“It doesn’t surprise me that insurance companies are nervous. The Statoil breach at the end of last year is testament to energy giants being caught out by cybercriminals. However, I believe that the risks are universal in all organizations, so we should expect to see this reluctance transfer across other sectors. Businesses may increasingly discover themselves to be uninsurable in the coming months unless they can prove robust IT security measures are in place.
“The root of the Statoil breach is common in many organizations as there’s little or no consensus on what constitutes sensitive documentation. It is impossible for IT to be aware of all the confidential and sensitive information stored in the corporate IT environment. It is of course sensible to document and communicate a framework of what constitutes sensitive information, but it may not always be as obvious as listing particular applications or document authors. Indeed, following the recent scandal surrounding an IT contractor in the US leaking vast quantities of data, it is advisable that IT administrators neither know about nor have access to sensitive content.
“Mistakes are always going to occur that result in the potential disclosure of sensitive content, but it is up to organizations to ensure that the impact of those mistakes is kept to a minimum. Too many organizations are leaving themselves wide open to data breaches because of an over-reliance on their overstretched IT security department rather than sharing the responsibility with business managers, who have a vested interest in keeping content safe.”