Who Watches the Watchers

November 17, 2019 | 5 min read

CyberInsuranceInsights” is a Blog Series that shares ideas, advice, and experiences from the BlueVoyant Professional Services team. The blogs discuss the lessons learned from assisting clients navigate post-breach insurance claims and pre-breach preparation.

Quis custodiet ipsos custodes? The literal translation of this line, written during the 2nd Century AD, means “Who will guard the guards?”, although the most common translation is “Who watches the watcher?” (Source, Junvenal, Satires, Satire VI, lines 347-348). In 1984, Motown singer Rockwell released his hit song, “Somebody’s Watching Me.” It reached #2 on the “Billboard Hot 100”, the music industry standard record chart in the United States. Notable highlights from the song include, “I'm just an average man with an average life...I always feel like somebody's watchin' me and I have no privacy...I don't feel safe anymore, oh what a mess.”

Latin phrases and hit songs often stand the test of time. In our current, computer-dominated environment, these themes resonate. Rockwell thinks he’s an “average man with an average life” and later in the song, wonders whether he is paranoid with his thoughts of being watched. But today, we know that no one has complete privacy - from average individuals with average lives - to individuals who live in the spotlight. No one is paranoid if they think they are being watched and in fact, they are correct. The question is, in our environment where lack of privacy is the norm, who is watching, and can we protect ourselves by watching the watchers?

The Internet of Things, as a concept, wasn’t officially named until 1999. One of the first examples of an Internet of Things is from the early 1980s, and it was a Coca Cola machine, located at Carnegie Mellon University. Local programmers would connect by Internet to the refrigerated appliance, check to see if there was a drink available and confirm whether it was cold prior to making the trip to purchase a can. (Source: https://www.ibm.com/blogs/industries/little-known-story-first-iot-device/).

he modern-day Internet of Things includes connected security systems, thermostats, cars, electronic appliances, and numerous other devices we don’t even know are connected. The leading industries that are increasingly relying on the Internet of Things include maritime shipping, aviation, smart cities, and critical infrastructure. There are benefits to a connected culture: increased communication; financial and operational efficiencies; augmented protections. However, there are also significant drawbacks and negative implications that may wreak havoc in our daily lives.

The interconnectedness provides multiple opportunities for attackers to infiltrate our society. Their practice of watching individuals and corporations in order to steal data and disrupt the status quo is thriving. Attackers patiently and relentlessly look for these opportunities through the systems of ordinary appliances, email traffic, domain names, and patterns of behavior. They identify appealing characteristics of corporations including, but not limited to, marketplace presence, research and development, reputation, employees, clients, board of directors and financial success.

The threat landscape presents new challenges for corporations and individuals to manage these risks. Similarly, insurance carriers are struggling to underwrite and price them. It is difficult to trace the origin of a cyber attack when there are several points of entry. Further, it may be hard to determine whether multiple damages - including physical damage - resulted from one single, related event or many. From a policy response perspective, these events could trigger not only a cyber liability policy, but also a general liability policy. But risks are not only interconnected; they can be singular, isolated and still be catastrophic.

Cyber risk management, therefore, must play a critical role in reducing and avoiding the totality of these risks both to individuals and corporations. In this context, we hark back to our original framework for inquiry: who is watching the watchers? On an individual basis, there are identity theft monitoring solutions that can be purchased at a reasonable price, or even available through banks or insurance carriers at no cost. Oftentimes, when clients’ or employees’ data is compromised as a result of a company attack, these services are provided by victimized corporations.

It shouldn’t be a surprise, then, to learn about a similar solution for monitoring potential threats to organizations. The solution is called endpoint threat monitoring, also known as managed detection and response. Typically, the solution is not intrusive to the organization if conducted properly. The process begins by deploying software on endpoints while at the same time, whitelisting client applications to minimize business interruption. Many organizations benefit by transferring the orchestration of the project and associated action items to a dedicated third-party team of experts, especially if their IT department is understaffed or not experienced in the role of monitoring networks.

When a suspicious event is detected or an alert is generated, a member of the monitoring team will perform an analysis to investigate whether the alert is a true positive, benign, or false positive and the client will be notified. Upon completion, a specific set of actions may be triggered: quarantine, delete, whitelist, monitor, or blacklist. Not only may the response take place in real-time, but it can be conducted remotely, resulting in immediate prevention of the execution of suspicious or known malicious software, thereby containing the outbreak or spread of that malware. Should the malware be recognized, the response can be even more tailored to that particular strain.

The insurance community is offering support for these monitoring tools. Underwriting applications ask questions about the existence of monitoring tools already installed. These questions signal to the insured that monitoring tools are important measures underwriters consider when evaluating a risk. Carriers may offer financial and coverage incentives to organizations that can answer in the affirmative. From a cost benefit analysis, both the insured and the carrier are positioned to save money if an intrusion can be stopped before it rises either to the definition of an incident that needs to be investigated or for which a ransom must be paid to resume business operations.

Conversely, the absence of monitoring tools may negatively affect the resulting policy offering or even coverage determination. Regulators are also encouraging the implementation of these tools. For example, financial institutions are facing an increasing number of cyber security regulations. Monitoring tools assist with the compliance of these burdensome and confusing requirements which help the organization avoid penalties, reputational damage, and provide a defensible argument should any incident occur.

The rise of ransomware attacks and focus from the insurance industry on coverage ramifications associated with any intrusion supports the need for corporate vigilance. Keeping an eye on the attacker who is watching you or your network provides an effective, offensive solution we should all consider.

This article was originally published by CHART Magazine.