Traveler’s Insurance Gets Security Wrong, Wrong, Wrong
Thanks to Joel Spolsky for the scan of the Traveler’s Insurance ad in Inc. magazine:
Forget the geek stereotype stuff. Like the rest of humanity, you can find techies who fit stereotypes and techies who don’t.
What matters here is that Traveler’s is promulgating the idea that external threats are where organizations should direct the bulk of their security efforts (and, of course, increased insurance spending).
The threats come from the inside, people! Not the outside. Laptops gone missing (for some reason loaded with sensitive or confidential data), disgruntled employees, gossips, the complete and utter inability to secure media transformations (paper to disk to screen and back to paper again…), MS Outlook, security policies which focus on making legitimate tasks hard by forcing employees to jump through hoop after hoop of red tape, MS SQL Server, being unable to flexibly apply policies instead of using broad brushes to make everyone’s like more difficult, and on, and on…
Whew! I feel better now. You can put away the needle with the tranquilizer. OK, yes, there are external threats, but they are much more readily identifiable, and easier to secure against.
There’s also a slight matter of exactly what and how the insurer is actually underwriting. Read the contract really carefully, and you will find that unless you’ve been documenting every last sub-atomic particle of how you secure your premises, your systems, your operations, and your data, and that those efforts conform to some bizarre idea of security developed by an insurance industry task force, you ain’t gonna see dollar one from that policy.
I am gonna get me a pair of red socks, though.