10 June 2015
Bermuda analysis

Firms must change approach to cyber-threat: former White House CIO

Companies need to view cyber security in a different way and focus less on spending a lot of money on preventing breaches and more on how prepared they are to limit the damage if one does occur.

This is the opinion of Theresa Payton, former White House chief information officer and authority on cyber security, who spoke to delegates at the Bermuda Captive Conference held in Bermuda this week (Monday June 8 to Wednesday June 10).

Payton admitted that the current model for preventing cyber crime is not working as the nature of the threat changes so quickly. She stressed that for technology-savvy individuals in developing countries, cyber crime represents a lucrative way of making money.

“And the moral compass gets turned upside down in some of these places when they are considered local heroes for bringing money into some of the poor areas where they live,” Payton said.

She added that companies and individuals should look at this threat in a different way and focus on what they can control.

“A breach at some point is inevitable; what they get away with and how you respond are the two things you can control,” she said. “Try and focus on your most critical assets and examine the implications of a breach and how you can better protect the assets.”

She was also critical of the way many security systems and procedures are designed, putting the technology ahead of how it will realistically be used. She said any security procedure should be designed on the assumption that users will do everything wrong. Secondly, she added that she always asks whether it has high empathy for the user.

Payton noted that cyber crime was recently ranked as the top national security threat by the US director of national intelligence, and it is estimated that cyber crime and espionage cost some $445 billion annually.

But while this is seen as a very sophisticated crime relying heavily on technology, the reality is that 95 percent of security breaches are caused by human error.

“The conventional wisdom is that these are sophisticated cyber criminals. In fact, this mostly comes down to human error,” Payton said.

She added that she believes the insurance industry could do better at understanding and offering coverage around this risk.

“If the industry can insure body parts, surely they can grasp this,” she said.

But she also admitted that it is difficult for underwriters, who need solid historical data on which to base decisions. “They are seeking definitive financial models to assess this risk, but the threats are so fluid it is impossible to do that,” she said.