Would you rather trust a coder or an actuary for your data security? Getting an answer to this question has companies reaching for one of two very different approaches to data security: direct technology or risk hedging. After all, is there really a difference between insuring your car and a data breach insurance policy at the office?
Data Leak Prevention takes the direct technology approach. Once a company’s confidential data has been identified, DLP uses a number of technological measures – software and hardware – to prevent it from leaving the office. Individual vendors have an exhaustive list of tricks for detecting and classifying the data that I am not going to mention. The critical issue here is perspective: companies with DLP such as Safetica 5 treat their data security as a lifeboat issue. By safeguarding their data, the company can dramatically slash the risk of a data breach happening to them – in their company ship – with its costs and competitive consequences, and comply with whatever data handling regulations there are. While some data (and leaks) may be more mission critical than others, data security is a direct issue for the company.
Data breach insurance is primarily risk management to hedge the company against an uncertain – but real – risk. This approach goes back to the slave trader roots of the insurance business; by pooling their risks, market players could offset the real chance that some boat was going to sink on that next voyage. It is based on the philosophical bet that an incident is going to happen. You hope it happens to someone else, but if it happens to your company, you're covered when it comes to paying for the damage.
There are a lot of similarities between the benefits of DLP and those of a data breach insurance policy – at least in the promotional brochures, with key buzzwords such as compliance with regulations, preventing a data breach, and help from industry experts. However, the two vary completely on the last point: covering the costs of a data breach. Data breach insurance policies emphasize covering the costs of a data breach, such as notification, identity theft monitoring, and getting a PR team ready to minimize the collateral damage to the company. The DLP position is that the data breach incident should not have happened in the first place, so what’s the point of preparing to pay for PR or ID theft monitoring?
Philosophical comments aside, there is overall agreement over the risk of a data breach. According to the 2013 Verizon Data Breach Investigations Report (DBIR), most breaches were preventable and a whopping 78% of these attacks were rated low on the VERIS difficulty scale. And it is not just the Targets of the world that are vulnerable. The DBIR found that 31% of all data breaches they investigated took place in organizations with fewer than 100 employees.
Data breach insurance policies currently focus on the cost of cleaning up the mess after what they present as an expensive, and nearly inevitable, data breach. DLP solutions center on technology and think of the cleanup issues as “costs prevented” in the individual company. If you think of a data leak as an unavoidable mess, you will likely be more interested in the insurance option. But if you see a breach as a consequence of poor data handling and maintenance, DLP is a much greater attraction. After all, a leak in your own boat of data is much more important than a leak somewhere else.
Back to the connection between data security and your car insurance. Insurers are doing more than just passively hedging risks by covering every car with mandatory coverage. They actively reduce their potential losses by requiring anti-theft devices and mandated training for drivers. Even better, with usage-based insurance (UBI), they take data on the individual driver’s acceleration, braking, and location to calculate the premiums. This UBI approach is likely to come in future data breach policies. Not only will the insurers sell you a policy, they will offer a really substantial discount if you also implement various DLP features within your organization.