The title of this post may seem blatantly obvious. You’re probably thinking that anyone who chooses to drive with their feet – when they have a perfectly good set of hands – deserves whatever they get. But bear with me and you’ll see where I’m going with this.
I work in information assurance, which means that I’m in the business of helping enterprises manage information-related risks. Now if you’ve functioned in the real world for any length of time, you know that there’s no such thing as 100%, and absolutes are up there with pink elephants and Bigfoot. There will always be risk in some form or another.
Organizations are then left with the decision of weighing these lingering risks against the operational/financial benefits, and doing one of three things:
Assign or transfer the lingering risk to a third party (this is rarely possible)
Mitigate the residual risk and reduce it to an acceptable level
Accept or ignore the lingering risks, which in many cases is the only option.
These lingering risks are often documented in what is commonly known as a “risk register.” Over the past few years, many information assurance practitioners have acquired cyber-liability insurance for their organizations to offset the exposure in their risk register. Therein lies the rub.
Unexpectedly, many of those organizations’ leaders see their insurance policy as an opportunity to cut down their security budgets. They think they needn’t be as stringent since they’re now “covered” – which brings us neatly to the driving analogy.
Most drivers spend their lives paying for insurance hoping that they will never need it. We may make jokes about it, but the point of having insurance is to protect you against things you can’t control or anticipate. In information assurance, this is like driving on a road with millions of cars, some of which are at high risk of colliding with you.
However, having insurance doesn’t mean you can start driving with your feet, and it most certainly doesn’t mean you can be intentionally negligent with your customers’ data. In fact, regulators enforcing frameworks such as the EU’s General Data Protection Regulation (GDPR) or the US’s HIPAA (Health Insurance Portability and Accountability Act) take a particularly dim view of less-than-diligent organizations, levying fines that no insurance policy would cover.
So, even though you have insurance, you still need to plan, secure, mitigate, and remember to always drive safely.
Disclaimer: We do not sell insurance, but if you’re in the market for advice on risk mitigation or on selecting the right provider, please reach out to us at BlackBerry’s Advanced Assurance division; we would be more than happy to help.
About Nader Henein
A staunch advocate of Data Protection and Privacy, Nader brings over two decades of tactical experience in the architecture, development and management of secure, scalable systems. He has worked in a wide range of organizations from startups to multinationals allowing for both depth and breadth of experience focused on enabling business without compromise of corporate security or individual privacy. Today, his role hinges on providing solutions to current challenges faced by BlackBerry’s strategic customers in banking, governance, security and beyond.