Making your network hack-proof would be like constructing a fireproof building. Doing either would be beneficial but expensive and impractical.
In both cases, purchasing liability insurance would be an alternative. To paraphrase a security mantra: One shouldn't spend $10 protecting something worth $5, but what about insuring it for 50 cents?
William Cook, a partner with Chicago-based law firm Wildman Harrold, recommends insurance to companies that have performed risk analyses and found areas they could not afford to secure. "I have a lot of clients who are afraid to admit they couldn't afford to install something, but that is OK if they did the proper analysis," he said.
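The risk analysis Cook refers to, and the mantra above, can be put in figures. The following is an added illustration, not anything from the article or from the firms it quotes: it uses the standard quantitative risk-analysis terms SLE (single loss expectancy), ARO (annualised rate of occurrence) and ALE = SLE x ARO, none of which the article itself names, and every dollar figure in it is constructed for the example. It compares four treatments for one risk (accept, mitigate with a safeguard, transfer to an insurer, or both) and picks the cheapest expected annual cost, then reports the ARO at which the mitigate and transfer options tie, since the incident rate is exactly the number underwriters say they cannot yet table.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Risk:
    name: str
    sle: float  # single loss expectancy: dollars lost per incident
    aro: float  # annualised rate of occurrence: expected incidents per year


@dataclass(frozen=True)
class Control:
    annual_cost: float    # what the safeguard costs per year
    aro_reduction: float  # fraction of incidents it prevents, 0.0..1.0


@dataclass(frozen=True)
class Policy:
    premium: float     # annual premium
    deductible: float  # insured pays this much of each incident
    limit: float       # insurer pays at most this much per incident


def ale(risk: Risk) -> float:
    """Annualised loss expectancy with no treatment at all."""
    return risk.sle * risk.aro


def retained_loss(sle: float, policy: Optional[Policy]) -> float:
    """Dollars the insured still pays per incident after the policy responds."""
    if policy is None:
        return sle
    payout = min(max(sle - policy.deductible, 0.0), policy.limit)
    return sle - payout


def expected_annual_cost(risk: Risk, control: Optional[Control] = None,
                         policy: Optional[Policy] = None) -> float:
    """Fixed spend (safeguard, premium) plus expected retained loss."""
    aro = risk.aro * (1.0 - control.aro_reduction) if control else risk.aro
    fixed = (control.annual_cost if control else 0.0) + (policy.premium if policy else 0.0)
    return fixed + aro * retained_loss(risk.sle, policy)


def compare_treatments(risk: Risk, control: Control, policy: Policy) -> dict:
    return {
        "accept": expected_annual_cost(risk),
        "mitigate": expected_annual_cost(risk, control=control),
        "transfer": expected_annual_cost(risk, policy=policy),
        "mitigate+transfer": expected_annual_cost(risk, control, policy),
    }


def choose_treatment(risk: Risk, control: Control, policy: Policy) -> str:
    costs = compare_treatments(risk, control, policy)
    return min(costs, key=costs.get)


def breakeven_aro(risk: Risk, control: Control, policy: Policy) -> Optional[float]:
    """ARO at which 'mitigate' and 'transfer' cost the same.

    ARO is the least certain input in security risk analysis, so the distance
    between the estimate and this value shows how robust the recommendation is.
    Returns None when the two cost lines never cross for a non-negative ARO.
    """
    residual = (1.0 - control.aro_reduction) * risk.sle  # loss per year-unit of ARO if mitigated
    retained = retained_loss(risk.sle, policy)            # loss per year-unit of ARO if insured
    if residual == retained:
        return None
    aro = (control.annual_cost - policy.premium) / (retained - residual)
    return aro if aro >= 0.0 else None


# The article's mantra in figures: an asset worth $5, a $10 safeguard, a 50-cent policy.
MANTRA = (Risk("mantra", sle=5.0, aro=1.0),
          Control(annual_cost=10.0, aro_reduction=1.0),
          Policy(premium=0.50, deductible=0.0, limit=5.0))

# Constructed downstream-liability scenario; all figures are illustrative, not market data.
LIABILITY = (Risk("downstream liability", sle=250_000.0, aro=0.1),
             Control(annual_cost=4_000.0, aro_reduction=0.85),
             Policy(premium=6_000.0, deductible=25_000.0, limit=500_000.0))


if __name__ == "__main__":
    for risk, control, policy in (MANTRA, LIABILITY):
        print(f"{risk.name}: untreated ALE ${ale(risk):,.2f}")
        for option, cost in compare_treatments(risk, control, policy).items():
            print(f"  {option:<18} ${cost:,.2f}")
        print(f"  best: {choose_treatment(risk, control, policy)}; "
              f"mitigate/transfer tie at ARO {breakeven_aro(risk, control, policy)}")
```

In the mantra case insurance wins outright. In the constructed liability case the safeguard is cheaper than the policy at an estimated 0.1 incidents a year, but the two tie at 0.16, so a modest error in the incident-rate estimate flips the answer; that sensitivity, not the arithmetic, is what makes underwriting this line hard.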
Companies can recoup a variety of costs with insurance. For example, insurance can help companies that are sued for downstream liability. A company is liable in the downstream sense if its systems were compromised and then used to attack servers owned by someone else. Insurance can also cover the losses a company suffers from downtime after it is attacked.
Insurance, however, is not a substitute for good security, said Robert A. Parisi Jr., senior vice president with AIG eBusiness Risk Solutions, which has sold information security insurance since 1999.
"It's like offering life insurance to middle-aged men. I only want to sell it to nonsmokers who exercise and eat right," Parisi said. "But there is still a lot of risk out there. The insured guy could be hit by a truck."
Companies buy insurance all the time to shoulder risk they can't afford. For example, when it comes to fire, organizations pay for smoke detectors, sprinkler systems and evacuation plans. But they also have insurance to cover any damages caused by a blaze. It's less costly to purchase a fire insurance policy than it is to build a fireproof building.
Now, the comparison to network security is only apt to a point. It may be possible to build a fireproof building, but making a usable corporate network totally hack-proof is impossible, Parisi said. Even if a company uses bleeding-edge technology and is ultra-dedicated about patching and encryption, the possibility for human error still exists.
"You are never going to have entirely secure networks," Parisi said. "All it takes is a rogue LAN administrator and you have a fox in the henhouse."
The first thing Parisi does when someone wants a policy is to perform a security audit based on the ISO 17799 standard. This is both for the prospective policyholder and for the insurer. Even so, underwriting security insurance is a little tricky; it's hard to calculate the risks because security is constantly changing. "What was appropriate six months ago is now passé or inappropriate," Parisi said.
Car insurance is far easier, he said. "I have tables for selling auto insurance to a 17-year-old male driving a red Camaro," Parisi said. "I don't have that luxury [with information security yet]."
FEEDBACK: Does your company purchase hacker insurance?
Send your feedback to the SearchSecurity.com news team.