CxO Extra

Quocirca's Straight Talking: Marrying IT security and insurance

It's a type of convergence we should see more

Tags: trend micro, antivirus, insurance, quocirca

By Quocirca

Published: 14 December 2005 13:10 GMT

Some vendors see the sense in providing complete peace of mind to users wanting protected systems. But they are very much in the minority, says Quocirca service director Bob Tarzey.

Managers worried about whether their businesses can function following an IT failure may have good reason for concern. Plenty of businesses have been in the news in recent years for not having a good business continuity plan – often the problem has been a preventable IT failure resulting from a lapse in IT security.

IT security vendors play on this concern. They have products that help prevent those lapses from happening. The trouble is that while they have a valid message for businesses they are prone to overplay it. After all, selling IT security is their bread and butter.

How does a business know if it has spent enough on IT security and how does it know if it has identified the most effective IT security solution in an overcrowded market?

The answer will vary from business to business. For some the consequences of an IT security lapse are more severe than others, especially those that hold sensitive customer information that is increasingly subject to privacy laws and other regulations. A lapse in IT security, then, threatens not just business continuity but can also put the business in breach of regulations and damage its brand name, perhaps irreversibly in the most extreme cases. But no matter how much is spent on IT security there will always be a residual threat, as no IT security vendor can guarantee 100 per cent reduction of risk.

This comes as no surprise given that much of the threat is beyond the scope of 'standard' security kit such as firewalls and antivirus software. No IT security vendor can protect a business against a terrorist attack, earthquake or some lesser disaster such as flooding. Added to that, there is plain old employee incompetence and misbehaviour.

As IT security is of little help with such threats, businesses buy insurance products instead. Indeed, there is not really that much difference between the reasons a business buys IT security products and insurance products. They are both investments they would rather not make but know they are obliged to, to mitigate threats they would prefer not to exist in the first place.

It would seem reasonable to expect to find packages on the market that offer the two together, to provide a 100 per cent guarantee of business continuity following an IT security failure. That is, to require the customer to have IT security products in place but, if they fail and IT systems are compromised, insurance provides the funds to get things going again.

And indeed there are such products available. For example ACE, an insurance vendor, has a product called Dataguard which does insure against the consequences of the failure of IT security. Obviously ACE would not insure a completely unprotected network, so it requires that basic security measures such as antivirus and firewalls are in place. But that is as far as it goes. ACE does not concern itself with whether some products are more secure than others.

Perhaps it should. Better antivirus, firewalls and so on can mean less risk and less likelihood that the insurance will have to pay out. Interestingly, Trend Micro, an IT security company, has a service that sounds a bit like insurance.

It offers its Virus Response Service alongside its antivirus software. If the antivirus software fails, Trend will come and clean up the mess within two hours, and if it fails to do this it will provide financial compensation. Trend does this not because it has cash to burn but because it is confident that its products and services will work in the first place.

If more security vendors and insurance companies offered such products a market could be established. The price of policies would vary based on the effectiveness of the IT security deployed. Those using the most effective security solutions would be offered lower premiums. Not only would businesses have peace of mind but it would sort the wheat from the chaff in the IT security market, which is still very fragmented with more vendors than can be supported in the long term.

Analysts like to talk about convergence. Why not the convergence of IT security and insurance? Trend Micro and ACE both offer examples of where this convergence is starting to happen. It might be something worth considering next time your antivirus cover expires or your insurance premiums come up for renewal.

A leading user-facing analyst house known for its focus on the 'big picture', Quocirca is made up of a team of experts in technology and its business implications, including Clive Longbottom, Bob Tarzey, Rob Bamforth, Elaine Axby, Louella Fernandes, Sharon Crawford and Dennis Szubert. Their series of columns for silicon.com seeks to demystify the latest jargon and business thinking. For a full summary of the consultancy's activities, see www.quocirca.com.
