SE Labs

Special Edition
Computer security testing comment and analysis from SE Labs

DE:CODED – Understanding and Managing Risk

“No one ever thinks it’s going to be them.”

DE:CODED is the official podcast from SE Labs.

SUBSCRIBE! Use one of the ‘Listen on’ links below to keep updated using your favourite podcast platform.

Listen on Apple Podcasts Listen on Spotify Listen on Google Podcasts Listen on Stitcher RSS Feed

Series 1 | Series 2 | YouTube

🥇 Winner of the Best Up & Coming Podcast 2021 award 🥇


Show notes for series 1, episode 6

In this episode Simon and Marc focus on the basics of understanding and managing risk. They discuss insurance, how to assess the risk of anything (from dropping a cup of tea on an expensive server to animal attacks!) and touch on ransomware.

Understanding and Managing Risk

We look at the issues from the perspective of executives in large organisations and founders setting up their own startups.

Please subscribe and join the discussions.

Sign up to our newsletter!

Annual Report 2021

Topics

  • Security advice for startups
  • Cyber Essentials, Cyber Aware and ISO 27001
  • Deprecated advice
  • Scaling security with your company
  • Risk registers
  • Examples and risk scoring
  • Impact and probability
  • Insurance company’s guide to managing business risks
  • Startup advice
  • Ransomware and handling criminals
  • Why insurance companies are worried about cyber cover
  • Risks with litigation (USA vs. UK)

Resources

Transcription

(Generated automatically)

Simon Edwards 0:01
Welcome to DE:CODED Series One, Episode Six – your weekly podcast providing in depth insight into cybersecurity. Show notes, including any links mentioned in the show are available at DecodedCyber.com. In this episode we’re focusing on the basics of managing risk. We’re going to talk about insurance, about assessing the risk of anything, from dropping a cup of tea on an expensive server to mitigating the risks of animal attacks. We’ll touch on ransomware and try to look at the issues from the perspective of executives in large organizations, and founders setting up their own startups. So where do we begin? I’m Simon Edwards, CEO and founder of SE Labs, the leading security testing lab. I’ve been advising on security for over 20 years.

Marc Briggs 0:36
Hi, I’m Marc Briggs, with over 10 years experience as a British Army officer. And five years in cybersecurity. I’m now the COO of SC labs.

Simon Edwards 0:40
Security for startups, and why there isn’t much official advice, because we’ve done the ISO 27001, which doesn’t give you practical advice really. It gives you kind of a framework to work on. And we’ve got Cyber Essentials, which we’ve talked about. And there’s a new-ish thing called Cyber Aware. But it’s all very general and quite high end. So I thought maybe seeing as we’ve done a startup or two, and we’re very security focused, we could probably offer some advice to people.

Marc Briggs 1:04
Yeah, and I’ve had emails only this week through our website asking for information for startups and small and medium businesses, and whether we provide that advice, and what the advice is, you know, where to where to go. And so the demand is out there for that, for that advice,

Simon Edwards 1:17
I think the demand isn’t being satisfied, because there isn’t much money in it. You know, we can do a podcast and tell people what they should do. And it doesn’t really cost us anything, and no one’s paying for it. But I wouldn’t want to set up a business trying to provide security consultancy to small businesses, because there just isn’t the cash, certainly not for the startups

Marc Briggs 1:28
No, as a startup, I guess if you’re taking an investment and building your company as fast as possible, it’s just a matter of prioritization. And you’re working at such a pace are you thinking in such a focussed way about implementing the right security protocols? Or do you just focus on making money, turning over the business and doing what you need to do, but without the breathing space to think about what you should do?

Simon Edwards 3:09
Well, there is one legal startup we talked to a few years ago, where the guy was using his personal iCloud account for everything to do with the business, there was no sort of wall between his personal life and his business life. Yeah. And you know, you can you could hack an individual and get their bank details and mess with their life. But if you can also get into their business data and their IP for their startup, and wow,

Marc Briggs 3:34
yeah, but no one no one ever thinks it’s going to be them. Like that. Everyone’s always got a justification as to why they don’t need to invest so much time, or effort or resource with security, whether it’s be well, why would anyone target us or, you know, we’re too We’re too small organization to have to be noticed, or people apply or applying security practices that they’re aware of a number of years ago, which may have been sufficient back then. But now they’re, they can be bypassed quite easily.

Simon Edwards 4:16
Or there’s some really old advice, something that keeps coming up because journalists will read old articles and regurgitate about passwords. So changing your password every so often used to be the de facto advice. Yeah, but everyone that was interested in paying attention realize that people would just make their password password one today. And then next time they change it, password two. Yeah. So even like the UK government’s websites and things now say, changing a password every month is silly. Don’t do it. But people still put articles out about you should do this. So I thought maybe we could talk about things like cyber insurance because that’s about threat mitigation. But also, before we get And some real practical tips and ways that you can create strategies for your security and plans and things like that the ISO certification that I think we’ve talked about before, I think if you’re a startup, it would make a lot of sense to pay attention to it early on. And I don’t mean, you should get it, the minute you go through the expensive process of getting it, but have a look at what you need to do. Because if you do some of those things anyway, it’s a really good idea. And then when you come to an ISO certification, that 27001, one, then you’re ready for it. Yeah,

Marc Briggs 5:34
it’s all to do is scalability, isn’t there? That’s true. It’s, it’s, it’s not a new concept, when you’re building a business, to put in infrastructure in any department. And cybersecurity is just one of those security in general, it’s not just cybersecurity security, in general is one of them. And it’s all around, making sure that doing more than just getting by, you’ve got five members of staff, well, you’ve all got multiple crossover responsibilities. But if you start to inter introduce a structure to a business that when that at that stage, and policies in place, when you become a 500 staffed business, you can just expand the policies you’ve got and you aren’t reinventing how you work as a business. And the same as your ISO example is, is is is a good one. In that respect. If you start your if you start your file management and your security protocols in line with the advice and the question that come alongside the ISO 27001, when you are building your business, you build it in with a framework that you will have naturally completed ISO, the ISO qualification when you come to want to be tested in it, or you get asked by a client if you are ISO compliant.

Simon Edwards 7:07
And you don’t have the politics that when you’re a small company don’t have lots of stakeholders all arguing over how a policy should be written. When it’s two or three of you setting up a company you just decided. And then later on, as you scale up and heads of department want things changed, it’s kind of harder for them to, to change it. And we know people who have gone into large retail organizations and tried to get an ISO standard through and it’s taken more than a year. Whereas we did it in about a month or eight weeks or something like that.

Marc Briggs 7:41
Yeah. And that’s Yeah, that’s because we’re passing on the advice of the other practices that we carried out, we built this company was built around a good security, good security practices were probably a bit

Simon Edwards 7:57
more paranoid than most what some focus on what’s a risk register, because that’s something that was new to me as a concept. And I think it might be quite a good thing to use to start off, someone’s thinking around their security.

Marc Briggs 8:11
So a risk register is a, it starts off with which you can separate it by department. Or you can have it as your whole business. It depends how strategic or tactical operational you want to be with it. But it’s a list of every risk associated that you can think of. That will materialize as a result of you doing the work that you’re doing. That will have an impact on the business that will have a an effect on the business. So it’s a list of things that we’ll have, if they happen will have an effect on the business, you then a negative effect, I should say, you then need to identify how big an impact if that action or incident happened, how big an impact that would have, and then the likelihood of it happening. And then you give it a score, and that is your and then after you’ve got your score, you then decide your risk appetite, which is at what level of score do you start to need to do something about that risk or that event? And then you mitigate the risk in any number of ways. There are to mitigate risks, there’s about four or five different ways to mitigate risk. And then after that mitigation, you reassess your original formula. So the probability will remain the same, but the impact should be reduced because you have mitigated the risk and therefore you give it a new score and you have to see if that new score is below your risk appetite. If it’s not, you need to get again, if it is, you move on,

Simon Edwards 10:09
let me give you a couple of thoughts was, I’ve been thinking of some scenarios whilst you’re explaining that. So one is that we drop a cup of tea onto a £20,000 server in the and that’s pounds as in money dollars, not weight, in the server room and blow it up. So we lose lots of data with these sorts of expensive hardware. And another threat might be our office is quite near some stables so some ponies walk past us and horses every so often. We’ve even got special traffic lights for the pedestrians, which are extra height, so people on the back of the horses can touch them. But what happens if as we go out to buy our lunch, we get kicked to death by horse? So those are two threats. Okay, how would you? Well,

Marc Briggs 10:51
let’s assess those. So let’s talk about the cup of tea in the server room. So we’ve identified that a server failure will have an impact on the business, and it would be damaged if liquid was spilt on it. So the impact is high to our business, the probability of a drink being spilt on it, let’s say it’s medium, when we got a risk score, which is high and medium, which is medium high, and that is that is not acceptable. So we want to mitigate that risk. So we would sit down as an organization and go right, we want to mitigate that risk. So how, what is what are some of the ways you can think of mitigating the risk? I could put plastic coverings on all the servers?

Simon Edwards 11:47
Yeah, absolutely. I could drink from the entire office from the building. Ban drinks. Yeah. I could ban drinks from the Justice server. Yes. I could ban servers. We just don’t have any computers anymore. Well, I guess we’ll be able to do your business. Well, yeah. I mean, I guess that’s another variable, isn’t it? Is business continuity? Yeah. I was gonna do banned people from going into the server room or banning Yes. Make make it like completely. Ban everything. banned business make make it kind of allows you remote access kind of facility. Okay. Yeah. So even if one person does have to go in every so often, the chances of them dropping a drink on the servers lower. Okay. Because

Marc Briggs 12:35
there’s less, there’s less frequency of being done that, yeah, we could buy another server and and have it to plug in when I drink an insurance policy on this. We have all we could just insure it with an insurance company. Yeah. And so when it gets when the drink does get poured on it, we, we just claim our insurance and get a new. So there’s a number of ways there. So we now need to work out. So we’ve got some great ways of of mitigating that risk, we now need to decide which one’s most appropriate out of those possibilities. For our business, it’s probably not banning services. Nope. Not going to be banned service. And are we in the business of just buying spare equipment, just in case the planet doesn’t like that? No. And nor does the bank balance? And particularly, it kind of feels like banning drinks from the server? Yes. You know, what are your first suggestion was like wrap it in plastic. Yeah. But of course, we’ve got a problem there with temperature control. And access, we plug plug things in and out of it will be turned on as well. So yeah. So burning drinks, or burning any liquid food or drink from the server room is a practical, achievable, and appropriate mitigation measure that we can enforce a very little impact, very little extra resource allocation to us as a business. And so that, you know, risk register is our mitigation. So we’ve gone from a medium high risk, mitigated it, we now look at the impact and probability again, now the impact of a liquid drink falling on the server, and damaging it is still high. But now the probability of it happening because there’s no drinks in the server room is now low. Which brings our overall risks or down to medium or medium low. And that is below our risk appetite level. And therefore, we can move on,

Simon Edwards 14:37
we might still want to backup the server because other liquids could get involved. So let’s say that there’s a flood. Yeah, this has happened in a company where I worked where the server room was in the basement and water made Ingress. So you might still want to insure your server or you might still want to back the data up or have a spare somewhere. For other non t related incidents.

Marc Briggs 14:59
We Yeah, that’s another line on the risk register. Okay. Yeah, yeah. Okay. What about the ponies? Right? Okay, so you’re outside. What was that? You’re outside going for lunch? Yes. And a pony kicks? Yeah. Yeah, it

Marc Briggs 15:10
startled by my keen fashion sense.

Marc Briggs 15:14
So, so the impacts of that to the business that you get a kick? Yeah, no, it’s me. So I think it might be significant say impact is, is high to the business. The probability though, what is the probability of you out and about walking around? getting so close to a horse? But

Marc Briggs 15:40
my mom always told me not to stand behind them

Marc Briggs 15:43
of getting kicked in the head. So is it what would you say? The I would say that was low. Okay. So when we look at the when we look at the overall risks, or we’ve got a high and a low, so it’s medium. Now we can we then sit down in business? Are we happy with that? Are we happy that there’s horses out there? We just crack on? Or do we go? Well, a medium risk level? We should have a think about some mitigation. So let’s have a think about how we might mitigate that risk. could wear helmets? Yes. Yep. You could wear you could wear a helmet. I mean, you got no guarantee it’s going to keep you in the head.

Simon Edwards 16:21
No, but I think that’s probably the worst place that you can

Marc Briggs 16:24
maybe Yeah,

Simon Edwards 16:25
you could go and get me lunch every day.

Marc Briggs 16:28
Send someone out to get lunch? They could get kicked. Yeah.

Simon Edwards 16:33
We move the office somewhere else?

Marc Briggs 16:34
Yes. Move the office away from the stables? Yeah.

Simon Edwards 16:40
None of all of these mitigations seem out of proportion to the likelihood of it happening. Okay. Yeah.

Marc Briggs 16:46
So this is good. This is this is good. When you go through mitigation measures, you have to make sure they’re appropriate and proportionate to the threat level. Otherwise, you’ll end up spending too much time effort or money mitigating too far.

Simon Edwards 17:04
So I think there should be a policy of not standing behind horses, okay.

Marc Briggs 17:08
Or you could just have education. So in this when staff arrived here on their staff briefing handbook we talk about we have to talk about health and safety Anyway, when we’re talking about

Simon Edwards 17:22
the horse section of those slides

Marc Briggs 17:23
we have to talk about lifting and trip hazards, and the server, all that good stuff, which we do anyway. And it’s available in our in the staff handbook and available on our interweb. And the horse. The fact that we have horses walking around outside should be part of that. And therefore we’ve, we’ve educated staff, that therefore when they walk out and get their lunch, they see a horse, hopefully they remember their training, scream and run. And then they won’t walk near it. And therefore we’ve reduced the probability of of them being close enough to be kicked, that we really look at the risk register, impact still high probability reduced. Now it’s a low, risk acceptable. Move on to the next one.

Simon Edwards 18:21
So once we understand how a risk register works, we could probably talk about some of the common, likely high impact threats that every business faces and give some general advice on that. Yes, absolutely. When you read articles about common cyber threats, you often see things split into groups, like malware, ransomware, and phishing. But in many cases, these can all be part of the same attack. If someone sends you a link that downloads ransomware onto your system, you have all three covered ransomware is definitely a type of malware. And the email that you receive with that link is a phishing attack. Now Hiscox, which is a pretty well known business insurance in the UK, they’ve published a guide to managing risks. Some years ago, actually, an interesting the even in 2016, they had cyber threats as the number one issue. But, you know, we cover that quite a lot. So I thought it’d be interesting to look at some of the other things that they talked about. So from their perspective, other common threats to businesses work, poor cash flow, hiring the wrong people, developing a poor reputation, getting sued, and physical crime, such as burglary.

Simon Edwards 19:43
Well, anyone who has started a business knows that cash flow is crucial. It’s the thing that they say, when you read any guide about setting up a new business, is write a great business plan and watch the cash flow. It’s crucial, but it’s also potentially very boring. Because if you’re an executive in a large company, well, somebody else is probably worrying about that side of things anyway, unless you’re the chief financial officer, the CFO.

Simon Edwards 20:10
And if you’re running a startup, it’s possibly the most important thing. But you want to focus on your cool new idea and get investors hooked in or get customers depending on how what kind of startup you’re in. And if you’re running a small business, you’re probably killing yourself, keeping your customers happy, and finding new ones. But forecasting, invoicing and saving money, they’re critical.

Simon Edwards 20:36
So imagine the following real life scenario, because this was me a couple of years back, you only have so many hours in the day, and you need to send out a dozen invoices, which will bring in enough money to keep the business going for another three months. You also have back to back calls with customers and potential new customers. And let’s say that you enjoy that part of the job more than invoicing.

Simon Edwards 21:00
And then you also need to run the payroll for the month because it’s too early to have a finance team. And you don’t want to waste money outsourcing because that’s really expensive. So given that it’s Friday, and you have to do all of these things, how do you prioritize.

Simon Edwards 21:14
Well the calls will bring in more money, and they will increase your reputation, or you’ll lose your reputation if you don’t take calls often enough. The invoicing is boring work and gets in the way of business development, the calls you’re going to take. And then the payroll. Well, if you don’t pay the staff, then you are dead in the water.

Simon Edwards 21:33
So the real answer, which won’t really appeal to very independent-minded people who are trying to do it all themselves, is to work with the right people who you can trust to do the things that you shouldn’t, like invoicing and payroll. The business risk of taking everything on yourself is massive, and it will drive you mad. And this is true, whether you’re a startup CEO, or a manager at a large company.

Simon Edwards 21:59
And I’ve been both. And I have to say that learning to delegate and trust people can be a real challenge. So my only useful advice here is to try it and see what happens just bite the bullet, because in my experience, you’ll be pleasantly shocked. And if you’re a good leader, you will experience this really weird feeling you get when you hear people talking to others using your own words and phrases.

Simon Edwards 22:24
Now, speaking of staff, hiring sensibly is tough, but worth the hours that it takes. And if you can delegate that as soon as possible, so much the better. hiring people can be very time consuming. And also consider that if you’re the CEO, you may not be working directly with the new people, the new hires, but your current staff will. So picking people that you personally like might not work for the others in the office, having a happy team is is critical, is not quite as critical as cash flow, perhaps. But you will have less staff churn if everyone is happy, and it saves you time and money as well.

Simon Edwards 23:06
Reputation was another thing that Hiscox brought up, it does matter a lot. No one wants to work with horrible people. Sometimes they’re forced to. And we in the security testing industry, we’ve seen what happens there, unhappy customers, and also massive opportunities for new entrants to step in and attract the business with good ethics and accurate work. So how do you monitor reputation?

Simon Edwards 23:34
Well, it depends on the type of business you’re running. If your consumer focused, then online reviews probably matter. We don’t do a lot with consumers. So when we see silly comments made on various online forums, we have a strategy to let the slanging match play out, and then drop in some facts at the end for historical purposes. So for those who find the threads in a year or two, they can see that you had a point to make and perhaps the lies were lies.

Simon Edwards 24:03
You can’t convince people who are sure their rights. So the people having the fight is kind of pointless trying to convince them. But you can go on the record as challenging their accusations business to business ventures, which we largely are, they probably don’t need to worry too much about forums. But you do have sites like Glassdoor they let employees rate their employers. So you might find that you’re a poor reputation on a site like that might cause you to struggle to hire new people. Now, legal threats are an issue for every company, I would say.

Simon Edwards 24:41
It’s really hard to give proper advice on this other than say that it’s okay to make mistakes, is when you try and cover them up that things get tricky. Now, I’ve been involved in helping out with some significant litigation in the US, possibly the world’s most litigious location, and having been interviewed by the DOJ, the Department of Justice, I can honestly say that you just want to avoid all involvement, where you can

Simon Edwards 25:06
Also bear in mind that lawyers and law enforcement, they use a completely different language. They have their own jargon. So again, depending on what, regardless of which industry you work in, I would speak to them like you would almost a five year old, because otherwise your words will be misunderstood.

Simon Edwards 25:23
I’ll give you a quick example. In the testing world, if we do a test, we then share results and people get to challenge them. We call it the review period. But in the industry, it’s generally called the dispute period. So we all talk about people having disputes and disputing results within the legal world, that sum usually down to breaching contracts. If people are disputing something, it means something completely different. So you can throw away throw around a word casually like dispute. And you and I, it might mean one thing, but to them, it’s something much more serious.

Simon Edwards 25:57
So try and simplify. Also, the DOJ generally don’t know what viruses are – computer viruses. So that was an interesting education. But basically, be good, be honest, and save a few 100,000 of your Western currency just in case.

Simon Edwards 26:15
Now insurance is an age old way to mitigate threats, particularly the ones over which you have very little control. So you know, fire theft and tax investigations. But what about cyber threats? Well, cyber insurance has been on the horizon for ages. And we’re really only just starting to see companies taking it seriously.

Marc Briggs 26:39
It’s difficult, though, because is it going to cover me from a ransomware attack. Well, surely, that’s illegal, because you’re paying a criminal. Yeah,

Simon Edwards 26:47
there’s ethics and legality. But we also know, don’t we, that people do pay through security companies and law firms? They pay kidnappers, don’t they?

Marc Briggs 26:57
They do. But yeah, my question is, when do you when you bring that into the mainstream of insurance? And I Oh, yeah, we’ve got a policy to pay ransomware attacks? Isn’t that just going to encourage more ransomware attacks? That think they need much encouragement? But yeah, that’s a fair point. And is it going to discourage the companies from sufficiently protecting against them? If they’re risk mitigation is transference of risk to insurance?

Simon Edwards 27:34
If you were an insurance company as well, how would you I wouldn’t insure anyone to not get ransomware? Because the the amount they could claim would be could be horrendous if their whole business is taken down? And how would you how do you tell that a company’s hack proof?

Marc Briggs 27:50
Yeah, and we’re we’re kind of talking in the dark here, because I’ve not seen any details of any cyber insurance policies. But rants, but if I wanted, if I wanted cyber insurance, or insurance against being attacked, my business being attacked, I’d want ransomware covered. But it seems like it’s such a an attainable beast, because like you say, like the figures that they criminals could ask for could range anything from $5 to $5 million. Whereas the

Simon Edwards 28:28
are you insuring to be able to pay the ransom? Are you insuring for your business loss? So let’s say you don’t pay the ransom. Because we’re not going to. it’s against the law, it’s against our principles. But our business worth 10 million pounds dollars has just completely gone because all our files encrypted, isn’t it the business lost that you might

Marc Briggs 28:51
I think that’s I think you might have hit on something there. And that might be a more secured, perhaps wrong word, but a more robust way of protecting your business continuity against the ransomware attack, if you have a number of lines of security insofar as you’ve got the insurance to pay for business loss, but you’ve also got sufficient backups. And so your as soon as you get a ransomware attack, you switch to your backups, which take you to yesterday, let’s say or last week, depending on turnover your business and the you’re insured against the period of time it takes for you to bring those backups online and for the work that you’ve lost in the period that you haven’t backed up. And that’s your that’s your that’s your insured Delta.

Simon Edwards 29:46
And that’s what the insurance company will want to see how have you got backups and only maintained and kept away from

Marc Briggs 29:53
harm? Yes, they can’t be included in the same in the same attack.

Simon Edwards 30:00
Then you’ve got in cyber insurance for other threats like theft. You know, you’ve got your vaccine formula that has now been stolen by yet some other country. Yes, yes,

Marc Briggs 30:11
that was a big thing. That was a big thing. Also, you know, attacks against they that the COVID vaccine manufacturing companies. It’s a national level, I guess, because the global rush to get vaccination out and be the first country to be to be vaccinated and get their economy back on track. Yeah, God, I

Simon Edwards 30:37
wouldn’t want to be an insurance company that was insuring a country for economic losses, because that would be billions within this thing, though.

Marc Briggs 30:45
Do you insure a country where you can insure companies, I guess, but an entire country? I guess that’s just then they just all borrow money off each other? Yeah. And then they never pay? Yeah. Yeah. Yeah. So. But there’s a number of reasons why you should get I think you should, you could, you could, you could reassure yourself and any investors about business continuity with by getting cyber insurance, because it’s, it’s the same way that you get insurance about having a flood in your building or, or a fire or anything like that. You just need to cover the difference that it’s going to take you to get back up on track. Yeah, yeah.

Simon Edwards 31:38
We’ve have in the not too distant past talk to some major insurance companies, haven’t we about cybersecurity insurance. And the theme that came out of those meetings was insurance companies are all based on metrics. And yeah, like it is a ship is going to sink and all that kind of thing. Yeah. But no one knows anything about cybersecurity just hasn’t been around long enough for them to work it out. Yeah,

Marc Briggs 32:01
there’s just not enough data to churn through which they can draw patterns from because it is just there’s so many different variables.

Simon Edwards 32:12
It’s like a casino, I suppose, where they have worked out so that you feel like you’ve got a good chance, but you really don’t have a good chance. And insurance. Insurance companies have got it worked out. So you think you’re getting something? But of course, in general, you’re not.

Marc Briggs 32:27
Yeah, your your general house insurance, you think you’re getting a good deal paying a couple 100 pounds? 100 pounds? Yeah. But they know, they know how many houses actually get burned down or flooded? in the country? Yeah. And they know the chance of yours actually actually happening to you is so minute that, that that’s where they get the big money

Simon Edwards 32:49
from, and then you get stung with the, what do you call it? The excess? Cuz I had a fence blown down once in a really strong storm, like a bit like we’re having now. And yeah, the excess meant that even though it was 800 pounds worth of damage, it really wasn’t worth me claiming because I’d get about 500 pounds. And I’d then pay more than my premium for every year after.

Marc Briggs 33:12
Yeah. It’s Yeah, it’s questionable, isn’t it?

Simon Edwards 33:18
So have you seen out numbered?

Marc Briggs 33:21
Oh, the sitcom on the BBC

Simon Edwards 33:21
Yeah , about a normal family. And they, I can’t remember what happened they lose something – something gets damaged or lost. And they think they’re going to claim for it on their insurance, I think a stereo is stolen, and it’s like, a five 400 pounds stereo. And they realize that their excess is about 250 pounds. I’ve got the figures wrong, but essentially, they’d make about 10 pounds, once they pay the excess. Yeah. And then they start thinking, Well, what about all those other things that we didn’t claim for? Because, you know, the excess was too much. Maybe if we add those all up and make one claim, then morally it’s not too bad. But of course it is wrong, isn’t it? Their kids pick them up on their hypocrisy because they’re telling their kids not to download music? Because it’s stealing because like, well, defrauding an insurance company. Isn’t that a bit like stealing?

Marc Briggs 34:16
Yeah. But it doesn’t feel like a fair relationship does it? No. You’re paying to have protection against loss and then when it comes down to when it comes down to it, you’re actually forking out a lot of it i get i guess it I guess it comes into its own when there’s large payouts yeah and your your few 100 pound excess is insignificant in the in the cost of an entire building or your your business turnover over a period of a month or whatever it takes to get back on track

Simon Edwards 34:54
what I mean the differences you know, you and I’ve paid a house insurance buildings insurance for years. And yeah, thank goodness, nothing’s ever burnt down. So for us, it’s been a waste of time. But then on the grand designs episode of the TV home building thing, this record executive and his family were building something a cottage, and he stopped paying the buildings insurance and it burned to the ground. And his wife was furious with him.

Marc Briggs 35:19
Yeah. But that’s, that’s the that, that and then that all comes down to risk appetite. So as an individual or as a company, you have to sit down when you produce your risk register and understand what your risk appetite is. So we all know how to generate risk. probability. And impact isn’t a isn’t a new formula for anyone. But when you get a number at the end of it, whether it’s 01234, or five, where as a business, what number do you start having to mitigate? Or do you just, you just accept the risk, because that is one way of handling risk just accepting it?

Simon Edwards 36:02
Well think as well about our friends in San Francisco. When you have a house in San Francisco, you have a choice, you can have earthquake insurance or not. And the price of earthquake insurance is hair raising, it’s humongous. And the problem there is that there will be an earthquake, and it will damage lots of houses once every however many years. And when you count up the cost of rebuilding your house. Let’s say it’s a 10 year period. Like if it costs you a million pounds to rebuild your house in San Francisco, insurance will cost you 1/10 of a million every year. So it’s kind of like do you pay in installments in advance?

Marc Briggs 36:40
In effect, you’re paying in installments, because the other way of and the other way of managing insurance is to not pay the insurance company. But you still save to save the money. Yeah. So as a business, we could say, Okay, well, there’s a chance that we could have a cyber attack. And that would stop our productivity for what is likely to be two to three days, because we’ve got some technical skills, we’ve got some we’ve got we know we’ve got backups in place, all this kind of stuff, to reckon two to three days if it’s bad. And so we would need a pot of cash to draw on. And most people draw on the insurance claim. But if we instead of paying the insurance premium, I just be putting that money into a pot. And then we just draw on that pots. There’s no excess. It’s our cash. Yes.

Simon Edwards 37:35
So going back to cyberinsurance, their issue is that they they they’re the casino, but they haven’t worked out the odds yet, so they can offer us insurance deals. But they still don’t know yet if they’re going to come out ahead.

Marc Briggs 37:49
Yes, they don’t. And so they’re err on the side of caution, of course. And so. So I would imagine the premiums are quite high. And I would imagine the small print is going to be vicious as well. Yeah, yeah. Yeah, it comes down because there’s so many different ways that you could be attacked. I guess it’s it’s down to the level of impact that it’s that it’s had on you.

Simon Edwards 38:17
Yeah, I mean, we had an issue, didn’t we, a few months ago, where there was a power cut, and it knocked out lots of equipment. And some of that equipment didn’t come back again. And it cost us, you know, a few quid to replace those switches and things. Yeah. But then to mitigate against that happening again. We spent 1000s of pounds on uninterruptible power supply equipment. So yeah, it’s like, well, we kind of bought our own insurance there. And it means that the guys don’t have to spend time fixing things and rebuilding things.

Marc Briggs 38:49
Yes, that’s the way that we’ve mitigated that risk we’ve identified Well, when we first moved into this office, in the UK, the mains power suppliers is reliable, it has constant reliable, and we didn’t feel like the rip the likelihood, or the probability of power cuts happening was high enough to warrant any, any more mitigation, then then does relying on the power company. But then we’ve had more power cuts here than we would have had, we’ve experienced anything before, we’ve had impact financial impacts from hardware as a result. And so we’ve re assessed our risk register. And for continuous power supply, the probability likelihood of it happening is now gone up. The impact has stayed the same, but that’s high anyway. And it’s brought the overall figure for that formula or up to a point where it’s past our risk threshold, and appetite, and therefore we needed to mitigate. And we could have done that a number of ways. And we decided that we were going to invest in uninterrupted power supply, you know,

Simon Edwards 40:03
some might say we closed the barn door after the horse bolted, you know, we waited till we had a problem before we dealt with it. It’s like, you get robbed, and then you put the CCTV in. But everyone’s got limited resources, and they security has a cost to it. And you can’t start out as a new business and put everything in. You’ve got to judge what’s the most impactful thing? What’s the most likely thing? And what can we afford? Yeah,

Marc Briggs 40:30
I mean, that’s why that’s the reason why you go through this process of assessing risk. Because you can only you, it will be crazy for you as a business, it doesn’t make any business sense to be investing money in mitigating risks that simply don’t need to be mitigated. You’ve got to prioritize. And you’ve got to understand where you need to focus your efforts. Otherwise, you just be chasing your tail and all kinds of random things. Yeah.

Simon Edwards 41:01
Yeah, I mean, we, when we started out, we thought one of the major risks would be a security company in another country suing us for testing them without permission. And, you know, touch wood, we’ve only ever had one threat of that. And that didn’t come to anything.

Marc Briggs 41:15
That came from a country where litigation is far more prevalent than it is here in the UK anyway. And so it’s, it’s, I think it’s less of a is probably less of a dramatic event, in that kind of work for them to make a threat. Yeah, whatever, then we’ll have a cup of tea. Yes. Yeah. Yeah, yeah. It’s because it’s more part of a general conversation. Whereas it’s more it’s, it’s, it’s more rare here in the UK. And therefore, the when you receive a letter like that, it’s has a bigger impact. Yes.

Simon Edwards 41:50
Yeah. One big difference. I hadn’t realized, because we went through some litigation, through our involvement with the Anti-Malware Testing Standards Organization where it got sued by one of its members, because member claimed some antitrust nonsense. And what I didn’t realize this in the States, you can get sued for something and then you can win, but you don’t get your costs back.

Simon Edwards 42:12
You have to then sue the other person for your costs. And so the costs keep rising and rising. There’s almost never ending whereas in this country. If someone sue’s you, and they lose, you can then claim costs off them without having to have a whole nother suit.

Simon Edwards 42:26
Yeah. So for us threatening my point is for us threatening to sue someone is more significant, because it can come back on you quite fast and hard. But it seems like in America, you can throw these things out there fairly secure in the knowledge that for years, you’re never going to have to deal with a loss. Yeah, yeah.

Simon Edwards 42:46
Please subscribe. And if you enjoyed this episode, please send a link to just one of your close colleagues. If you want to join the DE:CODED community, and access private content, including our monthly executive briefings, apply at DecodedCyber.com/circle. And that’s it. Thank you for listening. And we hope to see you again soon.

Peek further behind the curtain with DE:CODED Circle.

If you would like access to exclusive, private content from the security testers at SE Labs, please consider applying to join DE:CODED Circle.

DE:CODED Circle is a moderated, vetted community built with the goal of sharing threat intelligence and business-focussed security knowledge to responsible peers.

Apply to DE:CODED Circle now.

Feedback

Please send your comments, questions and concerns to info@decodedcyber.com.

About

SE Labs Ltd is a private, independently-owned and run testing company that assesses security products and services. The main laboratory is located in Wimbledon, South London. It has excellent local and international travel connections. The lab is open for prearranged client visits.

Contact

SE Labs Ltd
Hill Place House
55A High Street
Wimbledon
SW19 5BA

020 3875 5000

info@selabs.uk

Press