Money can buy you insurance against network break-ins but investing in infosec hygiene wouldn't go amiss, says new NCSC chief

So-called cyber-attack insurance "cannot be a substitute for better basic cybersecurity," the National Cyber Security Centre's chief exec has said in her first major speech since taking office. Lindy Cameron took over from founding CEO Ciaran Martin last summer and on Friday made her first public appearance since taking office …

  1. Warm Braw Silver badge

    Simply not embedded into the UK's boardroom thinking

    It's simply not embedded into products. Especially embedded products.

    If you can't interest builders in using less flammable building materials than those that literally cost lives, you're not going to convince a few suits to spend money protecting binary digits.

    It needs standards and regulations. The things we have governments for, allegedly.

    1. Don Dumb

      Re: Simply not embedded into the UK's boardroom thinking

      It needs standards and regulations. The things we have governments for, allegedly.

      And enforcement - often governments think the first two are enough.

      It was illegal to build tower blocks that burn down. It seems more difficult to force builders to care.

  2. Mike 137 Silver badge

    Wow! Ground breaking expert guidance!

    " ... cyber-attack insurance "cannot be a substitute for better basic cybersecurity," the National Cyber Security Centre's chief exec has said"

    Anyone who thinks insurance can substitute for security should take the locks off their external doors - and then see what the insurer says about it. And it's no different in the "cybersphere". Any policy worth its premium will come with conditions of cover that include maintaining an adequate security stance. Otherwise it won't pay out. Any policy that doesn't include such conditions ain't worth a dime as it probably won't pay out.

    Only once the "experts" get beyond spouting truisms will the appalling vulnerability of most organisations be capable of improvement.

  3. FlamingDeath Silver badge

    Hearing about insurance companies paying ransomware attacks, or worse, universities paying ransomware not because they don't have a backup plan, but because they believed by paying, the bad actors would destroy the data they had already copied, is nothing short of unbelievable naivety.

    Apart from ‘care free’ lusers who will click anything no matter how obvious the ruse, software houses need to stop with the constant ‘brainfart’ patching and take a break from the constant ‘new features’ and take a hard look at the crap that’s already been created, and ask themselves, does it work, is it secure?

    I swear, none of them do that last bit, hence why we get so many damn patches

    1. Tomato42

      what? and have the middle management without features to show they implemented?! you want to completely destroy their careers?

  4. ThatOne Silver badge

    Won't work

    > "Insurance can really help to cover costs, but [...]"

    What else is there to cover?... Wake up and smell the shareholder meeting! The goal of management is to minimize cost and maximize profit, so insurance is "good", while spending money on something as vague (and potentially unneeded!) as "security" is definitely wasting money, and you don't do that if you value your career and bonus.

    The whole thing is a bet, reinforced by the knowledge that if you win, the gains are yours to pocket, and if you lose, the loss is somebody else's...

    1. Doctor Syntax Silver badge

      Re: Won't work

      "What else is there to cover?"

      Loss of reputation.

      After you've had your customers' personal data cast abroad over the interwebs you'll have seen the last of a good number of them. You may think you're sorting things out for them by letting Experian slurp more of their data for 6 months but it's unlikely they'll think that solves the problem and it's what they think that matters in the long run.

      1. Anonymous Coward

        Re: Won't work

        Reputation?

        The general public doesn't notice breaches anymore. They are interested in the websites allowing them to do what they want to do (which is one reason companies pay ransomware). PR can smooth over any bad publicity and for those actually affected Experian seems like a solution.

        I can think of all sorts of user facing businesses that took a major reputation hit for all sorts of reasons but data breaches aren't one of them.

  5. 0laf

    I don't think the C-Suite are ignoring it but many companies and organisations have been around for a long time and their networks have grown like slime moulds over decades. If these were brand new networks then securing them would be far easier. It's like trying to find a way to make a horse and cart carry a shipping container.

    The board probably do see the problem but it seems nearly impossible to fix in a financially viable way, plus they've spent many of the last 5 years decimating their IT departments so they have no resources or skills to do the work even if they wanted to. This is something I've always found hard to understand, C-Suite falling over themselves to proclaim a new digital future yet forgetting who actually has to do the work on anything that is digital.

    1. Doctor Syntax Silver badge

      "yet forgetting who actually has to do the work on anything that is digital."

      It's the cloud that does it innit?

    2. virtual insanity

      Even working at a relatively new company is no better, we have good people here and are trying hard but shiny features trump security every time. So the tech debt pile is growing.

  6. Potemkine! Silver badge

    "Cybersecurity is still not taken as seriously as it should be, and is simply not embedded into the UK's boardroom thinking"

    Cybersecurity is a cost, it does not generate money and costs are bad, bean-counters and shareholders don't like that. It is only when a disaster occurs that they begin to think about it, and then throw a lot of money into PR to claim they take security and customers' privacy very seriously. Till next time.

    Today's tendency is to get rid of internal IT and push everything into the almighty and magical cloud to change CAPEX into OPEX, delegating the responsibility, so the C-suite believes. It's well known that underpaid and overworked contractors would be more efficient than in-house IT, right?

    If bean-counters and shareholders could get rid of fire alarms, security exits and generally anything related to physical security, they would gladly do it to save a few bucks. Regulation and law enforcement are the only things that prevent them from doing it. GDPR is a first step in the right direction.
