their vulnerabilities and take steps to close the gaps, train their employees, and reduce response times. But there’s a limit to how much insurance companies can actually do when it comes to measuring risk, she said.

Cyber Insurance Lacks Hard Actuarial Data, Technical Experts

According to Soubra, the insurance industry is still 30 to 50 years away from having a standardized cybersecurity data set, with relevant actuarial data, that it can pull insights from.

“The threat vectors are constantly evolving,” Soubra said. “There are new ways to get into the system, new types of ransomware are constantly being created. This, in turn, has the coverage that we’re offering constantly evolving. So we’re collecting new types of data that we weren’t collecting in the past. It doesn’t help that it’s difficult for insurance companies to share data. We need a way to standardize the data, share it, and repackage it in a way that would be useful.”

Insurance companies, for example, are often bound by non-disclosure agreements, and there’s no central body that collects cyber information the way the Federal Aviation Administration does for airplane accidents and the National Highway Traffic Safety Administration does for driving.

Instead, what happens is that insurance companies mostly sell coverage for loss of personally identifiable information and to cover the costs of business interruption due to cyber attacks, said Adam Thomas, principal at Deloitte Cyber Risk Services. The way it works is that companies looking to buy insurance fill out a questionnaire, then their insurance broker sets them up on a conference call with half a dozen carriers.

“It’s a high-level assessment — there’s not a lot of substantiation going on,” Thomas said.

And on the call itself, the carriers tend not to ask probing questions — they don’t want to give away their trade secrets to their competition, and they don’t want the client to think they’re hard to do business with.

“So that’s about as much due diligence as insurance companies do,” Thomas said. “And more recently, some of those calls have gone away because it was too much pressure on the customer.”

The cyber insurance industry doesn’t have anywhere near the depth of expertise found in, say, property and casualty, life, or automotive insurance.

“You’d think they’d take their actuarial knowledge, analytical knowledge and amass a ton of information about the claims they paid out, what the underlying causes were, so they can improve their policies,” Thomas said. “And the reality is, they haven’t.”

Instead, the industry is struggling with a dramatic shortage of personnel and a problem with getting good actuarial data.

“Most people writing cyber insurance don’t have technical backgrounds,” Thomas said. “They come from writing some other type of property and casualty insurance. They need to hire better people — and collect more data.”

And the data is another problem. In cyber insurance, the risks change more quickly than in any other type of insurance. Cars don’t — yet, at least — deliberately try to find new ways to kill their drivers. Tornadoes don’t deliberately aim for trailer parks. But cyber criminals actively look for new ways around security controls, and when they find something that works, not only does the news spread quickly to all the other criminals, but through the use of automation, botnets, crimeware-as-a-service and other tools the criminals can launch fast, massive attacks against, well, everybody.

Take ransomware, for example. SonicWall saw the number of attacks go from just 3 million attacks in 2014 to 638 million last year. That added up to $1 billion in profits for the ransomware industry. As a result, there are very few hard criteria for insurance companies to use when pricing policies. “It’s largely qualitative, not quantitative,” said Thomas.

They can look at the total amount of data at risk, and cost of responding to breaches and outages. Insurance companies also look at compliance — does the customer meet PCI or HIPAA requirements, or the new financial services regulations in New York State? And these kinds of guidelines don’t help much when the threats come out of the blue.

“Last year, our industry saw a large-scale cyber incident that never occurred before,” said Mike Donaldson, solutions specialist at Bay Dynamics. “We had a DDoS attack executed successfully across millions of endpoints that took down some major retailers.”

The number of vulnerable endpoints is increasing, he added, and now includes cars and medical devices and cameras. That means that an insurance company may be dealing with tens of thousands to millions of endpoints. “That makes it very challenging to assess risks,” he said.

Plus, many companies use third-party services — such as the cloud services providers hit by the recent DDoS attack. In some ways that creates the possibility of wide-ranging, catastrophic risks. But in other ways, using third-party services can improve a company’s risk profile, if the vendor is doing a particularly good job in security. So, for example, a car owner might pay a lower insurance premium if they buy a safer car.

“The cyber insurance industry has not leveraged the same telemetry to make the same kind of decisions,” said Rajiv Gupta, CEO at Skyhigh Networks. “Part of it is that the cyber insurance industry is much younger than the auto insurance or home insurance industry. And, in many cases, the industry is still not even aware that there is a way to objectively determine, or as objectively as possible, what is the security posture of a company.”

One issue is that, traditionally, the insurance industry has been backward-looking, said Steve Durbin, managing director at London-based Information Security Forum. But in technology, a focus on the past isn’t particularly helpful when everything changes so quickly.

“The challenge for insurance companies is more of a cultural or mind shift change that we have to embrace,” Durbin said. “Insurance companies will have to look at predictive analytics until we reach the point where they can combine them with actuarial data. Until then, I think it will be quite challenging for them.”

Uninsurable Risks

When there’s a lack of hard data or strict compliance requirements, getting cyber insurance may be difficult or almost impossible.

According to the Information Security Forum, there is currently little or no insurance available for catastrophic risks such as critical infrastructure failure or state-sponsored attacks, operational mistakes, reputation damage, industrial espionage, and loss of intellectual property or trade secrets.

According to the Ponemon survey, inadequate coverage was a major reason not to purchase cyber insurance for 36 percent of companies, tying for first place with the high price of premiums. And too many exclusions, restrictions and uninsurable risks were cited by 27 percent of respondents. And if a company does get coverage, it may be difficult to get a payout.

“The onus is on the company to prove that their controls were adequate but they still got breached and the insurance company should pay up,” said Javvad Malik, security advocate at AlienVault. “It’s never an easy process. It doesn’t help sometimes that breaches don’t get discovered for months or years. It’s kind of like health insurance. Are you covered for existing conditions? This is where it really gets messy.”

The Problem Of Low-Value Policies

One of the reasons that insurance companies might not be doing as much research and analysis as they could, and requiring serious risk assessments on the part of their customers, is that the dollar values of the policies are still relatively low.

“They’re not risking a lot,” said Itzik Kotler, CTO and co-founder at SafeBreach, an automated penetration testing company. “As the industry grows, then they will revert into more means of measuring the risk.”

SafeBreach has insurance companies as customers, he said, but for internal security testing — not as a risk control for their clients.

“As the industry grows, and companies want to purchase bigger policies, with more money, then the question of how insurance companies will mitigate their risk will be more relevant,” Kotler said.

The global cyber insurance market is now over $3.25 billion, and is expected to reach $20 billion by 2020. The entire US insurance market is more than $500 billion, so that might not seem like much at first. But it’s a significant change for the industry.

“Insurance companies are extremely excited about the product because it’s probably the first new insurance product that they’ve been able to take to the market in the last 80 to 90 years,” said Deloitte’s Thomas. “So there’s a lot of emotional excitement about it.”

And there’s a lot of room for growth.

According to recent research from the Ponemon Institute, the average company only has 15 percent of their information assets covered by insurance — compared to 59 percent for property, plant and equipment. That’s despite the fact that the average potential loss for the information assets is greater — $979 million, compared to $770 million.

Today, there is only a very small number of large writers, with over $100 million in cyber insurance premiums, according to a report by Betterley Risk Consultants.

There are several insurers in the $50 million to $100 million range, several more in the $25 million to $50 million range, and numerous insurers less than $25 million, the report said.

“That’s more than 60 carriers that offer cyber insurance altogether,” said Marc Schein, risk management consultant at New York-based Marsh & McLennan Agency. “Some carriers are offering it as a standalone product, other insurance companies will offer it in a package.”

Source: CSO

The Keys To Implementing An Effective Surveillance System

Whether you have a surveillance system in place or are looking to develop a new one, the world of cameras and security equipment can be daunting to those who aren’t experts in the industry.

When working properly, a surveillance system can improve your response to crimes or other issues that arise.

“If an organization has an on-site security force and a security monitoring center, a camera system can be used to leverage their capabilities,” says Michael Silva, Principal at Silva Consultants in Covington, WA. “One security officer sitting in a control room can monitor an entire campus with the video system. When used with other systems like motion detection and access control systems, it can really leverage what one security officer can see.”

However, when not installed and operated properly, a surveillance system will be of little help. Awareness of some key issues in video surveillance will ensure that you are keeping your facility safe.

Identifying Vulnerabilities

Silva suggests starting with a security risk assessment that diagnoses a facility’s needs by examining risks and threats. He likens this process to having a physical at the doctor; the assessment is about finding problems and developing solutions to address them. Doing so allows you to determine the overall goals of your security program and identify how personnel, procedures and technology will contribute to achieving these objectives.

Specific areas and strategies need to be made clear from the beginning. Jason Maddox, President of Vulcan Security Systems in Birmingham, AL, first looks to identify the intended scope of the security system a client wants.

“On any building, some basics almost always apply. I like to secure from the inside out, and if you have a high dollar asset, we would like to put a camera on it,” says Maddox. “You want to have ingress and egress points to the building covered. That way you always have timestamped video of who came, who left and when they left. Immediately after that would be your server or mechanical rooms, so you know anytime someone’s coming in or out of there and have a record of it.”

Assessing Video Quality

Identifying the particular reasons you are installing cameras can prevent disappointment later. A statement of purpose that clearly defines your goals will help you communicate with surveillance professionals, and they can then address any misconceptions before it is too late.

“You need to communicate fully what you want to achieve in writing and let them design a system to meet those stated needs,” explains Silva.

Set Expectations

Silva suggests establishing reasonable goals when you are planning a surveillance system.

“A lot of people view a video surveillance system as a magic bullet, but once they’ve done this underlying planning and identifying what the solution should be, cameras may or may not be the correct solution,” Silva explains.

In fact, Silva contends that cameras have become one of the most misused types of security technology because they make people feel more comfortable merely through their presence. An overstated reason to get surveillance is that cameras provide a deterrent to crime. Silva notes that just because a person committing a crime sees a camera does not mean they will think rationally and worry about the consequences, so cameras might not be as much of a deterrent as many believe.

That is not to say that a surveillance system won’t help if something does occur. Cameras can provide video documentation of security incidents that can be helpful when investigating crimes and identifying criminal suspects. In any case, it is important to keep in mind that no system is perfect, and that surveillance cameras – like any other technology – are prone to imperfections.

“Usually the biggest disappointment people have is an expectation that they’re going to be able to clearly see the entire area with crisp, high resolution and positively identify someone who on the screen looks to be about a quarter of an inch tall,” says Silva. “Most commercial video systems don’t do that, and if they do, they do it in a very limited area. One of the most important things you can do is actually define what your goals are.”

As with anything else, surveillance technology is going to cost more as quality increases. Therefore, if money is an object, you should identify where coverage is absolutely necessary. Even if a surveillance system does not completely deter crime from happening in your facility, it is also important to consider how else a surveillance system might help to benefit your business or organization.

Maddox has noticed an increase in facility managers approaching HR, life safety and operational issues like slips and falls and worker’s comp with security cameras. Most importantly, these kinds of considerations can help justify the upfront cost. However, no matter the application of security cameras, you should know the technological advancements and concerns in the industry.

Technological Considerations

In the past, analog systems dominated the market, with separate coaxial cables running from each individual camera to a central recording switch. More recently, IP technology has taken over surveillance, reducing the number of cables – especially in systems covering a number of cameras and buildings. For those looking to add to or modify an existing analog system, the good news is that analog systems are not obsolete, but the direction of the industry is and has been unequivocally IP-centered.

“The industry has done a pretty good job of maximizing what they can get out of existing coax cable; it’s basically given the analog systems an extended life. But at the end of the day, it’s still an old technology,” says Maddox. “If someone’s going new, then we’re almost always going to recommend IP because it’s newer, you can get better resolution and do more with it. But the industry as a whole has done a good job extending the life of analog systems.”

If you are looking to develop an IP system, all you need is a network cable connection, which is often accomplished with fiber optics.

“If we’re doing a multi-building campus, we’ll run a single fiber optic cable from each of the buildings to the central building,” says Silva. “At the end of that fiber optic cable in each building, we’ll install one or more network switches. These switches will allow us to connect all of the security devices in those buildings. You need connectivity between buildings, which in most cases, you will have. Security devices can communicate over a segmented portion of the enterprise’s regular network (VLAN) or a separate dedicated network just for security devices can be provided.”

In addition to the sheer convenience of an IP system compared to an analog one, video and image quality are improving.

“You’re inherently capped at right around 2 megapixels for analog, but with IP the world’s really your playground as far as the resolution,” says Maddox. “Higher and higher megapixel resolution cameras are coming out every day.”

Bandwidth and data storage are two of the main areas the industry is looking to enhance. Balancing these two areas with the highest possible video quality can be a challenge under a budget, but solutions continue to become less expensive.

“If your whole system is recording within the building, bandwidth is usually not a problem,” explains Silva. “The other main factor is how much disk space you need to store it. With these newer cameras, you need much more storage, but the cost of storage is going down significantly. In the commercial realm, it still costs money for good storage, but if you want to spend the money, you can get super high-resolution cameras that pump out a lot of data, and you can make that work with high-capacity drives.”

Lighting and Indoor Cameras

Because of advancing camera technology, video quality continues to improve. In indoor settings, users will usually be able to get the best out of their cameras because the conditions inside best facilitate the technology.

“Indoor cameras are pretty basic because in most cases, unless the camera is looking at a door or a window, the lighting is pretty constant inside,” says Silva. “Generally, it’s much easier to do camera installations inside.”

Consistent lighting indoors helps with video quality, and cameras ultimately require less light than it takes for humans to see. Consequently, you can often get away with using a less expensive camera and expect good results.

“You can be guaranteed good video quality indoors probably 90% of the time,” explains Silva. “Outdoors, it is a little more iffy. You can get just as good video, but you have to do a lot of careful planning. You have the elements to worry about – weather, rain, snow, sleet and freezing. Cameras outdoors are usually more expensive, and you have to give a lot more thought to what kind of camera to use and where you’re placing them.”

Weathering the Outdoor Elements

Outdoor surveillance is frequently more difficult because of the variables that affect light quality, which include cloud coverage, darkness, bright lights shining directly into the lens and uneven lighting.

“When you’re talking about an outdoor arrangement, you have a whole different set of conditions because the lighting level outside is constantly changing from super bright sunlight in the middle of the day to a huge variation of lighting conditions,” says Silva.

For example, an outdoor camera on a bright, sunny day can give you a clear, crisp image of a parking lot. However, during the winter, heavy rain or at night, that camera will not be able to provide the same level of picture quality. That is not to say that the camera is unusable in those conditions, but it is important to know that there will be some difference. Lighting solutions can be a productive way to bridge this gap.

“You need to have decent lighting to get decent video,” notes Maddox. “The camera manufacturers are doing a great job when they claim the little light or no light cameras, but you still need decent light if you’re not using infrared or supplemental lighting.”

When you do have lighting within an outdoor space, you need to be aware of the light sources that might interfere with the cameras. For example, the bright headlights in a parking facility might prevent the camera from capturing vital information like a license plate number.

“In areas like parking lots, there are issues with lighting that typically make the design much more challenging,” says Silva. “Different cameras have different abilities to work in different lighting conditions, so in your written goals, you would state, ‘This is the parking lot. These are the light levels that are in the parking lot. Here’s what we want to achieve.’ Then, let the consultant or the vendor come up with the appropriate cameras.”

Planning and setting realistic expectations, like any other part in the surveillance process, will help you get the most out of your system.

Establishing a Surveillance Policy

The advent of new surveillance equipment in a facility often ushers in a series of questions and expectations about use of the camera footage from occupants and even other nearby facilities. If clear guidelines remain unstated, requests for use outside of the intended purposes of the system can generate conflict.

Thus, when installing a new surveillance system or updating an existing one, it is a good idea to institute a written policy that will specifically outline what purposes the cameras will and will not serve. In this policy, you should be sure to address the basic functions of the system and answer questions of access to the video.

Some important areas that should be addressed include:

– Intended purposes of the surveillance system
– Proprietary rights of video
– Personnel who have access to video
– Proper channels to obtain video
– Areas that are and are not covered by cameras
– Appropriate locations for camera placement
– Basic operations of cameras
– Details of archival video footage
– Covert cameras that may be in use

Source: Buildings