RAND on Cyber Warfare

Insurance policies do not protect you against acts of war. They don't do it for your home and auto, and I doubt they will do it for your data assets. It's good to be a bit familiar with the areas in which you have limited protection. Here are links to the RAND Corporation's page on Cyber Warfare, and Wikipedia's entry on RAND:

A conversation with General Pace

Last month, I was thrilled to attend a talk hosted by Peter Pace, former Chairman of the U.S. Joint Chiefs of Staff, at JP Morgan's headquarters in New York City. During a Q&A session that followed the main talk, he fielded some good questions from investment bankers in the audience. The last question he answered was about which threats to American security kept him up at night.

His response surprised me. 

First he listed things that you would expect, such as the campaigns in Iraq and Afghanistan, political instability in Africa and the Middle East, the rise of China, the craziness of North Korea, the specter of general nuclear proliferation. Then he went back over each of these things and explained why they do not bother him too, too much. 

What really bothers him, he said, is the threat of cyber attack. The United States is extremely vulnerable to cyber weapons, he said. He mentioned that large firms like JP Morgan no doubt have the resources to protect themselves a bit from these threats. [Word on the street has it that they do this by hiring people straight out of the CIA and NSA]. But smaller firms, he said, have no such protection, and it is in the best interest of everyone for large corporations and the US government to work on security gaps together.

He said the advent of cyber weapons will have the same impact on relationships between nations as nuclear weapons have. Unlike nuclear weapons, however, thousands of cyber attacks occur each day. He knows what the United States could do to launch a cyber attack and knows what the country cannot defend against. Nation states have generally practiced self-deterrence and do not want a cyber attack launched against them.

It is not nation states that concern him as much as small terrorist groups. He said that small groups of individuals have the power to launch the sort of actions that only nation states could just a few years ago.

After the talk, I introduced myself to him as an Iraq veteran, which I hoped would soften him up a bit so I could pepper him with questions. When I asked him what kind of books or articles I could read in order to understand all this better from an insurance perspective, he said that the scene changes so fast that anything more than two years old is outdated. He told me that updating your reading every two weeks was more like it. This all raised more questions than it answered. What sort of redundancies should web-based businesses develop, so that they can weather any conceivable storm?

I welcome anyone's thoughts on this.

Philadelphia Insurance Companies

Philadelphia Insurance Companies is a firm that has developed a broad range of coverage for Cyber Liability, and they do a great job describing their programs. As this field develops, various insurance carriers will compete to corner areas of this insurance market. One of the factors in choosing which ones to go with [aside from the obvious factors of price and service] is how clearly a company educates and informs its customers. Right now, the material provided at this link is a good place for getting familiar with types of coverage. As time goes on, this will change and develop a great deal.


Step One For Protecting Your Technology

Information Technology can be pretty overwhelming. There are lots of acronyms, abbreviations, and buzzwords you have to know just to do your everyday work. On top of that, you have tons of vendors and sales reps that want to sell you some kind of server, software, or service to protect you from all that can go wrong. How do you evaluate all this technology when you barely understand it? If you're like most people, you get overwhelmed and procrastinate. Really, who wants to go home after putting in a long day at work and start working on their technology protection strategy?

The first step that I recommend to anyone working on a technology protection strategy is to visualize what they would do when confronted with the most common technology disasters. Sure, you may need protection from a potential hacker that might try to break into your network Ocean's 11 style, but those types of break-ins are relatively rare for small businesses. However, I can almost guarantee one of these problems will happen to your business in the next three years:

Wall Street Journal on Lawyers Cyber Security